# Flog Txt Version 1
# Analyzer Version: 4.4.1
# Analyzer Build Date: Jan 14 2022 06:06:11
# Log Creation Date: 31.01.2022 10:08:28.690
Process:
id = "1"
image_name = "35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe"
filename = "c:\\users\\rdhj0cnfevzx\\desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe"
page_root = "0x732a3000"
os_pid = "0xfd4"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "analysis_target"
parent_id = "0"
os_parent_pid = "0x618"
cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe\" "
cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 117
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 118
start_va = 0x30000
end_va = 0x31fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 119
start_va = 0x40000
end_va = 0x54fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 120
start_va = 0x60000
end_va = 0x9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 121
start_va = 0xa0000
end_va = 0x19ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000a0000"
filename = ""
Region:
id = 122
start_va = 0x1a0000
end_va = 0x1a3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001a0000"
filename = ""
Region:
id = 123
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001b0000"
filename = ""
Region:
id = 124
start_va = 0x1c0000
end_va = 0x1c1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 125
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 126
start_va = 0x400000
end_va = 0x489fff
monitored = 1
entry_point = 0x484132
region_type = mapped_file
name = "35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe"
filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe")
Region:
id = 127
start_va = 0x77b90000
end_va = 0x77d0afff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")
Region:
id = 128
start_va = 0x7ffb0000
end_va = 0x7ffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007ffb0000"
filename = ""
Region:
id = 129
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 130
start_va = 0x7fff0000
end_va = 0x7ffd504cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007fff0000"
filename = ""
Region:
id = 131
start_va = 0x7ffd504d0000
end_va = 0x7ffd50690fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 132
start_va = 0x7ffd50691000
end_va = 0x7ffffffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00007ffd50691000"
filename = ""
Region:
id = 270
start_va = 0x630000
end_va = 0x63ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000630000"
filename = ""
Region:
id = 271
start_va = 0x6edd0000
end_va = 0x6ee1ffff
monitored = 0
entry_point = 0x6ede8180
region_type = mapped_file
name = "wow64.dll"
filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")
Region:
id = 272
start_va = 0x6ee20000
end_va = 0x6ee99fff
monitored = 0
entry_point = 0x6ee33290
region_type = mapped_file
name = "wow64win.dll"
filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")
Region:
id = 273
start_va = 0x74f30000
end_va = 0x7500ffff
monitored = 0
entry_point = 0x74f43980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 274
start_va = 0x6eea0000
end_va = 0x6eea7fff
monitored = 0
entry_point = 0x6eea17c0
region_type = mapped_file
name = "wow64cpu.dll"
filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")
Region:
id = 275
start_va = 0x640000
end_va = 0x8dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000640000"
filename = ""
Region:
id = 276
start_va = 0x6cdf0000
end_va = 0x6ce48fff
monitored = 1
entry_point = 0x6ce00780
region_type = mapped_file
name = "mscoree.dll"
filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll")
Region:
id = 277
start_va = 0x74f30000
end_va = 0x7500ffff
monitored = 0
entry_point = 0x74f43980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 278
start_va = 0x76ad0000
end_va = 0x76c4dfff
monitored = 0
entry_point = 0x76b81b90
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")
Region:
id = 279
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 280
start_va = 0x7feb0000
end_va = 0x7ffaffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007feb0000"
filename = ""
Region:
id = 281
start_va = 0x490000
end_va = 0x54dfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 282
start_va = 0x640000
end_va = 0x77ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000640000"
filename = ""
Region:
id = 283
start_va = 0x7e0000
end_va = 0x8dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000007e0000"
filename = ""
Region:
id = 284
start_va = 0x74810000
end_va = 0x748a1fff
monitored = 0
entry_point = 0x74850380
region_type = mapped_file
name = "apphelp.dll"
filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll")
Region:
id = 285
start_va = 0x7fb00000
end_va = 0x7fea0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sysmain.sdb"
filename = "\\Windows\\AppPatch\\sysmain.sdb" (normalized: "c:\\windows\\apppatch\\sysmain.sdb")
Region:
id = 286
start_va = 0x20000
end_va = 0x23fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 287
start_va = 0x77b10000
end_va = 0x77b8afff
monitored = 0
entry_point = 0x77b2e970
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")
Region:
id = 288
start_va = 0x74a10000
end_va = 0x74acdfff
monitored = 0
entry_point = 0x74a45630
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")
Region:
id = 289
start_va = 0x550000
end_va = 0x58ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000550000"
filename = ""
Region:
id = 290
start_va = 0x640000
end_va = 0x73ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000640000"
filename = ""
Region:
id = 291
start_va = 0x770000
end_va = 0x77ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000770000"
filename = ""
Region:
id = 292
start_va = 0x76c50000
end_va = 0x76c93fff
monitored = 0
entry_point = 0x76c69d80
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")
Region:
id = 293
start_va = 0x74e80000
end_va = 0x74f2cfff
monitored = 0
entry_point = 0x74e94f00
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")
Region:
id = 294
start_va = 0x748c0000
end_va = 0x748ddfff
monitored = 0
entry_point = 0x748cb640
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")
Region:
id = 295
start_va = 0x748b0000
end_va = 0x748b9fff
monitored = 0
entry_point = 0x748b2a00
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")
Region:
id = 296
start_va = 0x77680000
end_va = 0x776d7fff
monitored = 0
entry_point = 0x776c25c0
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")
Region:
id = 297
start_va = 0x1d0000
end_va = 0x1fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 298
start_va = 0x6ccc0000
end_va = 0x6cd38fff
monitored = 1
entry_point = 0x6cccf82a
region_type = mapped_file
name = "mscoreei.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll")
Region:
id = 299
start_va = 0x77590000
end_va = 0x775d4fff
monitored = 0
entry_point = 0x775ade90
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")
Region:
id = 300
start_va = 0x752b0000
end_va = 0x7546cfff
monitored = 0
entry_point = 0x75392a10
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")
Region:
id = 301
start_va = 0x77440000
end_va = 0x7758efff
monitored = 0
entry_point = 0x774f6820
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")
Region:
id = 302
start_va = 0x750d0000
end_va = 0x75216fff
monitored = 0
entry_point = 0x750e1cf0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")
Region:
id = 303
start_va = 0x590000
end_va = 0x5b9fff
monitored = 0
entry_point = 0x595680
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 304
start_va = 0x8e0000
end_va = 0xa67fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008e0000"
filename = ""
Region:
id = 305
start_va = 0x75660000
end_va = 0x7568afff
monitored = 0
entry_point = 0x75665680
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 306
start_va = 0x30000
end_va = 0x30fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 307
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 308
start_va = 0x1f0000
end_va = 0x1fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001f0000"
filename = ""
Region:
id = 309
start_va = 0x590000
end_va = 0x612fff
monitored = 1
entry_point = 0x614132
region_type = mapped_file
name = "35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe"
filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe")
Region:
id = 310
start_va = 0xa70000
end_va = 0xbf0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a70000"
filename = ""
Region:
id = 311
start_va = 0xc00000
end_va = 0x1ffffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000c00000"
filename = ""
Region:
id = 312
start_va = 0x77320000
end_va = 0x7732bfff
monitored = 0
entry_point = 0x77323930
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")
Region:
id = 313
start_va = 0x6eeb0000
end_va = 0x6eeb7fff
monitored = 0
entry_point = 0x6eeb17b0
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll")
Region:
id = 314
start_va = 0x6c050000
end_va = 0x6c700fff
monitored = 1
entry_point = 0x6c065d20
region_type = mapped_file
name = "clr.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll")
Region:
id = 315
start_va = 0x6cbc0000
end_va = 0x6ccb4fff
monitored = 0
entry_point = 0x6cc14160
region_type = mapped_file
name = "msvcr120_clr0400.dll"
filename = "\\Windows\\SysWOW64\\msvcr120_clr0400.dll" (normalized: "c:\\windows\\syswow64\\msvcr120_clr0400.dll")
Region:
id = 316
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001e0000"
filename = ""
Region:
id = 317
start_va = 0x590000
end_va = 0x59ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000590000"
filename = ""
Region:
id = 318
start_va = 0x5a0000
end_va = 0x5affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005a0000"
filename = ""
Region:
id = 319
start_va = 0x5b0000
end_va = 0x5bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005b0000"
filename = ""
Region:
id = 320
start_va = 0x5c0000
end_va = 0x5cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005c0000"
filename = ""
Region:
id = 321
start_va = 0x5d0000
end_va = 0x5dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005d0000"
filename = ""
Region:
id = 322
start_va = 0x5e0000
end_va = 0x5effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005e0000"
filename = ""
Region:
id = 323
start_va = 0x5f0000
end_va = 0x5f0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005f0000"
filename = ""
Region:
id = 324
start_va = 0x600000
end_va = 0x600fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 325
start_va = 0x2000000
end_va = 0x21cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002000000"
filename = ""
Region:
id = 326
start_va = 0x2000000
end_va = 0x20cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002000000"
filename = ""
Region:
id = 327
start_va = 0x21c0000
end_va = 0x21cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000021c0000"
filename = ""
Region:
id = 328
start_va = 0x780000
end_va = 0x7bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000780000"
filename = ""
Region:
id = 329
start_va = 0x21d0000
end_va = 0x22cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000021d0000"
filename = ""
Region:
id = 330
start_va = 0x610000
end_va = 0x61ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000610000"
filename = ""
Region:
id = 331
start_va = 0x22d0000
end_va = 0x42cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000022d0000"
filename = ""
Region:
id = 332
start_va = 0x2000000
end_va = 0x209ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002000000"
filename = ""
Region:
id = 333
start_va = 0x20c0000
end_va = 0x20cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000020c0000"
filename = ""
Region:
id = 334
start_va = 0x20d0000
end_va = 0x210ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000020d0000"
filename = ""
Region:
id = 335
start_va = 0x42d0000
end_va = 0x43cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000042d0000"
filename = ""
Region:
id = 336
start_va = 0x43d0000
end_va = 0x4706fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 337
start_va = 0x6ae20000
end_va = 0x6c047fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "mscorlib.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\8062d427acd64e37f4fded7b00f4a869\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\mscorlib\\8062d427acd64e37f4fded7b00f4a869\\mscorlib.ni.dll")
Region:
id = 338
start_va = 0x74ad0000
end_va = 0x74bbafff
monitored = 0
entry_point = 0x74b0d650
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")
Region:
id = 339
start_va = 0x2110000
end_va = 0x21a0fff
monitored = 0
entry_point = 0x2148cf0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 340
start_va = 0x70970000
end_va = 0x709e4fff
monitored = 0
entry_point = 0x709a9a60
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll")
Region:
id = 341
start_va = 0x740000
end_va = 0x76ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000740000"
filename = ""
Region:
id = 342
start_va = 0x610000
end_va = 0x61ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000610000"
filename = ""
Region:
id = 343
start_va = 0x620000
end_va = 0x62ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000620000"
filename = ""
Region:
id = 344
start_va = 0x6cd70000
end_va = 0x6cdedfff
monitored = 1
entry_point = 0x6cd71140
region_type = mapped_file
name = "clrjit.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clrjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clrjit.dll")
Region:
id = 345
start_va = 0x74d80000
end_va = 0x74e11fff
monitored = 0
entry_point = 0x74db8cf0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 346
start_va = 0x740000
end_va = 0x74ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000740000"
filename = ""
Region:
id = 347
start_va = 0x760000
end_va = 0x76ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000760000"
filename = ""
Region:
id = 348
start_va = 0x6a470000
end_va = 0x6ae1bfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\cc4e5d110dd318e8b7d61a9ed184ab74\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system\\cc4e5d110dd318e8b7d61a9ed184ab74\\system.ni.dll")
Region:
id = 349
start_va = 0x6ca30000
end_va = 0x6cbbcfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.drawing.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Drawing\\9b645a48c9bcfc95aaadf6a069bb4ebe\\System.Drawing.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.drawing\\9b645a48c9bcfc95aaadf6a069bb4ebe\\system.drawing.ni.dll")
Region:
id = 350
start_va = 0x69810000
end_va = 0x6a468fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.windows.forms.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Windows.Forms\\8cd2187094ba6cade0ca0fab4f932654\\System.Windows.Forms.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.windows.forms\\8cd2187094ba6cade0ca0fab4f932654\\system.windows.forms.ni.dll")
Region:
id = 351
start_va = 0x750000
end_va = 0x750fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000750000"
filename = ""
Region:
id = 352
start_va = 0x750000
end_va = 0x751fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000750000"
filename = ""
Region:
id = 353
start_va = 0x2110000
end_va = 0x219efff
monitored = 0
entry_point = 0x211dd60
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll")
Region:
id = 354
start_va = 0x6c990000
end_va = 0x6ca21fff
monitored = 0
entry_point = 0x6c99dd60
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.10586.0_none_811bc0006c44242b\\comctl32.dll")
Region:
id = 355
start_va = 0x4710000
end_va = 0x485ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004710000"
filename = ""
Region:
id = 356
start_va = 0x7c0000
end_va = 0x7c0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000007c0000"
filename = ""
Region:
id = 357
start_va = 0x4710000
end_va = 0x47cbfff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004710000"
filename = ""
Region:
id = 358
start_va = 0x4850000
end_va = 0x485ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004850000"
filename = ""
Region:
id = 359
start_va = 0x7c0000
end_va = 0x7c3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000007c0000"
filename = ""
Region:
id = 360
start_va = 0x7d0000
end_va = 0x7d3fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000007d0000"
filename = ""
Region:
id = 361
start_va = 0x4860000
end_va = 0x4a6afff
monitored = 0
entry_point = 0x490b0a0
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll")
Region:
id = 362
start_va = 0x6f4a0000
end_va = 0x6f6aefff
monitored = 0
entry_point = 0x6f54b0a0
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_d3c2e4e965da4528\\comctl32.dll")
Region:
id = 363
start_va = 0x20a0000
end_va = 0x20a0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "windowsshell.manifest"
filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")
Region:
id = 364
start_va = 0x20b0000
end_va = 0x20b1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000020b0000"
filename = ""
Region:
id = 365
start_va = 0x4860000
end_va = 0x4a3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004860000"
filename = ""
Region:
id = 366
start_va = 0x70720000
end_va = 0x7073cfff
monitored = 0
entry_point = 0x70723b10
region_type = mapped_file
name = "dwmapi.dll"
filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll")
Region:
id = 367
start_va = 0x20a0000
end_va = 0x20affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000020a0000"
filename = ""
Region:
id = 368
start_va = 0x2110000
end_va = 0x211ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002110000"
filename = ""
Region:
id = 369
start_va = 0x2120000
end_va = 0x212ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002120000"
filename = ""
Region:
id = 370
start_va = 0x2130000
end_va = 0x213ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002130000"
filename = ""
Region:
id = 371
start_va = 0x2140000
end_va = 0x214ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002140000"
filename = ""
Region:
id = 372
start_va = 0x2150000
end_va = 0x215ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002150000"
filename = ""
Region:
id = 373
start_va = 0x2160000
end_va = 0x216ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002160000"
filename = ""
Region:
id = 374
start_va = 0x2170000
end_va = 0x217ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002170000"
filename = ""
Region:
id = 375
start_va = 0x6c820000
end_va = 0x6c98afff
monitored = 0
entry_point = 0x6c88e360
region_type = mapped_file
name = "gdiplus.dll"
filename = "\\Windows\\WinSxS\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10586.0_none_538a540779726150\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.10586.0_none_538a540779726150\\gdiplus.dll")
Region:
id = 376
start_va = 0x4860000
end_va = 0x49cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004860000"
filename = ""
Region:
id = 377
start_va = 0x4a30000
end_va = 0x4a3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004a30000"
filename = ""
Region:
id = 378
start_va = 0x2110000
end_va = 0x214ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002110000"
filename = ""
Region:
id = 379
start_va = 0x4860000
end_va = 0x495ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004860000"
filename = ""
Region:
id = 380
start_va = 0x49c0000
end_va = 0x49cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000049c0000"
filename = ""
Region:
id = 381
start_va = 0x74c60000
end_va = 0x74d7efff
monitored = 0
entry_point = 0x74ca5980
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll")
Region:
id = 382
start_va = 0x6f060000
end_va = 0x6f250fff
monitored = 0
entry_point = 0x6f143cd0
region_type = mapped_file
name = "dwrite.dll"
filename = "\\Windows\\SysWOW64\\DWrite.dll" (normalized: "c:\\windows\\syswow64\\dwrite.dll")
Region:
id = 383
start_va = 0x2150000
end_va = 0x2198fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "~fontcache-system.dat"
filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-System.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-system.dat")
Region:
id = 384
start_va = 0x20a0000
end_va = 0x20a3fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000020a0000"
filename = ""
Region:
id = 385
start_va = 0x4a40000
end_va = 0x5a3ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "~fontcache-fontface.dat"
filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-FontFace.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-fontface.dat")
Region:
id = 386
start_va = 0x21a0000
end_va = 0x21a3fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000021a0000"
filename = ""
Region:
id = 387
start_va = 0x5a40000
end_va = 0x5b3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005a40000"
filename = ""
Region:
id = 388
start_va = 0x5b40000
end_va = 0x5c3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005b40000"
filename = ""
Region:
id = 389
start_va = 0x5c40000
end_va = 0x6131fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000005c40000"
filename = ""
Region:
id = 390
start_va = 0x6140000
end_va = 0x61fcfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "micross.ttf"
filename = "\\Windows\\Fonts\\micross.ttf" (normalized: "c:\\windows\\fonts\\micross.ttf")
Region:
id = 391
start_va = 0x6200000
end_va = 0x65fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006200000"
filename = ""
Region:
id = 392
start_va = 0x47d0000
end_va = 0x480afff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "verdana.ttf"
filename = "\\Windows\\Fonts\\verdana.ttf" (normalized: "c:\\windows\\fonts\\verdana.ttf")
Region:
id = 393
start_va = 0x4810000
end_va = 0x4845fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "verdanai.ttf"
filename = "\\Windows\\Fonts\\verdanai.ttf" (normalized: "c:\\windows\\fonts\\verdanai.ttf")
Region:
id = 394
start_va = 0x4960000
end_va = 0x4992fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "verdanab.ttf"
filename = "\\Windows\\Fonts\\verdanab.ttf" (normalized: "c:\\windows\\fonts\\verdanab.ttf")
Region:
id = 395
start_va = 0x49d0000
end_va = 0x4a07fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "verdanaz.ttf"
filename = "\\Windows\\Fonts\\verdanaz.ttf" (normalized: "c:\\windows\\fonts\\verdanaz.ttf")
Region:
id = 396
start_va = 0x690f0000
end_va = 0x69801fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.core.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\abad45b9cc652ba7e38c4c837234c0ab\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.core\\abad45b9cc652ba7e38c4c837234c0ab\\system.core.ni.dll")
Region:
id = 397
start_va = 0x6c730000
end_va = 0x6c81efff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.configuration.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Configuration\\1b51e779650e38bb712f3e535efcf132\\System.Configuration.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.configuration\\1b51e779650e38bb712f3e535efcf132\\system.configuration.ni.dll")
Region:
id = 398
start_va = 0x70ce0000
end_va = 0x70e5dfff
monitored = 0
entry_point = 0x70d5c630
region_type = mapped_file
name = "urlmon.dll"
filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll")
Region:
id = 399
start_va = 0x775e0000
end_va = 0x7766cfff
monitored = 0
entry_point = 0x77629b90
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll")
Region:
id = 400
start_va = 0x72420000
end_va = 0x726eafff
monitored = 0
entry_point = 0x7265c4c0
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll")
Region:
id = 401
start_va = 0x74e20000
end_va = 0x74e63fff
monitored = 0
entry_point = 0x74e27410
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll")
Region:
id = 402
start_va = 0x76a90000
end_va = 0x76ac6fff
monitored = 0
entry_point = 0x76a93b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll")
Region:
id = 403
start_va = 0x76e20000
end_va = 0x77318fff
monitored = 0
entry_point = 0x77027610
region_type = mapped_file
name = "windows.storage.dll"
filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll")
Region:
id = 404
start_va = 0x77670000
end_va = 0x7767efff
monitored = 0
entry_point = 0x77672e40
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll")
Region:
id = 405
start_va = 0x21b0000
end_va = 0x21b0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000021b0000"
filename = ""
Region:
id = 406
start_va = 0x49a0000
end_va = 0x49a0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000049a0000"
filename = ""
Region:
id = 407
start_va = 0x70770000
end_va = 0x70782fff
monitored = 0
entry_point = 0x70779950
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll")
Region:
id = 408
start_va = 0x70740000
end_va = 0x7076efff
monitored = 0
entry_point = 0x707595e0
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll")
Region:
id = 409
start_va = 0x74560000
end_va = 0x7457afff
monitored = 0
entry_point = 0x74569050
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll")
Region:
id = 410
start_va = 0x75690000
end_va = 0x76a8efff
monitored = 0
entry_point = 0x7584b990
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll")
Region:
id = 414
start_va = 0x6600000
end_va = 0x663ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006600000"
filename = ""
Region:
id = 415
start_va = 0x6640000
end_va = 0x673ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006640000"
filename = ""
Region:
id = 416
start_va = 0x6740000
end_va = 0x677ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006740000"
filename = ""
Region:
id = 417
start_va = 0x6780000
end_va = 0x687ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006780000"
filename = ""
Region:
id = 418
start_va = 0x689d0000
end_va = 0x690e5fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.xml.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Xml\\1f87b5140145c221b5201351fffc52d8\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.xml\\1f87b5140145c221b5201351fffc52d8\\system.xml.ni.dll")
Region:
id = 419
start_va = 0x49b0000
end_va = 0x49bdfff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000049b0000"
filename = ""
Region:
id = 420
start_va = 0x4a10000
end_va = 0x4a1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004a10000"
filename = ""
Region:
id = 421
start_va = 0x5e430000
end_va = 0x5e4cbfff
monitored = 1
entry_point = 0x5e4be9b2
region_type = mapped_file
name = "microsoft.visualbasic.dll"
filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\v4.0_10.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\microsoft.visualbasic\\v4.0_10.0.0.0__b03f5f7f11d50a3a\\microsoft.visualbasic.dll")
Region:
id = 422
start_va = 0x6880000
end_va = 0x691bfff
monitored = 1
entry_point = 0x690e9b2
region_type = mapped_file
name = "microsoft.visualbasic.dll"
filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_MSIL\\Microsoft.VisualBasic\\v4.0_10.0.0.0__b03f5f7f11d50a3a\\Microsoft.VisualBasic.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_msil\\microsoft.visualbasic\\v4.0_10.0.0.0__b03f5f7f11d50a3a\\microsoft.visualbasic.dll")
Region:
id = 423
start_va = 0x4a10000
end_va = 0x4a1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004a10000"
filename = ""
Region:
id = 424
start_va = 0x4a20000
end_va = 0x4a2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004a20000"
filename = ""
Region:
id = 425
start_va = 0x4a20000
end_va = 0x4a2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004a20000"
filename = ""
Region:
id = 426
start_va = 0x6920000
end_va = 0x6981fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "mscorrc.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscorrc.dll")
Region:
id = 427
start_va = 0x4a20000
end_va = 0x4a2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004a20000"
filename = ""
Region:
id = 428
start_va = 0x6990000
end_va = 0x6a0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006990000"
filename = ""
Region:
id = 429
start_va = 0x68850000
end_va = 0x689c2fff
monitored = 0
entry_point = 0x688fd220
region_type = mapped_file
name = "windowscodecs.dll"
filename = "\\Windows\\SysWOW64\\WindowsCodecs.dll" (normalized: "c:\\windows\\syswow64\\windowscodecs.dll")
Region:
id = 430
start_va = 0x6a10000
end_va = 0x6a6efff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006a10000"
filename = ""
Region:
id = 431
start_va = 0x6a70000
end_va = 0x6a9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006a70000"
filename = ""
Region:
id = 432
start_va = 0x6a70000
end_va = 0x6a7ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006a70000"
filename = ""
Region:
id = 433
start_va = 0x6a80000
end_va = 0x6a8ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006a80000"
filename = ""
Region:
id = 434
start_va = 0x6a90000
end_va = 0x6a9ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006a90000"
filename = ""
Region:
id = 435
start_va = 0x6aa0000
end_va = 0x6afefff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006aa0000"
filename = ""
Region:
id = 436
start_va = 0x6b00000
end_va = 0x6b0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b00000"
filename = ""
Region:
id = 437
start_va = 0x6b10000
end_va = 0x6b1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b10000"
filename = ""
Region:
id = 438
start_va = 0x6b10000
end_va = 0x6b1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b10000"
filename = ""
Region:
id = 439
start_va = 0x6b20000
end_va = 0x6b2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b20000"
filename = ""
Region:
id = 440
start_va = 0x6b30000
end_va = 0x6b3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b30000"
filename = ""
Region:
id = 441
start_va = 0x6b40000
end_va = 0x6b4ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b40000"
filename = ""
Region:
id = 442
start_va = 0x6b50000
end_va = 0x6b5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b50000"
filename = ""
Region:
id = 443
start_va = 0x6b60000
end_va = 0x6b6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b60000"
filename = ""
Region:
id = 444
start_va = 0x6b70000
end_va = 0x6b7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b70000"
filename = ""
Region:
id = 445
start_va = 0x6b80000
end_va = 0x6b8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b80000"
filename = ""
Region:
id = 446
start_va = 0x6b90000
end_va = 0x6b9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b90000"
filename = ""
Region:
id = 447
start_va = 0x6ba0000
end_va = 0x6baffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006ba0000"
filename = ""
Region:
id = 448
start_va = 0x6bb0000
end_va = 0x6bbffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006bb0000"
filename = ""
Region:
id = 449
start_va = 0x6bc0000
end_va = 0x6bcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006bc0000"
filename = ""
Region:
id = 450
start_va = 0x6bd0000
end_va = 0x6bdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006bd0000"
filename = ""
Region:
id = 451
start_va = 0x6be0000
end_va = 0x6beffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006be0000"
filename = ""
Region:
id = 452
start_va = 0x6bf0000
end_va = 0x6bfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006bf0000"
filename = ""
Region:
id = 453
start_va = 0x6c00000
end_va = 0x6c0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006c00000"
filename = ""
Region:
id = 454
start_va = 0x6c10000
end_va = 0x6c1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006c10000"
filename = ""
Region:
id = 455
start_va = 0x6b10000
end_va = 0x6b1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b10000"
filename = ""
Region:
id = 456
start_va = 0x6b10000
end_va = 0x6b1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b10000"
filename = ""
Region:
id = 457
start_va = 0x6b10000
end_va = 0x6b1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b10000"
filename = ""
Region:
id = 458
start_va = 0x6b10000
end_va = 0x6b1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b10000"
filename = ""
Region:
id = 459
start_va = 0x6b10000
end_va = 0x6b1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b10000"
filename = ""
Region:
id = 460
start_va = 0x6b10000
end_va = 0x6b1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b10000"
filename = ""
Region:
id = 461
start_va = 0x6b10000
end_va = 0x6b1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b10000"
filename = ""
Region:
id = 462
start_va = 0x6b10000
end_va = 0x6b1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b10000"
filename = ""
Region:
id = 463
start_va = 0x6b10000
end_va = 0x6b1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b10000"
filename = ""
Region:
id = 464
start_va = 0x6b10000
end_va = 0x6b1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b10000"
filename = ""
Region:
id = 465
start_va = 0x6b10000
end_va = 0x6b1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b10000"
filename = ""
Region:
id = 466
start_va = 0x6b10000
end_va = 0x6b1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b10000"
filename = ""
Region:
id = 467
start_va = 0x6b10000
end_va = 0x6b1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b10000"
filename = ""
Region:
id = 468
start_va = 0x70900000
end_va = 0x70927fff
monitored = 0
entry_point = 0x70907820
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll")
Region:
id = 469
start_va = 0x6b10000
end_va = 0x6b1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b10000"
filename = ""
Region:
id = 470
start_va = 0x6b10000
end_va = 0x6b1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b10000"
filename = ""
Region:
id = 471
start_va = 0x6b10000
end_va = 0x6b1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b10000"
filename = ""
Region:
id = 472
start_va = 0x6b10000
end_va = 0x6b1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b10000"
filename = ""
Region:
id = 473
start_va = 0x6b10000
end_va = 0x6b1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b10000"
filename = ""
Region:
id = 474
start_va = 0x687d0000
end_va = 0x68840fff
monitored = 0
entry_point = 0x688269e0
region_type = mapped_file
name = "efswrt.dll"
filename = "\\Windows\\SysWOW64\\efswrt.dll" (normalized: "c:\\windows\\syswow64\\efswrt.dll")
Region:
id = 475
start_va = 0x74490000
end_va = 0x74557fff
monitored = 0
entry_point = 0x744fae90
region_type = mapped_file
name = "wintypes.dll"
filename = "\\Windows\\SysWOW64\\WinTypes.dll" (normalized: "c:\\windows\\syswow64\\wintypes.dll")
Region:
id = 476
start_va = 0x68780000
end_va = 0x687c8fff
monitored = 0
entry_point = 0x68786450
region_type = mapped_file
name = "edputil.dll"
filename = "\\Windows\\SysWOW64\\edputil.dll" (normalized: "c:\\windows\\syswow64\\edputil.dll")
Region:
id = 477
start_va = 0x6b10000
end_va = 0x6c0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b10000"
filename = ""
Region:
id = 478
start_va = 0x6c10000
end_va = 0x6c1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006c10000"
filename = ""
Region:
id = 479
start_va = 0x6c10000
end_va = 0x6c4ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006c10000"
filename = ""
Region:
id = 480
start_va = 0x6c50000
end_va = 0x6d4ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006c50000"
filename = ""
Region:
id = 481
start_va = 0x72850000
end_va = 0x7299afff
monitored = 0
entry_point = 0x728b1660
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll")
Region:
id = 482
start_va = 0x6d50000
end_va = 0x6d8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006d50000"
filename = ""
Region:
id = 483
start_va = 0x6d90000
end_va = 0x6e8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006d90000"
filename = ""
Region:
id = 484
start_va = 0x6e90000
end_va = 0x6e90fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006e90000"
filename = ""
Region:
id = 485
start_va = 0x75220000
end_va = 0x752a3fff
monitored = 0
entry_point = 0x75246220
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")
Region:
id = 486
start_va = 0x741a0000
end_va = 0x743bbfff
monitored = 0
entry_point = 0x7436bc40
region_type = mapped_file
name = "actxprxy.dll"
filename = "\\Windows\\SysWOW64\\actxprxy.dll" (normalized: "c:\\windows\\syswow64\\actxprxy.dll")
Region:
id = 487
start_va = 0x6ea0000
end_va = 0x6ea0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000006ea0000"
filename = ""
Region:
id = 488
start_va = 0x6eb0000
end_va = 0x6eeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006eb0000"
filename = ""
Region:
id = 489
start_va = 0x6ef0000
end_va = 0x6feffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006ef0000"
filename = ""
Region:
id = 490
start_va = 0x6ff0000
end_va = 0x6ff3fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.1.db"
filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db")
Region:
id = 491
start_va = 0x7000000
end_va = 0x7012fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000a.db"
filename = "\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x000000000000000a.db" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x000000000000000a.db")
Region:
id = 492
start_va = 0x7020000
end_va = 0x7020fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000007020000"
filename = ""
Region:
id = 493
start_va = 0x6ff0000
end_va = 0x6ff3fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 494
start_va = 0x7030000
end_va = 0x7074fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000005.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db")
Region:
id = 495
start_va = 0x7080000
end_va = 0x7083fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 496
start_va = 0x7090000
end_va = 0x711dfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db")
Region:
id = 497
start_va = 0x7120000
end_va = 0x7121fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000007120000"
filename = ""
Region:
id = 498
start_va = 0x7130000
end_va = 0x7130fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000007130000"
filename = ""
Region:
id = 499
start_va = 0x7140000
end_va = 0x753afff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000007140000"
filename = ""
Region:
id = 500
start_va = 0x7540000
end_va = 0x757ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007540000"
filename = ""
Region:
id = 501
start_va = 0x7580000
end_va = 0x767ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007580000"
filename = ""
Region:
id = 1158
start_va = 0x6a10000
end_va = 0x6a1ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006a10000"
filename = ""
Region:
id = 1159
start_va = 0x6a20000
end_va = 0x6a2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006a20000"
filename = ""
Region:
id = 1160
start_va = 0x6a30000
end_va = 0x6a3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006a30000"
filename = ""
Region:
id = 1161
start_va = 0x6a40000
end_va = 0x6a4ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006a40000"
filename = ""
Region:
id = 1190
start_va = 0x6a20000
end_va = 0x6a5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006a20000"
filename = ""
Region:
id = 1191
start_va = 0x6c10000
end_va = 0x6d0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006c10000"
filename = ""
Thread:
id = 1
os_tid = 0xda0
[0106.342] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0
[0107.836] RoInitialize () returned 0x1
[0107.836] RoUninitialize () returned 0x0
[0113.389] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Windows.Forms\\v4.0_4.0.0.0__b77a5c561934e089\\System.Windows.Forms.dll", nBufferLength=0x105, lpBuffer=0x19ef18, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.Net\\assembly\\GAC_MSIL\\System.Windows.Forms\\v4.0_4.0.0.0__b77a5c561934e089\\System.Windows.Forms.dll", lpFilePart=0x0) returned 0x77
[0113.430] IsAppThemed () returned 0x1
[0113.438] CoTaskMemAlloc (cb=0xf0) returned 0x835630
[0113.439] CreateActCtxA (pActCtx=0x19f414) returned 0x8346c4
[0113.788] CoTaskMemFree (pv=0x835630)
[0113.829] RegisterClipboardFormatW (lpszFormat="WM_GETCONTROLNAME") returned 0xc1da
[0113.830] RegisterClipboardFormatW (lpszFormat="WM_GETCONTROLTYPE") returned 0xc1d4
[0113.919] GetSystemMetrics (nIndex=75) returned 1
[0113.931] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x0
[0115.000] LoadLibraryW (lpLibFileName="comctl32.dll") returned 0x6c990000
[0115.084] AdjustWindowRectEx (in: lpRect=0x19f468, dwStyle=0x56cf0000, bMenu=0, dwExStyle=0x50001 | out: lpRect=0x19f468) returned 1
[0115.089] GetCurrentProcess () returned 0xffffffff
[0115.089] GetCurrentThread () returned 0xfffffffe
[0115.089] GetCurrentProcess () returned 0xffffffff
[0115.089] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x19f380, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x19f380*=0x264) returned 1
[0115.093] GetCurrentThreadId () returned 0xda0
[0115.122] GetCurrentActCtx (in: lphActCtx=0x19f2e0 | out: lphActCtx=0x19f2e0*=0x0) returned 1
[0115.122] ActivateActCtx (in: hActCtx=0x8346c4, lpCookie=0x19f2f0 | out: hActCtx=0x8346c4, lpCookie=0x19f2f0) returned 1
[0115.123] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x0
[0116.292] LoadLibraryW (lpLibFileName="comctl32.dll") returned 0x6f4a0000
[0116.313] GetModuleHandleW (lpModuleName="user32.dll") returned 0x750d0000
[0116.313] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="DefWindowProcW", cchWideChar=14, lpMultiByteStr=0x19f1a8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DefWindowProcW ié\x06P\x8b «\x05lhö\x19", lpUsedDefaultChar=0x0) returned 14
[0116.313] GetProcAddress (hModule=0x750d0000, lpProcName="DefWindowProcW") returned 0x748407e0
[0116.315] GetStockObject (i=5) returned 0x1900015
[0116.350] GetModuleHandleW (lpModuleName=0x0) returned 0x400000
[0116.358] CoTaskMemAlloc (cb=0x5c) returned 0x83b5e8
[0116.358] RegisterClassW (lpWndClass=0x19f198) returned 0xc150
[0116.359] CoTaskMemFree (pv=0x83b5e8)
[0116.359] GetModuleHandleW (lpModuleName=0x0) returned 0x400000
[0116.360] CreateWindowExW (dwExStyle=0x0, lpClassName="WindowsForms10.Window.8.app.0.141b42a_r10_ad1", lpWindowName=0x0, dwStyle=0x2010000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0xfffffffd, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x110338
[0116.361] SetWindowLongW (hWnd=0x110338, nIndex=-4, dwNewLong=1954809824) returned 77792702
[0116.363] GetWindowLongW (hWnd=0x110338, nIndex=-4) returned 1954809824
[0116.372] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\.NETFramework", ulOptions=0x0, samDesired=0x20019, phkResult=0x19e9f4 | out: phkResult=0x19e9f4*=0x288) returned 0x0
[0116.373] RegQueryValueExW (in: hKey=0x288, lpValueName="DbgJITDebugLaunchSetting", lpReserved=0x0, lpType=0x19ea14, lpData=0x0, lpcbData=0x19ea10*=0x0 | out: lpType=0x19ea14*=0x0, lpData=0x0, lpcbData=0x19ea10*=0x0) returned 0x2
[0116.373] RegQueryValueExW (in: hKey=0x288, lpValueName="DbgManagedDebugger", lpReserved=0x0, lpType=0x19ea14, lpData=0x0, lpcbData=0x19ea10*=0x0 | out: lpType=0x19ea14*=0x0, lpData=0x0, lpcbData=0x19ea10*=0x0) returned 0x2
[0116.373] RegCloseKey (hKey=0x288) returned 0x0
[0116.380] SetWindowLongW (hWnd=0x110338, nIndex=-4, dwNewLong=77792742) returned 1954809824
[0116.380] GetWindowLongW (hWnd=0x110338, nIndex=-4) returned 77792742
[0116.380] GetWindowLongW (hWnd=0x110338, nIndex=-16) returned 113311744
[0116.381] RegisterClipboardFormatW (lpszFormat="WinFormsMouseEnter") returned 0xc1d2
[0116.385] CallWindowProcW (lpPrevWndFunc=0x748407e0, hWnd=0x110338, Msg=0x24, wParam=0x0, lParam=0x19ed0c) returned 0x0
[0116.385] RegisterClipboardFormatW (lpszFormat="WinFormsUnSubclass") returned 0xc1d3
[0116.386] CallWindowProcW (lpPrevWndFunc=0x748407e0, hWnd=0x110338, Msg=0x81, wParam=0x0, lParam=0x19ed00) returned 0x1
[0116.387] CallWindowProcW (lpPrevWndFunc=0x748407e0, hWnd=0x110338, Msg=0x83, wParam=0x0, lParam=0x19ecec) returned 0x0
[0116.668] CallWindowProcW (lpPrevWndFunc=0x748407e0, hWnd=0x110338, Msg=0x1, wParam=0x0, lParam=0x19ed00) returned 0x0
[0116.669] GetClientRect (in: hWnd=0x110338, lpRect=0x19ea2c | out: lpRect=0x19ea2c) returned 1
[0116.669] GetWindowRect (in: hWnd=0x110338, lpRect=0x19ea2c | out: lpRect=0x19ea2c) returned 1
[0116.672] GetParent (hWnd=0x110338) returned 0x0
[0116.672] DeactivateActCtx (dwFlags=0x0, ulCookie=0x173b0001) returned 1
[0117.269] GetSystemDefaultLCID () returned 0x409
[0117.269] GetStockObject (i=17) returned 0x10a0047
[0117.274] GetObjectW (in: h=0x10a0047, c=92, pv=0x19ed8c | out: pv=0x19ed8c) returned 92
[0117.276] GetDC (hWnd=0x0) returned 0xe0106ca
[0117.950] GdiplusStartup (in: token=0x5c6828, input=0x19e350, output=0x19e3a0 | out: token=0x5c6828, output=0x19e3a0) returned 0x0
[0117.958] CoTaskMemAlloc (cb=0x5c) returned 0x83b448
[0118.671] GdipCreateFontFromLogfontW (hdc=0xe0106ca, logfont=0x83b448, font=0x19ee54) returned 0x0
[0121.991] CoTaskMemFree (pv=0x83b448)
[0121.993] CoTaskMemAlloc (cb=0x5c) returned 0x83af68
[0121.993] CoTaskMemFree (pv=0x83af68)
[0121.994] CoTaskMemAlloc (cb=0x5c) returned 0x83ae98
[0121.994] CoTaskMemFree (pv=0x83ae98)
[0121.994] GdipGetFontUnit (font=0x49c1f08, unit=0x19ee20) returned 0x0
[0121.994] GdipGetFontSize (font=0x49c1f08, size=0x19ee24) returned 0x0
[0121.995] GdipGetFontStyle (font=0x49c1f08, style=0x19ee1c) returned 0x0
[0121.995] GdipGetFamily (font=0x49c1f08, family=0x19ee18) returned 0x0
[0121.996] GdipGetFontSize (font=0x49c1f08, size=0x22d8b14) returned 0x0
[0121.996] ReleaseDC (hWnd=0x0, hDC=0xe0106ca) returned 1
[0121.997] GetDC (hWnd=0x0) returned 0xa0100d0
[0121.997] GdipCreateFromHDC (hdc=0xa0100d0, graphics=0x19ee40) returned 0x0
[0122.225] GdipGetDpiY (graphics=0x5b4f268, dpi=0x22d8c1c) returned 0x0
[0122.225] GdipGetFontHeight (font=0x49c1f08, graphics=0x5b4f268, height=0x19ee38) returned 0x0
[0122.226] GdipGetEmHeight (family=0x5b45758, style=0, EmHeight=0x19ee40) returned 0x0
[0122.226] GdipGetLineSpacing (family=0x5b45758, style=0, LineSpacing=0x19ee40) returned 0x0
[0122.226] GdipDeleteGraphics (graphics=0x5b4f268) returned 0x0
[0122.234] ReleaseDC (hWnd=0x0, hDC=0xa0100d0) returned 1
[0122.235] GdipCreateFont (fontFamily=0x5b45758, emSize=0x41040000, style=0, unit=0x3, font=0x22d8bdc) returned 0x0
[0122.235] GdipGetFontSize (font=0x49cefc0, size=0x22d8be0) returned 0x0
[0122.235] GdipDeleteFont (font=0x49c1f08) returned 0x0
[0122.235] GetDC (hWnd=0x0) returned 0xa0100d0
[0122.236] GdipCreateFromHDC (hdc=0xa0100d0, graphics=0x19eea4) returned 0x0
[0122.236] GdipGetFontHeight (font=0x49cefc0, graphics=0x5b4f268, height=0x19ee9c) returned 0x0
[0122.236] GdipDeleteGraphics (graphics=0x5b4f268) returned 0x0
[0122.236] ReleaseDC (hWnd=0x0, hDC=0xa0100d0) returned 1
[0122.246] GetSystemMetrics (nIndex=5) returned 1
[0122.246] GetSystemMetrics (nIndex=6) returned 1
[0122.247] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0122.248] AdjustWindowRectEx (in: lpRect=0x19efcc, dwStyle=0x560101c0, bMenu=0, dwExStyle=0x200 | out: lpRect=0x19efcc) returned 1
[0122.248] GetDC (hWnd=0x0) returned 0xa0100d0
[0122.248] GdipCreateFromHDC (hdc=0xa0100d0, graphics=0x19eea4) returned 0x0
[0122.249] GdipGetFontHeight (font=0x49cefc0, graphics=0x5b4f268, height=0x19ee9c) returned 0x0
[0122.249] GdipDeleteGraphics (graphics=0x5b4f268) returned 0x0
[0122.249] ReleaseDC (hWnd=0x0, hDC=0xa0100d0) returned 1
[0122.249] GetSystemMetrics (nIndex=5) returned 1
[0122.249] GetSystemMetrics (nIndex=6) returned 1
[0122.249] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0122.250] AdjustWindowRectEx (in: lpRect=0x19efcc, dwStyle=0x560101c0, bMenu=0, dwExStyle=0x200 | out: lpRect=0x19efcc) returned 1
[0122.250] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0122.250] AdjustWindowRectEx (in: lpRect=0x19efcc, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19efcc) returned 1
[0122.250] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0122.251] AdjustWindowRectEx (in: lpRect=0x19efcc, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19efcc) returned 1
[0122.251] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0122.251] AdjustWindowRectEx (in: lpRect=0x19efcc, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19efcc) returned 1
[0122.251] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0122.251] AdjustWindowRectEx (in: lpRect=0x19efcc, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19efcc) returned 1
[0122.251] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0122.251] AdjustWindowRectEx (in: lpRect=0x19efcc, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19efcc) returned 1
[0122.251] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0122.252] AdjustWindowRectEx (in: lpRect=0x19efcc, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19efcc) returned 1
[0122.252] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0122.252] AdjustWindowRectEx (in: lpRect=0x19efcc, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19efcc) returned 1
[0122.252] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0122.252] AdjustWindowRectEx (in: lpRect=0x19efcc, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19efcc) returned 1
[0122.253] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0122.253] AdjustWindowRectEx (in: lpRect=0x19efcc, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19efcc) returned 1
[0122.254] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0122.255] AdjustWindowRectEx (in: lpRect=0x19efd0, dwStyle=0x5601008d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19efd0) returned 1
[0122.255] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0122.255] AdjustWindowRectEx (in: lpRect=0x19efd0, dwStyle=0x5601008d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19efd0) returned 1
[0122.283] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0122.284] AdjustWindowRectEx (in: lpRect=0x19efb4, dwStyle=0x56010000, bMenu=0, dwExStyle=0x10000 | out: lpRect=0x19efb4) returned 1
[0122.284] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0122.284] AdjustWindowRectEx (in: lpRect=0x19efcc, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19efcc) returned 1
[0122.438] GetProcessWindowStation () returned 0xf0
[0122.480] GetUserObjectInformationA (in: hObj=0xf0, nIndex=1, pvInfo=0x22da9c8, nLength=0xc, lpnLengthNeeded=0x19ef00 | out: pvInfo=0x22da9c8, lpnLengthNeeded=0x19ef00) returned 1
[0122.519] SetConsoleCtrlHandler (HandlerRoutine=0x4a3060e, Add=1) returned 1
[0122.520] GetModuleHandleW (lpModuleName=0x0) returned 0x400000
[0122.521] GetModuleHandleW (lpModuleName=0x0) returned 0x400000
[0122.523] GetClassInfoW (in: hInstance=0x400000, lpClassName=".NET-BroadcastEventWindow.4.0.0.0.141b42a.0", lpWndClass=0x22daa2c | out: lpWndClass=0x22daa2c) returned 0
[0122.525] CoTaskMemAlloc (cb=0x58) returned 0x838018
[0122.525] RegisterClassW (lpWndClass=0x19ee50) returned 0xc1db
[0122.529] CoTaskMemFree (pv=0x838018)
[0122.530] CreateWindowExW (dwExStyle=0x0, lpClassName=".NET-BroadcastEventWindow.4.0.0.0.141b42a.0", lpWindowName=".NET-BroadcastEventWindow.4.0.0.0.141b42a.0", dwStyle=0x80000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x20370
[0122.535] NtdllDefWindowProc_W (hWnd=0x20370, Msg=0x81, wParam=0x0, lParam=0x19e990) returned 0x1
[0122.578] NtdllDefWindowProc_W (hWnd=0x20370, Msg=0x83, wParam=0x0, lParam=0x19e97c) returned 0x0
[0122.578] NtdllDefWindowProc_W (hWnd=0x20370, Msg=0x1, wParam=0x0, lParam=0x19e990) returned 0x0
[0122.579] NtdllDefWindowProc_W (hWnd=0x20370, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0
[0122.579] NtdllDefWindowProc_W (hWnd=0x20370, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0
[0122.783] GetSysColor (nIndex=10) returned 0xb4b4b4
[0122.783] GetSysColor (nIndex=2) returned 0xd1b499
[0122.783] GetSysColor (nIndex=9) returned 0x0
[0122.783] GetSysColor (nIndex=12) returned 0xababab
[0122.783] GetSysColor (nIndex=15) returned 0xf0f0f0
[0122.783] GetSysColor (nIndex=20) returned 0xffffff
[0122.783] GetSysColor (nIndex=16) returned 0xa0a0a0
[0122.783] GetSysColor (nIndex=15) returned 0xf0f0f0
[0122.783] GetSysColor (nIndex=16) returned 0xa0a0a0
[0122.784] GetSysColor (nIndex=21) returned 0x696969
[0122.784] GetSysColor (nIndex=22) returned 0xe3e3e3
[0122.784] GetSysColor (nIndex=20) returned 0xffffff
[0122.784] GetSysColor (nIndex=18) returned 0x0
[0122.784] GetSysColor (nIndex=1) returned 0x0
[0122.784] GetSysColor (nIndex=27) returned 0xead1b9
[0122.784] GetSysColor (nIndex=28) returned 0xf2e4d7
[0122.784] GetSysColor (nIndex=17) returned 0x6d6d6d
[0122.784] GetSysColor (nIndex=13) returned 0xff9933
[0122.784] GetSysColor (nIndex=14) returned 0xffffff
[0122.784] GetSysColor (nIndex=26) returned 0xcc6600
[0122.784] GetSysColor (nIndex=11) returned 0xfcf7f4
[0122.784] GetSysColor (nIndex=3) returned 0xdbcdbf
[0122.784] GetSysColor (nIndex=19) returned 0x0
[0122.784] GetSysColor (nIndex=24) returned 0xe1ffff
[0122.784] GetSysColor (nIndex=23) returned 0x0
[0122.784] GetSysColor (nIndex=4) returned 0xf0f0f0
[0122.784] GetSysColor (nIndex=30) returned 0xf0f0f0
[0122.784] GetSysColor (nIndex=29) returned 0xff9933
[0122.784] GetSysColor (nIndex=7) returned 0x0
[0122.784] GetSysColor (nIndex=0) returned 0xc8c8c8
[0122.785] GetSysColor (nIndex=5) returned 0xffffff
[0122.785] GetSysColor (nIndex=6) returned 0x646464
[0122.785] GetSysColor (nIndex=8) returned 0x0
[0123.028] IsAppThemed () returned 0x1
[0123.028] GetThemeAppProperties () returned 0x3
[0123.028] GetThemeAppProperties () returned 0x3
[0123.029] OpenThemeData () returned 0x20002
[0123.029] GetSystemMetrics (nIndex=5) returned 1
[0123.029] GetSystemMetrics (nIndex=6) returned 1
[0123.030] GdipCreateFontFamilyFromName (name="Verdana", fontCollection=0x0, fontFamily=0x19efac) returned 0x0
[0123.030] GdipCreateFont (fontFamily=0x5b49a10, emSize=0x417c0000, style=1, unit=0x3, font=0x22db290) returned 0x0
[0123.939] GdipGetFontSize (font=0x49c1f08, size=0x22db294) returned 0x0
[0124.012] GetDC (hWnd=0x0) returned 0xa0100d0
[0124.012] GdipCreateFromHDC (hdc=0xa0100d0, graphics=0x19ef6c) returned 0x0
[0124.013] GdipGetFontHeight (font=0x49c1f08, graphics=0x5b4f3b8, height=0x19ef64) returned 0x0
[0124.013] GdipDeleteGraphics (graphics=0x5b4f3b8) returned 0x0
[0124.013] ReleaseDC (hWnd=0x0, hDC=0xa0100d0) returned 1
[0124.018] GetDC (hWnd=0x0) returned 0xa0100d0
[0124.018] GdipCreateFromHDC (hdc=0xa0100d0, graphics=0x19eefc) returned 0x0
[0124.019] GdipGetFontHeight (font=0x49c1f08, graphics=0x5b4f3b8, height=0x19eef4) returned 0x0
[0124.019] GdipDeleteGraphics (graphics=0x5b4f3b8) returned 0x0
[0124.019] ReleaseDC (hWnd=0x0, hDC=0xa0100d0) returned 1
[0124.020] GetSystemMetrics (nIndex=5) returned 1
[0124.020] GetSystemMetrics (nIndex=6) returned 1
[0124.020] GetSystemMetrics (nIndex=5) returned 1
[0124.020] GetSystemMetrics (nIndex=6) returned 1
[0124.021] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0124.021] AdjustWindowRectEx (in: lpRect=0x19eec0, dwStyle=0x560100c0, bMenu=0, dwExStyle=0x200 | out: lpRect=0x19eec0) returned 1
[0124.021] GetSystemMetrics (nIndex=5) returned 1
[0124.021] GetSystemMetrics (nIndex=6) returned 1
[0124.021] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0124.022] AdjustWindowRectEx (in: lpRect=0x19ef30, dwStyle=0x560100c0, bMenu=0, dwExStyle=0x200 | out: lpRect=0x19ef30) returned 1
[0124.022] GetSystemMetrics (nIndex=5) returned 1
[0124.022] GetSystemMetrics (nIndex=6) returned 1
[0124.022] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0124.022] AdjustWindowRectEx (in: lpRect=0x19ef30, dwStyle=0x560100c0, bMenu=0, dwExStyle=0x200 | out: lpRect=0x19ef30) returned 1
[0124.023] IsAppThemed () returned 0x1
[0124.023] GetThemeAppProperties () returned 0x3
[0124.023] GetThemeAppProperties () returned 0x3
[0124.023] GetSystemMetrics (nIndex=5) returned 1
[0124.023] GetSystemMetrics (nIndex=6) returned 1
[0124.023] GdipCreateFontFamilyFromName (name="Verdana", fontCollection=0x0, fontFamily=0x19efac) returned 0x0
[0124.024] GdipCreateFont (fontFamily=0x5b49a10, emSize=0x417c0000, style=1, unit=0x3, font=0x22db634) returned 0x0
[0124.024] GdipGetFontSize (font=0x5b4b080, size=0x22db638) returned 0x0
[0124.024] GetDC (hWnd=0x0) returned 0xa0100d0
[0124.025] GdipCreateFromHDC (hdc=0xa0100d0, graphics=0x19ef6c) returned 0x0
[0124.025] GdipGetFontHeight (font=0x5b4b080, graphics=0x5b4f3b8, height=0x19ef64) returned 0x0
[0124.025] GdipDeleteGraphics (graphics=0x5b4f3b8) returned 0x0
[0124.025] ReleaseDC (hWnd=0x0, hDC=0xa0100d0) returned 1
[0124.025] GetDC (hWnd=0x0) returned 0xa0100d0
[0124.026] GdipCreateFromHDC (hdc=0xa0100d0, graphics=0x19eefc) returned 0x0
[0124.026] GdipGetFontHeight (font=0x5b4b080, graphics=0x5b4f3b8, height=0x19eef4) returned 0x0
[0124.026] GdipDeleteGraphics (graphics=0x5b4f3b8) returned 0x0
[0124.026] ReleaseDC (hWnd=0x0, hDC=0xa0100d0) returned 1
[0124.026] GetSystemMetrics (nIndex=5) returned 1
[0124.026] GetSystemMetrics (nIndex=6) returned 1
[0124.026] GetSystemMetrics (nIndex=5) returned 1
[0124.026] GetSystemMetrics (nIndex=6) returned 1
[0124.026] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0124.027] AdjustWindowRectEx (in: lpRect=0x19eec0, dwStyle=0x560100c0, bMenu=0, dwExStyle=0x200 | out: lpRect=0x19eec0) returned 1
[0124.027] GetSystemMetrics (nIndex=5) returned 1
[0124.027] GetSystemMetrics (nIndex=6) returned 1
[0124.027] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0124.032] AdjustWindowRectEx (in: lpRect=0x19ef30, dwStyle=0x560100c0, bMenu=0, dwExStyle=0x200 | out: lpRect=0x19ef30) returned 1
[0124.032] GetSystemMetrics (nIndex=5) returned 1
[0124.032] GetSystemMetrics (nIndex=6) returned 1
[0124.032] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0124.032] AdjustWindowRectEx (in: lpRect=0x19ef30, dwStyle=0x560100c0, bMenu=0, dwExStyle=0x200 | out: lpRect=0x19ef30) returned 1
[0124.126] GdipCreateFontFamilyFromName (name="Verdana", fontCollection=0x0, fontFamily=0x19efac) returned 0x0
[0124.126] GdipCreateFont (fontFamily=0x5b49a10, emSize=0x41640000, style=0, unit=0x3, font=0x22db910) returned 0x0
[0124.126] GdipGetFontSize (font=0x5b4f3b8, size=0x22db914) returned 0x0
[0124.264] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0124.265] AdjustWindowRectEx (in: lpRect=0x19ef5c, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef5c) returned 1
[0124.265] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0124.265] AdjustWindowRectEx (in: lpRect=0x19ef5c, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef5c) returned 1
[0124.266] GdipCreateFontFamilyFromName (name="Verdana", fontCollection=0x0, fontFamily=0x19efac) returned 0x0
[0124.266] GdipCreateFont (fontFamily=0x5b49a10, emSize=0x41640000, style=0, unit=0x3, font=0x22dbbc8) returned 0x0
[0124.266] GdipGetFontSize (font=0x5b4f3e0, size=0x22dbbcc) returned 0x0
[0124.266] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0124.267] AdjustWindowRectEx (in: lpRect=0x19ef5c, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef5c) returned 1
[0124.267] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0124.267] AdjustWindowRectEx (in: lpRect=0x19ef5c, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef5c) returned 1
[0124.267] GdipCreateFontFamilyFromName (name="Verdana", fontCollection=0x0, fontFamily=0x19efac) returned 0x0
[0124.267] GdipCreateFont (fontFamily=0x5b49a10, emSize=0x41640000, style=0, unit=0x3, font=0x22dbe80) returned 0x0
[0124.267] GdipGetFontSize (font=0x5b4f408, size=0x22dbe84) returned 0x0
[0124.267] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0124.267] AdjustWindowRectEx (in: lpRect=0x19ef5c, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef5c) returned 1
[0124.268] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0124.268] AdjustWindowRectEx (in: lpRect=0x19ef5c, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef5c) returned 1
[0124.268] GdipCreateFontFamilyFromName (name="Verdana", fontCollection=0x0, fontFamily=0x19efac) returned 0x0
[0124.268] GdipCreateFont (fontFamily=0x5b49a10, emSize=0x41640000, style=0, unit=0x3, font=0x22dc138) returned 0x0
[0124.268] GdipGetFontSize (font=0x5b4f430, size=0x22dc13c) returned 0x0
[0124.268] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0124.268] AdjustWindowRectEx (in: lpRect=0x19ef5c, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef5c) returned 1
[0124.269] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0124.269] AdjustWindowRectEx (in: lpRect=0x19ef5c, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef5c) returned 1
[0124.269] GdipCreateFontFamilyFromName (name="Verdana", fontCollection=0x0, fontFamily=0x19efac) returned 0x0
[0124.269] GdipCreateFont (fontFamily=0x5b49a10, emSize=0x41640000, style=0, unit=0x3, font=0x22dc3f0) returned 0x0
[0124.269] GdipGetFontSize (font=0x5b4f458, size=0x22dc3f4) returned 0x0
[0124.269] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0124.269] AdjustWindowRectEx (in: lpRect=0x19ef5c, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef5c) returned 1
[0124.270] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0124.270] AdjustWindowRectEx (in: lpRect=0x19ef5c, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef5c) returned 1
[0124.270] GdipCreateFontFamilyFromName (name="Verdana", fontCollection=0x0, fontFamily=0x19efac) returned 0x0
[0124.270] GdipCreateFont (fontFamily=0x5b49a10, emSize=0x41640000, style=0, unit=0x3, font=0x22dc6a8) returned 0x0
[0124.270] GdipGetFontSize (font=0x5b4f480, size=0x22dc6ac) returned 0x0
[0124.270] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0124.270] AdjustWindowRectEx (in: lpRect=0x19ef5c, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef5c) returned 1
[0124.270] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0124.270] AdjustWindowRectEx (in: lpRect=0x19ef5c, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef5c) returned 1
[0124.270] GdipCreateFontFamilyFromName (name="Verdana", fontCollection=0x0, fontFamily=0x19efac) returned 0x0
[0124.271] GdipCreateFont (fontFamily=0x5b49a10, emSize=0x41640000, style=0, unit=0x3, font=0x22dc960) returned 0x0
[0124.271] GdipGetFontSize (font=0x5b4f4a8, size=0x22dc964) returned 0x0
[0124.271] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0124.271] AdjustWindowRectEx (in: lpRect=0x19ef5c, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef5c) returned 1
[0124.271] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0124.271] AdjustWindowRectEx (in: lpRect=0x19ef5c, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef5c) returned 1
[0124.271] GdipCreateFontFamilyFromName (name="Verdana", fontCollection=0x0, fontFamily=0x19efac) returned 0x0
[0124.271] GdipCreateFont (fontFamily=0x5b49a10, emSize=0x41640000, style=0, unit=0x3, font=0x22dcc18) returned 0x0
[0124.271] GdipGetFontSize (font=0x5b4f4d0, size=0x22dcc1c) returned 0x0
[0124.272] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0124.272] AdjustWindowRectEx (in: lpRect=0x19ef5c, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef5c) returned 1
[0124.272] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0124.272] AdjustWindowRectEx (in: lpRect=0x19ef5c, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef5c) returned 1
[0124.272] GdipCreateFontFamilyFromName (name="Verdana", fontCollection=0x0, fontFamily=0x19efac) returned 0x0
[0124.272] GdipCreateFont (fontFamily=0x5b49a10, emSize=0x41640000, style=0, unit=0x3, font=0x22dce54) returned 0x0
[0124.272] GdipGetFontSize (font=0x5b4f4f8, size=0x22dce58) returned 0x0
[0124.272] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0124.272] AdjustWindowRectEx (in: lpRect=0x19ef5c, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef5c) returned 1
[0124.272] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0124.273] AdjustWindowRectEx (in: lpRect=0x19ef5c, dwStyle=0x5601000b, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef5c) returned 1
[0124.375] GdipCreateFontFamilyFromName (name="Verdana", fontCollection=0x0, fontFamily=0x19efac) returned 0x0
[0124.375] GdipCreateFont (fontFamily=0x5b49a10, emSize=0x41640000, style=0, unit=0x3, font=0x22dd044) returned 0x0
[0124.375] GdipGetFontSize (font=0x5b4f520, size=0x22dd048) returned 0x0
[0124.376] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0124.376] AdjustWindowRectEx (in: lpRect=0x19ef30, dwStyle=0x5680000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef30) returned 1
[0124.376] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0124.377] AdjustWindowRectEx (in: lpRect=0x19ef30, dwStyle=0x5680000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef30) returned 1
[0124.386] GdipCreateFontFamilyFromName (name="Verdana", fontCollection=0x0, fontFamily=0x19efac) returned 0x0
[0124.387] GdipCreateFont (fontFamily=0x5b49a10, emSize=0x41640000, style=0, unit=0x3, font=0x22dd25c) returned 0x0
[0124.387] GdipGetFontSize (font=0x5b4f548, size=0x22dd260) returned 0x0
[0124.387] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0124.388] AdjustWindowRectEx (in: lpRect=0x19ef30, dwStyle=0x5680000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef30) returned 1
[0124.388] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x6c990000
[0124.388] AdjustWindowRectEx (in: lpRect=0x19ef30, dwStyle=0x5680000d, bMenu=0, dwExStyle=0x0 | out: lpRect=0x19ef30) returned 1
[0124.395] GetCurrentThreadId () returned 0xda0
[0124.395] GetCurrentThreadId () returned 0xda0
[0124.396] GetCurrentThreadId () returned 0xda0
[0124.396] GetCurrentThreadId () returned 0xda0
[0124.396] GetCurrentThreadId () returned 0xda0
[0124.396] GetCurrentThreadId () returned 0xda0
[0124.396] GetCurrentThreadId () returned 0xda0
[0124.396] GetCurrentThreadId () returned 0xda0
[0124.396] GetCurrentThreadId () returned 0xda0
[0124.396] GetCurrentThreadId () returned 0xda0
[0124.396] GetCurrentThreadId () returned 0xda0
[0124.396] GetCurrentThreadId () returned 0xda0
[0124.396] GetCurrentThreadId () returned 0xda0
[0124.396] GetCurrentThreadId () returned 0xda0
[0128.151] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe.config", nBufferLength=0x105, lpBuffer=0x19e904, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe.config", lpFilePart=0x0) returned 0x69
[0128.151] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe.config", nBufferLength=0x105, lpBuffer=0x19e8ac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe.config", lpFilePart=0x0) returned 0x69
[0136.335] CoTaskMemAlloc (cb=0x20c) returned 0x854900
[0136.335] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x854900 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming") returned 0x0
[0136.338] CoTaskMemFree (pv=0x854900)
[0136.338] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0x19e8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming", lpFilePart=0x0) returned 0x25
[0136.339] CoTaskMemAlloc (cb=0x20c) returned 0x854900
[0136.339] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x854900 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0
[0136.341] CoTaskMemFree (pv=0x854900)
[0136.341] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", nBufferLength=0x105, lpBuffer=0x19e8a0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpFilePart=0x0) returned 0x23
[0136.348] CoCreateGuid (in: pguid=0x19e65c | out: pguid=0x19e65c*(Data1=0xc3846c0e, Data2=0x5086, Data3=0x4505, Data4=([0]=0xb7, [1]=0x92, [2]=0x3a, [3]=0x45, [4]=0xb5, [5]=0xd, [6]=0xd9, [7]=0x4e))) returned 0x0
[0136.348] CoCreateGuid (in: pguid=0x19e65c | out: pguid=0x19e65c*(Data1=0x6b714c9a, Data2=0xe195, Data3=0x4c1c, Data4=([0]=0xbf, [1]=0xc6, [2]=0x90, [3]=0xde, [4]=0x6e, [5]=0xdf, [6]=0x99, [7]=0x90))) returned 0x0
[0136.351] CoCreateGuid (in: pguid=0x19e65c | out: pguid=0x19e65c*(Data1=0x5df707b4, Data2=0xadca, Data3=0x483f, Data4=([0]=0x8e, [1]=0x99, [2]=0x4e, [3]=0xdc, [4]=0xe7, [5]=0x3a, [6]=0xa7, [7]=0xd9))) returned 0x0
[0136.352] CoCreateGuid (in: pguid=0x19e65c | out: pguid=0x19e65c*(Data1=0x10ab9a28, Data2=0xecee, Data3=0x4b81, Data4=([0]=0x97, [1]=0xad, [2]=0xa2, [3]=0x95, [4]=0xa6, [5]=0xb1, [6]=0xdc, [7]=0x7))) returned 0x0
[0136.352] CoCreateGuid (in: pguid=0x19e65c | out: pguid=0x19e65c*(Data1=0x5f23e77e, Data2=0xa409, Data3=0x4150, Data4=([0]=0xb4, [1]=0x4b, [2]=0x8f, [3]=0xd7, [4]=0x15, [5]=0x46, [6]=0x6a, [7]=0xc3))) returned 0x0
[0136.352] CoCreateGuid (in: pguid=0x19e65c | out: pguid=0x19e65c*(Data1=0x6483588f, Data2=0xe2e5, Data3=0x4747, Data4=([0]=0xa9, [1]=0xfd, [2]=0xec, [3]=0xb8, [4]=0x81, [5]=0x7a, [6]=0x4a, [7]=0x8b))) returned 0x0
[0136.352] CoCreateGuid (in: pguid=0x19e65c | out: pguid=0x19e65c*(Data1=0xa1683c8b, Data2=0xf0d3, Data3=0x48c2, Data4=([0]=0x9b, [1]=0xe0, [2]=0x55, [3]=0xfc, [4]=0x59, [5]=0x40, [6]=0xa6, [7]=0x35))) returned 0x0
[0136.352] CoCreateGuid (in: pguid=0x19e65c | out: pguid=0x19e65c*(Data1=0xca550ad6, Data2=0x5eb4, Data3=0x4d47, Data4=([0]=0x83, [1]=0xc8, [2]=0xf6, [3]=0xf0, [4]=0x4f, [5]=0xff, [6]=0x4c, [7]=0x8))) returned 0x0
[0136.352] CoCreateGuid (in: pguid=0x19e65c | out: pguid=0x19e65c*(Data1=0xa623d839, Data2=0x5cd, Data3=0x4c5a, Data4=([0]=0x85, [1]=0x33, [2]=0x8d, [3]=0xe6, [4]=0x21, [5]=0x41, [6]=0x1e, [7]=0x15))) returned 0x0
[0136.352] CoCreateGuid (in: pguid=0x19e65c | out: pguid=0x19e65c*(Data1=0x623c2d88, Data2=0xe334, Data3=0x4ad8, Data4=([0]=0xb1, [1]=0x23, [2]=0xf7, [3]=0x9e, [4]=0x12, [5]=0x48, [6]=0x53, [7]=0x73))) returned 0x0
[0136.352] CoCreateGuid (in: pguid=0x19e65c | out: pguid=0x19e65c*(Data1=0xb989217a, Data2=0x4973, Data3=0x4693, Data4=([0]=0xbc, [1]=0x83, [2]=0xe7, [3]=0x8, [4]=0xc6, [5]=0x11, [6]=0xe0, [7]=0x38))) returned 0x0
[0136.352] CoCreateGuid (in: pguid=0x19e65c | out: pguid=0x19e65c*(Data1=0x1c85f202, Data2=0x11c1, Data3=0x42f3, Data4=([0]=0x8d, [1]=0xb4, [2]=0x4d, [3]=0x23, [4]=0x7b, [5]=0x27, [6]=0xb9, [7]=0x30))) returned 0x0
[0136.356] CoCreateGuid (in: pguid=0x19e780 | out: pguid=0x19e780*(Data1=0x26f23671, Data2=0xabfc, Data3=0x42af, Data4=([0]=0xa8, [1]=0x46, [2]=0x87, [3]=0xa1, [4]=0x49, [5]=0x73, [6]=0x52, [7]=0x90))) returned 0x0
[0136.356] CoCreateGuid (in: pguid=0x19e780 | out: pguid=0x19e780*(Data1=0xa2dd485b, Data2=0xaee8, Data3=0x46ff, Data4=([0]=0x9e, [1]=0x93, [2]=0x4b, [3]=0x47, [4]=0x0, [5]=0x86, [6]=0x90, [7]=0x9a))) returned 0x0
[0136.356] CoCreateGuid (in: pguid=0x19e780 | out: pguid=0x19e780*(Data1=0x1ae25a4b, Data2=0x3d37, Data3=0x4f64, Data4=([0]=0xb5, [1]=0x1a, [2]=0x92, [3]=0x5d, [4]=0x19, [5]=0x41, [6]=0x5, [7]=0x5))) returned 0x0
[0137.306] GetCurrentProcess () returned 0xffffffff
[0137.306] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19ebe0 | out: TokenHandle=0x19ebe0*=0x214) returned 1
[0137.313] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", nBufferLength=0x105, lpBuffer=0x19e6bc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", lpFilePart=0x0) returned 0x2e
[0137.315] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x19ebe0 | out: lpFileInformation=0x19ebe0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56a29ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97df7583, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97df7583, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8c8f)) returned 1
[0137.316] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x19e688, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x43
[0137.317] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x19ebe0 | out: lpFileInformation=0x19ebe0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56a29ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97df7583, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97df7583, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8c8f)) returned 1
[0137.318] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x19e618, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x43
[0137.319] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19eb0c) returned 1
[0137.319] CreateFileW (lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3cc
[0137.320] GetFileType (hFile=0x3cc) returned 0x1
[0137.320] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19eb08) returned 1
[0137.320] GetFileType (hFile=0x3cc) returned 0x1
[0137.359] GetFileSize (in: hFile=0x3cc, lpFileSizeHigh=0x19ebd4 | out: lpFileSizeHigh=0x19ebd4*=0x0) returned 0x8c8f
[0137.360] ReadFile (in: hFile=0x3cc, lpBuffer=0x23648c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19eb90, lpOverlapped=0x0 | out: lpBuffer=0x23648c8*, lpNumberOfBytesRead=0x19eb90*=0x1000, lpOverlapped=0x0) returned 1
[0137.522] ReadFile (in: hFile=0x3cc, lpBuffer=0x23648c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19ea2c, lpOverlapped=0x0 | out: lpBuffer=0x23648c8*, lpNumberOfBytesRead=0x19ea2c*=0x1000, lpOverlapped=0x0) returned 1
[0137.532] ReadFile (in: hFile=0x3cc, lpBuffer=0x23648c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19e8e0, lpOverlapped=0x0 | out: lpBuffer=0x23648c8*, lpNumberOfBytesRead=0x19e8e0*=0x1000, lpOverlapped=0x0) returned 1
[0137.533] ReadFile (in: hFile=0x3cc, lpBuffer=0x23648c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19e8e0, lpOverlapped=0x0 | out: lpBuffer=0x23648c8*, lpNumberOfBytesRead=0x19e8e0*=0x1000, lpOverlapped=0x0) returned 1
[0137.534] ReadFile (in: hFile=0x3cc, lpBuffer=0x23648c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19e8e0, lpOverlapped=0x0 | out: lpBuffer=0x23648c8*, lpNumberOfBytesRead=0x19e8e0*=0x1000, lpOverlapped=0x0) returned 1
[0137.534] ReadFile (in: hFile=0x3cc, lpBuffer=0x23648c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19e818, lpOverlapped=0x0 | out: lpBuffer=0x23648c8*, lpNumberOfBytesRead=0x19e818*=0x1000, lpOverlapped=0x0) returned 1
[0137.538] ReadFile (in: hFile=0x3cc, lpBuffer=0x23648c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19e994, lpOverlapped=0x0 | out: lpBuffer=0x23648c8*, lpNumberOfBytesRead=0x19e994*=0x1000, lpOverlapped=0x0) returned 1
[0137.540] ReadFile (in: hFile=0x3cc, lpBuffer=0x23648c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19e8a8, lpOverlapped=0x0 | out: lpBuffer=0x23648c8*, lpNumberOfBytesRead=0x19e8a8*=0x1000, lpOverlapped=0x0) returned 1
[0137.540] ReadFile (in: hFile=0x3cc, lpBuffer=0x23648c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19e8a8, lpOverlapped=0x0 | out: lpBuffer=0x23648c8*, lpNumberOfBytesRead=0x19e8a8*=0xc8f, lpOverlapped=0x0) returned 1
[0137.541] ReadFile (in: hFile=0x3cc, lpBuffer=0x23648c8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19e968, lpOverlapped=0x0 | out: lpBuffer=0x23648c8*, lpNumberOfBytesRead=0x19e968*=0x0, lpOverlapped=0x0) returned 1
[0137.541] CloseHandle (hObject=0x3cc) returned 1
[0137.543] GetCurrentProcess () returned 0xffffffff
[0137.543] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19ed08 | out: TokenHandle=0x19ed08*=0x3cc) returned 1
[0137.543] GetCurrentProcess () returned 0xffffffff
[0137.543] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19ed08 | out: TokenHandle=0x19ed08*=0x3d0) returned 1
[0137.545] GetCurrentProcess () returned 0xffffffff
[0137.545] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19ebe0 | out: TokenHandle=0x19ebe0*=0x3d4) returned 1
[0137.545] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe.config" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x19ebe0 | out: lpFileInformation=0x19ebe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0
[0137.545] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe.config", nBufferLength=0x105, lpBuffer=0x19e688, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe.config", lpFilePart=0x0) returned 0x69
[0137.546] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe.config" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x19ebe0 | out: lpFileInformation=0x19ebe0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0
[0137.546] GetCurrentProcess () returned 0xffffffff
[0137.546] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19ed08 | out: TokenHandle=0x19ed08*=0x3d8) returned 1
[0137.547] GetCurrentProcess () returned 0xffffffff
[0137.547] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19ed08 | out: TokenHandle=0x19ed08*=0x3dc) returned 1
[0137.551] GetCurrentProcess () returned 0xffffffff
[0137.551] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19ed0c | out: TokenHandle=0x19ed0c*=0x3e0) returned 1
[0137.551] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x19e7b4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x43
[0137.551] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x19ed0c | out: lpFileInformation=0x19ed0c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56a29ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97df7583, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97df7583, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8c8f)) returned 1
[0137.552] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x19e744, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x43
[0137.552] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19ec38) returned 1
[0137.552] CreateFileW (lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x3e4
[0137.552] GetFileType (hFile=0x3e4) returned 0x1
[0137.552] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19ec34) returned 1
[0137.552] GetFileType (hFile=0x3e4) returned 0x1
[0137.553] GetFileSize (in: hFile=0x3e4, lpFileSizeHigh=0x19ed00 | out: lpFileSizeHigh=0x19ed00*=0x0) returned 0x8c8f
[0137.554] ReadFile (in: hFile=0x3e4, lpBuffer=0x237d328, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19ecbc, lpOverlapped=0x0 | out: lpBuffer=0x237d328*, lpNumberOfBytesRead=0x19ecbc*=0x1000, lpOverlapped=0x0) returned 1
[0137.554] ReadFile (in: hFile=0x3e4, lpBuffer=0x237d328, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19eb58, lpOverlapped=0x0 | out: lpBuffer=0x237d328*, lpNumberOfBytesRead=0x19eb58*=0x1000, lpOverlapped=0x0) returned 1
[0137.555] ReadFile (in: hFile=0x3e4, lpBuffer=0x237d328, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19ea0c, lpOverlapped=0x0 | out: lpBuffer=0x237d328*, lpNumberOfBytesRead=0x19ea0c*=0x1000, lpOverlapped=0x0) returned 1
[0137.555] ReadFile (in: hFile=0x3e4, lpBuffer=0x237d328, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19ea0c, lpOverlapped=0x0 | out: lpBuffer=0x237d328*, lpNumberOfBytesRead=0x19ea0c*=0x1000, lpOverlapped=0x0) returned 1
[0137.555] ReadFile (in: hFile=0x3e4, lpBuffer=0x237d328, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19ea0c, lpOverlapped=0x0 | out: lpBuffer=0x237d328*, lpNumberOfBytesRead=0x19ea0c*=0x1000, lpOverlapped=0x0) returned 1
[0137.556] ReadFile (in: hFile=0x3e4, lpBuffer=0x237d328, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19e944, lpOverlapped=0x0 | out: lpBuffer=0x237d328*, lpNumberOfBytesRead=0x19e944*=0x1000, lpOverlapped=0x0) returned 1
[0137.556] CloseHandle (hObject=0x3e4) returned 1
[0137.557] GetCurrentProcess () returned 0xffffffff
[0137.557] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19ecc8 | out: TokenHandle=0x19ecc8*=0x3e4) returned 1
[0137.557] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe.config", nBufferLength=0x105, lpBuffer=0x19e770, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe.config", lpFilePart=0x0) returned 0x69
[0137.557] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe.config" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x19ecc8 | out: lpFileInformation=0x19ecc8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0
[0137.558] GetCurrentProcess () returned 0xffffffff
[0137.558] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19ec84 | out: TokenHandle=0x19ec84*=0x3e8) returned 1
[0137.558] GetCurrentProcess () returned 0xffffffff
[0137.558] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19ec40 | out: TokenHandle=0x19ec40*=0x3ec) returned 1
[0137.560] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe.config", nBufferLength=0x105, lpBuffer=0x19e7f4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe.config", lpFilePart=0x0) returned 0x69
[0137.560] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe.config", nBufferLength=0x105, lpBuffer=0x19e79c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe.config", lpFilePart=0x0) returned 0x69
[0137.640] CoTaskMemAlloc (cb=0x20c) returned 0x85ea08
[0137.640] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x85ea08 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming") returned 0x0
[0137.640] CoTaskMemFree (pv=0x85ea08)
[0137.640] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0x19e790, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming", lpFilePart=0x0) returned 0x25
[0137.640] CoTaskMemAlloc (cb=0x20c) returned 0x85ea08
[0137.640] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x85ea08 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local") returned 0x0
[0137.641] CoTaskMemFree (pv=0x85ea08)
[0137.641] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", nBufferLength=0x105, lpBuffer=0x19e790, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local", lpFilePart=0x0) returned 0x23
[0137.642] GetCurrentProcess () returned 0xffffffff
[0137.642] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19ec2c | out: TokenHandle=0x19ec2c*=0x3f0) returned 1
[0137.643] GetCurrentProcess () returned 0xffffffff
[0137.643] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19ec2c | out: TokenHandle=0x19ec2c*=0x3f4) returned 1
[0137.643] GetCurrentProcess () returned 0xffffffff
[0137.643] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19eb04 | out: TokenHandle=0x19eb04*=0x3f8) returned 1
[0137.644] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Honda\\35147128936c2e79548e5c0a2_Url_42zafj2lpxfbh2ahd0lrlhbdwhiagxdp\\12.1.9.0\\user.config" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\honda\\35147128936c2e79548e5c0a2_url_42zafj2lpxfbh2ahd0lrlhbdwhiagxdp\\12.1.9.0\\user.config"), fInfoLevelId=0x0, lpFileInformation=0x19eb04 | out: lpFileInformation=0x19eb04*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0
[0137.644] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Honda\\35147128936c2e79548e5c0a2_Url_42zafj2lpxfbh2ahd0lrlhbdwhiagxdp\\12.1.9.0\\user.config", nBufferLength=0x105, lpBuffer=0x19e5ac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Honda\\35147128936c2e79548e5c0a2_Url_42zafj2lpxfbh2ahd0lrlhbdwhiagxdp\\12.1.9.0\\user.config", lpFilePart=0x0) returned 0x7f
[0137.645] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Honda\\35147128936c2e79548e5c0a2_Url_42zafj2lpxfbh2ahd0lrlhbdwhiagxdp\\12.1.9.0\\user.config" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\honda\\35147128936c2e79548e5c0a2_url_42zafj2lpxfbh2ahd0lrlhbdwhiagxdp\\12.1.9.0\\user.config"), fInfoLevelId=0x0, lpFileInformation=0x19eb04 | out: lpFileInformation=0x19eb04*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0
[0137.645] GetCurrentProcess () returned 0xffffffff
[0137.645] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19ec2c | out: TokenHandle=0x19ec2c*=0x3fc) returned 1
[0137.646] GetCurrentProcess () returned 0xffffffff
[0137.646] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19eb04 | out: TokenHandle=0x19eb04*=0x404) returned 1
[0137.646] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Honda\\35147128936c2e79548e5c0a2_Url_42zafj2lpxfbh2ahd0lrlhbdwhiagxdp\\12.1.9.0\\user.config" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\honda\\35147128936c2e79548e5c0a2_url_42zafj2lpxfbh2ahd0lrlhbdwhiagxdp\\12.1.9.0\\user.config"), fInfoLevelId=0x0, lpFileInformation=0x19eb04 | out: lpFileInformation=0x19eb04*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0
[0137.647] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Honda\\35147128936c2e79548e5c0a2_Url_42zafj2lpxfbh2ahd0lrlhbdwhiagxdp\\12.1.9.0\\user.config", nBufferLength=0x105, lpBuffer=0x19e5ac, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Honda\\35147128936c2e79548e5c0a2_Url_42zafj2lpxfbh2ahd0lrlhbdwhiagxdp\\12.1.9.0\\user.config", lpFilePart=0x0) returned 0x7d
[0137.647] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Honda\\35147128936c2e79548e5c0a2_Url_42zafj2lpxfbh2ahd0lrlhbdwhiagxdp\\12.1.9.0\\user.config" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\honda\\35147128936c2e79548e5c0a2_url_42zafj2lpxfbh2ahd0lrlhbdwhiagxdp\\12.1.9.0\\user.config"), fInfoLevelId=0x0, lpFileInformation=0x19eb04 | out: lpFileInformation=0x19eb04*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0
[0137.648] GetCurrentProcess () returned 0xffffffff
[0137.648] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19ed0c | out: TokenHandle=0x19ed0c*=0x408) returned 1
[0137.649] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x19e7b4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x43
[0137.649] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x19ed0c | out: lpFileInformation=0x19ed0c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x56a29ff, ftCreationTime.dwHighDateTime=0x1d112e4, ftLastAccessTime.dwLowDateTime=0x97df7583, ftLastAccessTime.dwHighDateTime=0x1d112e3, ftLastWriteTime.dwLowDateTime=0x97df7583, ftLastWriteTime.dwHighDateTime=0x1d112e3, nFileSizeHigh=0x0, nFileSizeLow=0x8c8f)) returned 1
[0137.649] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x19e744, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x43
[0137.649] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19ec38) returned 1
[0137.649] CreateFileW (lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x40c
[0137.649] GetFileType (hFile=0x40c) returned 0x1
[0137.650] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19ec34) returned 1
[0137.650] GetFileType (hFile=0x40c) returned 0x1
[0137.650] GetFileSize (in: hFile=0x40c, lpFileSizeHigh=0x19ed00 | out: lpFileSizeHigh=0x19ed00*=0x0) returned 0x8c8f
[0137.650] ReadFile (in: hFile=0x40c, lpBuffer=0x23956b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19ecbc, lpOverlapped=0x0 | out: lpBuffer=0x23956b0*, lpNumberOfBytesRead=0x19ecbc*=0x1000, lpOverlapped=0x0) returned 1
[0137.651] ReadFile (in: hFile=0x40c, lpBuffer=0x23956b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19eb58, lpOverlapped=0x0 | out: lpBuffer=0x23956b0*, lpNumberOfBytesRead=0x19eb58*=0x1000, lpOverlapped=0x0) returned 1
[0137.651] ReadFile (in: hFile=0x40c, lpBuffer=0x23956b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19ea0c, lpOverlapped=0x0 | out: lpBuffer=0x23956b0*, lpNumberOfBytesRead=0x19ea0c*=0x1000, lpOverlapped=0x0) returned 1
[0137.651] ReadFile (in: hFile=0x40c, lpBuffer=0x23956b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19ea0c, lpOverlapped=0x0 | out: lpBuffer=0x23956b0*, lpNumberOfBytesRead=0x19ea0c*=0x1000, lpOverlapped=0x0) returned 1
[0137.652] ReadFile (in: hFile=0x40c, lpBuffer=0x23956b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19ea0c, lpOverlapped=0x0 | out: lpBuffer=0x23956b0*, lpNumberOfBytesRead=0x19ea0c*=0x1000, lpOverlapped=0x0) returned 1
[0137.653] ReadFile (in: hFile=0x40c, lpBuffer=0x23956b0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x19e944, lpOverlapped=0x0 | out: lpBuffer=0x23956b0*, lpNumberOfBytesRead=0x19e944*=0x1000, lpOverlapped=0x0) returned 1
[0137.713] CloseHandle (hObject=0x40c) returned 1
[0137.714] GetCurrentProcess () returned 0xffffffff
[0137.714] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19ecc8 | out: TokenHandle=0x19ecc8*=0x40c) returned 1
[0137.714] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe.config", nBufferLength=0x105, lpBuffer=0x19e770, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe.config", lpFilePart=0x0) returned 0x69
[0137.715] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe.config" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x19ecc8 | out: lpFileInformation=0x19ecc8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0
[0137.715] GetCurrentProcess () returned 0xffffffff
[0137.716] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19ec84 | out: TokenHandle=0x19ec84*=0x410) returned 1
[0137.716] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Honda\\35147128936c2e79548e5c0a2_Url_42zafj2lpxfbh2ahd0lrlhbdwhiagxdp\\12.1.9.0\\user.config", nBufferLength=0x105, lpBuffer=0x19e72c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Honda\\35147128936c2e79548e5c0a2_Url_42zafj2lpxfbh2ahd0lrlhbdwhiagxdp\\12.1.9.0\\user.config", lpFilePart=0x0) returned 0x7f
[0137.716] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\Honda\\35147128936c2e79548e5c0a2_Url_42zafj2lpxfbh2ahd0lrlhbdwhiagxdp\\12.1.9.0\\user.config" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\honda\\35147128936c2e79548e5c0a2_url_42zafj2lpxfbh2ahd0lrlhbdwhiagxdp\\12.1.9.0\\user.config"), fInfoLevelId=0x0, lpFileInformation=0x19ec84 | out: lpFileInformation=0x19ec84*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0
[0137.716] GetCurrentProcess () returned 0xffffffff
[0137.717] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19ec40 | out: TokenHandle=0x19ec40*=0x414) returned 1
[0137.717] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Honda\\35147128936c2e79548e5c0a2_Url_42zafj2lpxfbh2ahd0lrlhbdwhiagxdp\\12.1.9.0\\user.config", nBufferLength=0x105, lpBuffer=0x19e6e8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Honda\\35147128936c2e79548e5c0a2_Url_42zafj2lpxfbh2ahd0lrlhbdwhiagxdp\\12.1.9.0\\user.config", lpFilePart=0x0) returned 0x7d
[0137.717] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Honda\\35147128936c2e79548e5c0a2_Url_42zafj2lpxfbh2ahd0lrlhbdwhiagxdp\\12.1.9.0\\user.config" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\honda\\35147128936c2e79548e5c0a2_url_42zafj2lpxfbh2ahd0lrlhbdwhiagxdp\\12.1.9.0\\user.config"), fInfoLevelId=0x0, lpFileInformation=0x19ec40 | out: lpFileInformation=0x19ec40*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0
[0137.970] GetCurrentProcess () returned 0xffffffff
[0137.970] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19eaec | out: TokenHandle=0x19eaec*=0x418) returned 1
[0137.978] GetCurrentProcess () returned 0xffffffff
[0137.978] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19ea28 | out: TokenHandle=0x19ea28*=0x41c) returned 1
[0137.994] GetCurrentProcess () returned 0xffffffff
[0137.994] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19ea74 | out: TokenHandle=0x19ea74*=0x420) returned 1
[0138.549] CreateFileMappingW (hFile=0xffffffff, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xdc00, lpName=0x0) returned 0x414
[0138.551] CloseHandle (hObject=0x414) returned 1
[0174.659] EtwEventRegister (in: ProviderId=0x2357a88, EnableCallback=0x4a3065e, CallbackContext=0x0, RegHandle=0x2357a64 | out: RegHandle=0x2357a64) returned 0x0
[0174.663] EtwEventSetInformation (RegHandle=0x853488, InformationClass=0x4c, EventInformation=0x2, InformationLength=0x2357a28) returned 0x0
[0174.670] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe.config", nBufferLength=0x105, lpBuffer=0x19e408, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe.config", lpFilePart=0x0) returned 0x69
[0174.670] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19e89c) returned 1
[0174.670] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe.config" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x19e918 | out: lpFileInformation=0x19e918*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0
[0174.671] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19e898) returned 1
[0175.624] GdipImageForceValidation (image=0x5b4f570) returned 0x0
[0175.642] GdipGetImageType (image=0x5b4f570, type=0x19e58c) returned 0x0
[0175.642] GdipGetImageRawFormat (image=0x5b4f570, format=0x19e50c*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0))) returned 0x0
[0175.660] GdipGetImageWidth (image=0x5b4f570, width=0x19eb54) returned 0x0
[0175.701] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.702] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.702] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=0, color=0x19eb40) returned 0x0
[0175.707] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.707] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.707] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=1, color=0x19eb40) returned 0x0
[0175.707] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.707] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.708] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=2, color=0x19eb40) returned 0x0
[0175.708] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.708] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.708] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=3, color=0x19eb40) returned 0x0
[0175.708] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.708] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.708] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=4, color=0x19eb40) returned 0x0
[0175.708] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.708] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.708] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=5, color=0x19eb40) returned 0x0
[0175.709] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.709] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.709] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=6, color=0x19eb40) returned 0x0
[0175.709] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.709] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.709] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=7, color=0x19eb40) returned 0x0
[0175.709] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.709] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.709] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=8, color=0x19eb40) returned 0x0
[0175.709] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.709] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.710] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=9, color=0x19eb40) returned 0x0
[0175.710] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.710] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.710] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=10, color=0x19eb40) returned 0x0
[0175.710] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.710] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.710] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=11, color=0x19eb40) returned 0x0
[0175.711] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.711] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.711] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=12, color=0x19eb40) returned 0x0
[0175.711] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.711] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.711] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=13, color=0x19eb40) returned 0x0
[0175.711] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.711] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.711] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=14, color=0x19eb40) returned 0x0
[0175.711] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.711] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.711] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=15, color=0x19eb40) returned 0x0
[0175.711] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.711] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.712] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=16, color=0x19eb40) returned 0x0
[0175.712] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.712] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.712] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=17, color=0x19eb40) returned 0x0
[0175.712] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.712] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.712] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=18, color=0x19eb40) returned 0x0
[0175.713] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.713] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.713] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=19, color=0x19eb40) returned 0x0
[0175.713] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.713] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.713] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=20, color=0x19eb40) returned 0x0
[0175.713] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.713] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.713] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=21, color=0x19eb40) returned 0x0
[0175.713] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.713] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.713] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=22, color=0x19eb40) returned 0x0
[0175.713] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.713] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.714] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=23, color=0x19eb40) returned 0x0
[0175.714] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.714] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.714] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=24, color=0x19eb40) returned 0x0
[0175.714] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.714] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.714] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=25, color=0x19eb40) returned 0x0
[0175.714] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.714] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.714] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=26, color=0x19eb40) returned 0x0
[0175.714] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.714] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.714] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=27, color=0x19eb40) returned 0x0
[0175.714] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.715] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.715] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=28, color=0x19eb40) returned 0x0
[0175.715] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.715] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.715] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=29, color=0x19eb40) returned 0x0
[0175.715] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.715] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.715] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=30, color=0x19eb40) returned 0x0
[0175.715] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.715] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.715] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=31, color=0x19eb40) returned 0x0
[0175.715] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.715] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.715] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=32, color=0x19eb40) returned 0x0
[0175.715] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.715] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.716] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=33, color=0x19eb40) returned 0x0
[0175.716] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.716] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.716] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=34, color=0x19eb40) returned 0x0
[0175.716] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.717] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.717] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=35, color=0x19eb40) returned 0x0
[0175.717] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.717] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.717] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=36, color=0x19eb40) returned 0x0
[0175.717] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.717] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.717] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=37, color=0x19eb40) returned 0x0
[0175.717] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.717] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.717] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=38, color=0x19eb40) returned 0x0
[0175.717] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.717] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.718] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=39, color=0x19eb40) returned 0x0
[0175.718] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.718] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.718] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=40, color=0x19eb40) returned 0x0
[0175.718] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.718] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.718] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=41, color=0x19eb40) returned 0x0
[0175.718] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.718] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.718] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=42, color=0x19eb40) returned 0x0
[0175.719] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.719] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.719] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=43, color=0x19eb40) returned 0x0
[0175.719] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.719] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.719] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=44, color=0x19eb40) returned 0x0
[0175.719] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.719] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.719] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=45, color=0x19eb40) returned 0x0
[0175.719] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.720] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.720] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=46, color=0x19eb40) returned 0x0
[0175.720] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.720] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.720] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=47, color=0x19eb40) returned 0x0
[0175.720] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.720] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.720] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=48, color=0x19eb40) returned 0x0
[0175.720] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.720] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.720] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=49, color=0x19eb40) returned 0x0
[0175.720] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.720] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.720] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=50, color=0x19eb40) returned 0x0
[0175.720] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.720] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.721] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=51, color=0x19eb40) returned 0x0
[0175.721] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.721] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.721] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=52, color=0x19eb40) returned 0x0
[0175.721] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.722] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.722] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=53, color=0x19eb40) returned 0x0
[0175.722] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.722] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.722] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=54, color=0x19eb40) returned 0x0
[0175.722] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.722] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.722] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=55, color=0x19eb40) returned 0x0
[0175.722] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.722] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.722] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=56, color=0x19eb40) returned 0x0
[0175.722] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.722] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.723] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=57, color=0x19eb40) returned 0x0
[0175.723] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.723] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.723] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=58, color=0x19eb40) returned 0x0
[0175.723] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.723] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.723] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=59, color=0x19eb40) returned 0x0
[0175.723] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.723] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.723] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=60, color=0x19eb40) returned 0x0
[0175.723] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.723] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.723] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=61, color=0x19eb40) returned 0x0
[0175.723] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.723] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.723] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=62, color=0x19eb40) returned 0x0
[0175.724] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.724] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.724] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=63, color=0x19eb40) returned 0x0
[0175.724] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.724] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.724] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=64, color=0x19eb40) returned 0x0
[0175.724] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.724] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.724] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=65, color=0x19eb40) returned 0x0
[0175.724] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.724] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.724] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=66, color=0x19eb40) returned 0x0
[0175.724] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.724] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.724] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=67, color=0x19eb40) returned 0x0
[0175.725] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.725] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.725] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=68, color=0x19eb40) returned 0x0
[0175.725] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.725] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.725] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=69, color=0x19eb40) returned 0x0
[0175.725] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.725] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.725] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=70, color=0x19eb40) returned 0x0
[0175.725] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.725] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.725] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=71, color=0x19eb40) returned 0x0
[0175.725] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.725] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.725] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=72, color=0x19eb40) returned 0x0
[0175.725] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.726] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.726] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=73, color=0x19eb40) returned 0x0
[0175.726] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.726] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.726] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=74, color=0x19eb40) returned 0x0
[0175.726] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.726] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.726] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=75, color=0x19eb40) returned 0x0
[0175.726] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.726] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.726] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=76, color=0x19eb40) returned 0x0
[0175.726] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.726] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.726] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=77, color=0x19eb40) returned 0x0
[0175.731] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.731] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.731] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=78, color=0x19eb40) returned 0x0
[0175.731] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.731] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.731] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=79, color=0x19eb40) returned 0x0
[0175.731] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.732] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.732] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=80, color=0x19eb40) returned 0x0
[0175.732] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.732] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.732] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=81, color=0x19eb40) returned 0x0
[0175.732] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.732] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.732] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=82, color=0x19eb40) returned 0x0
[0175.732] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.732] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.732] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=83, color=0x19eb40) returned 0x0
[0175.732] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.732] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.732] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=84, color=0x19eb40) returned 0x0
[0175.732] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.732] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.733] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=85, color=0x19eb40) returned 0x0
[0175.733] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.733] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.733] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=86, color=0x19eb40) returned 0x0
[0175.733] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.733] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.733] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=87, color=0x19eb40) returned 0x0
[0175.733] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.733] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.733] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=88, color=0x19eb40) returned 0x0
[0175.733] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.733] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.733] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=89, color=0x19eb40) returned 0x0
[0175.733] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.733] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.733] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=90, color=0x19eb40) returned 0x0
[0175.734] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.734] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.734] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=91, color=0x19eb40) returned 0x0
[0175.734] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.734] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.734] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=92, color=0x19eb40) returned 0x0
[0175.734] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.734] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.734] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=93, color=0x19eb40) returned 0x0
[0175.734] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.734] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.734] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=94, color=0x19eb40) returned 0x0
[0175.734] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.734] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.734] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=95, color=0x19eb40) returned 0x0
[0175.734] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.734] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.734] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=96, color=0x19eb40) returned 0x0
[0175.735] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.735] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.735] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=97, color=0x19eb40) returned 0x0
[0175.735] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.735] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.735] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=98, color=0x19eb40) returned 0x0
[0175.735] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.735] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.735] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=99, color=0x19eb40) returned 0x0
[0175.735] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.735] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.735] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=100, color=0x19eb40) returned 0x0
[0175.735] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.735] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.735] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=101, color=0x19eb40) returned 0x0
[0175.735] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.736] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.736] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=102, color=0x19eb40) returned 0x0
[0175.736] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.736] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.736] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=103, color=0x19eb40) returned 0x0
[0175.736] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.736] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.736] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=104, color=0x19eb40) returned 0x0
[0175.736] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.736] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.736] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=105, color=0x19eb40) returned 0x0
[0175.736] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.736] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.736] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=106, color=0x19eb40) returned 0x0
[0175.736] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.736] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.736] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=107, color=0x19eb40) returned 0x0
[0175.736] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.737] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.737] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=108, color=0x19eb40) returned 0x0
[0175.737] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.737] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.737] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=109, color=0x19eb40) returned 0x0
[0175.737] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.737] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.737] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=110, color=0x19eb40) returned 0x0
[0175.737] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.737] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.737] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=111, color=0x19eb40) returned 0x0
[0175.737] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.737] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.737] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=112, color=0x19eb40) returned 0x0
[0175.737] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.737] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.737] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=113, color=0x19eb40) returned 0x0
[0175.737] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.738] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.738] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=114, color=0x19eb40) returned 0x0
[0175.738] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.738] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.738] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=115, color=0x19eb40) returned 0x0
[0175.738] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.738] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.738] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=116, color=0x19eb40) returned 0x0
[0175.738] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.738] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.738] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=117, color=0x19eb40) returned 0x0
[0175.738] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.738] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.738] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=118, color=0x19eb40) returned 0x0
[0175.738] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.738] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.738] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=119, color=0x19eb40) returned 0x0
[0175.738] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.738] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.739] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=120, color=0x19eb40) returned 0x0
[0175.739] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.739] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.739] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=121, color=0x19eb40) returned 0x0
[0175.739] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.739] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.739] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=122, color=0x19eb40) returned 0x0
[0175.739] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.739] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.739] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=123, color=0x19eb40) returned 0x0
[0175.739] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.739] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.739] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=124, color=0x19eb40) returned 0x0
[0175.739] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.740] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.740] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=125, color=0x19eb40) returned 0x0
[0175.740] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.740] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.740] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=126, color=0x19eb40) returned 0x0
[0175.740] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.740] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.740] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=127, color=0x19eb40) returned 0x0
[0175.740] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.740] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.740] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=128, color=0x19eb40) returned 0x0
[0175.740] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.740] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.740] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=129, color=0x19eb40) returned 0x0
[0175.740] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.740] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.741] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=130, color=0x19eb40) returned 0x0
[0175.741] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.741] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.741] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=131, color=0x19eb40) returned 0x0
[0175.741] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.741] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.741] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=132, color=0x19eb40) returned 0x0
[0175.741] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.741] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.742] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=133, color=0x19eb40) returned 0x0
[0175.742] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.742] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.742] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=134, color=0x19eb40) returned 0x0
[0175.742] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.742] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.742] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=135, color=0x19eb40) returned 0x0
[0175.742] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.742] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.742] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=136, color=0x19eb40) returned 0x0
[0175.742] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.742] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.742] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=137, color=0x19eb40) returned 0x0
[0175.742] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.742] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.742] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=138, color=0x19eb40) returned 0x0
[0175.742] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.742] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.742] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=139, color=0x19eb40) returned 0x0
[0175.742] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.742] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.743] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=140, color=0x19eb40) returned 0x0
[0175.743] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.743] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.743] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=141, color=0x19eb40) returned 0x0
[0175.743] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.743] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.743] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=142, color=0x19eb40) returned 0x0
[0175.743] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.743] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.743] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=143, color=0x19eb40) returned 0x0
[0175.743] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.743] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.743] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=144, color=0x19eb40) returned 0x0
[0175.743] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.743] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.743] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=145, color=0x19eb40) returned 0x0
[0175.743] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.743] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.743] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=146, color=0x19eb40) returned 0x0
[0175.744] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.744] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.744] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=147, color=0x19eb40) returned 0x0
[0175.744] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.744] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.744] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=148, color=0x19eb40) returned 0x0
[0175.744] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.744] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.744] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=149, color=0x19eb40) returned 0x0
[0175.744] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.744] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.744] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=150, color=0x19eb40) returned 0x0
[0175.744] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.744] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.744] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=151, color=0x19eb40) returned 0x0
[0175.744] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.744] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.744] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=152, color=0x19eb40) returned 0x0
[0175.744] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.744] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.744] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=153, color=0x19eb40) returned 0x0
[0175.744] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.744] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.745] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=154, color=0x19eb40) returned 0x0
[0175.745] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.745] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.745] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=155, color=0x19eb40) returned 0x0
[0175.745] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.745] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.745] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=156, color=0x19eb40) returned 0x0
[0175.745] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.745] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.745] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=157, color=0x19eb40) returned 0x0
[0175.745] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.745] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.745] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=158, color=0x19eb40) returned 0x0
[0175.745] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.745] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.745] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=159, color=0x19eb40) returned 0x0
[0175.745] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.745] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.745] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=160, color=0x19eb40) returned 0x0
[0175.745] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.745] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.745] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=161, color=0x19eb40) returned 0x0
[0175.746] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.746] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.746] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=162, color=0x19eb40) returned 0x0
[0175.746] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.746] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.746] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=163, color=0x19eb40) returned 0x0
[0175.746] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.746] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.746] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=164, color=0x19eb40) returned 0x0
[0175.746] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.746] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.746] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=165, color=0x19eb40) returned 0x0
[0175.746] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.746] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.746] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=166, color=0x19eb40) returned 0x0
[0175.746] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.746] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.747] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=167, color=0x19eb40) returned 0x0
[0175.747] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.747] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.747] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=168, color=0x19eb40) returned 0x0
[0175.747] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.747] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.747] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=169, color=0x19eb40) returned 0x0
[0175.747] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.747] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.747] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=170, color=0x19eb40) returned 0x0
[0175.747] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.747] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.747] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=171, color=0x19eb40) returned 0x0
[0175.747] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.747] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.747] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=172, color=0x19eb40) returned 0x0
[0175.748] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.748] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.748] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=173, color=0x19eb40) returned 0x0
[0175.748] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.748] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.748] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=174, color=0x19eb40) returned 0x0
[0175.748] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.748] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.748] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=175, color=0x19eb40) returned 0x0
[0175.748] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.748] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.748] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=176, color=0x19eb40) returned 0x0
[0175.748] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.748] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.748] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=177, color=0x19eb40) returned 0x0
[0175.748] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.748] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.748] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=178, color=0x19eb40) returned 0x0
[0175.748] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.748] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.749] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=179, color=0x19eb40) returned 0x0
[0175.749] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.749] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.749] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=180, color=0x19eb40) returned 0x0
[0175.750] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.750] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.751] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=181, color=0x19eb40) returned 0x0
[0175.751] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.751] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.751] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=182, color=0x19eb40) returned 0x0
[0175.751] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.751] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.751] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=183, color=0x19eb40) returned 0x0
[0175.751] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.751] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.751] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=184, color=0x19eb40) returned 0x0
[0175.751] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.751] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.751] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=185, color=0x19eb40) returned 0x0
[0175.751] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.751] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.751] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=186, color=0x19eb40) returned 0x0
[0175.751] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.751] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.751] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=187, color=0x19eb40) returned 0x0
[0175.751] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.752] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.752] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=188, color=0x19eb40) returned 0x0
[0175.752] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.752] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.752] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=189, color=0x19eb40) returned 0x0
[0175.752] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.752] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.752] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=190, color=0x19eb40) returned 0x0
[0175.752] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.752] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.752] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=191, color=0x19eb40) returned 0x0
[0175.752] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.752] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.752] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=192, color=0x19eb40) returned 0x0
[0175.752] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.753] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.753] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=193, color=0x19eb40) returned 0x0
[0175.753] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.753] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.753] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=194, color=0x19eb40) returned 0x0
[0175.753] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.753] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.753] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=195, color=0x19eb40) returned 0x0
[0175.753] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.753] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.753] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=196, color=0x19eb40) returned 0x0
[0175.753] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.753] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.753] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=197, color=0x19eb40) returned 0x0
[0175.753] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.754] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.754] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=198, color=0x19eb40) returned 0x0
[0175.754] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.754] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.754] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=199, color=0x19eb40) returned 0x0
[0175.754] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.754] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.754] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=200, color=0x19eb40) returned 0x0
[0175.754] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.754] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.754] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=201, color=0x19eb40) returned 0x0
[0175.754] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.754] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.754] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=202, color=0x19eb40) returned 0x0
[0175.754] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.754] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.754] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=203, color=0x19eb40) returned 0x0
[0175.754] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.755] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.755] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=204, color=0x19eb40) returned 0x0
[0175.755] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.755] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.755] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=205, color=0x19eb40) returned 0x0
[0175.755] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.755] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.755] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=206, color=0x19eb40) returned 0x0
[0175.755] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.755] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.755] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=207, color=0x19eb40) returned 0x0
[0175.755] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.755] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.755] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=208, color=0x19eb40) returned 0x0
[0175.755] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.755] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.755] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=209, color=0x19eb40) returned 0x0
[0175.755] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.755] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.755] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=210, color=0x19eb40) returned 0x0
[0175.755] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.755] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.756] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=211, color=0x19eb40) returned 0x0
[0175.756] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.756] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.756] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=212, color=0x19eb40) returned 0x0
[0175.756] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.756] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.756] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=213, color=0x19eb40) returned 0x0
[0175.756] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.756] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.756] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=214, color=0x19eb40) returned 0x0
[0175.756] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.756] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.756] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=215, color=0x19eb40) returned 0x0
[0175.756] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.756] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.756] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=216, color=0x19eb40) returned 0x0
[0175.756] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.757] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.757] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=217, color=0x19eb40) returned 0x0
[0175.757] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.757] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.757] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=218, color=0x19eb40) returned 0x0
[0175.757] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.757] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.757] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=219, color=0x19eb40) returned 0x0
[0175.757] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.757] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.757] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=220, color=0x19eb40) returned 0x0
[0175.757] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.757] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.757] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=221, color=0x19eb40) returned 0x0
[0175.757] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.757] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.757] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=222, color=0x19eb40) returned 0x0
[0175.757] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.758] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.758] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=223, color=0x19eb40) returned 0x0
[0175.758] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.758] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.758] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=224, color=0x19eb40) returned 0x0
[0175.758] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.758] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.758] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=225, color=0x19eb40) returned 0x0
[0175.758] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.758] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.758] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=226, color=0x19eb40) returned 0x0
[0175.758] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.758] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.758] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=227, color=0x19eb40) returned 0x0
[0175.758] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.758] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.758] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=228, color=0x19eb40) returned 0x0
[0175.758] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.758] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.759] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=229, color=0x19eb40) returned 0x0
[0175.759] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.759] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.759] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=230, color=0x19eb40) returned 0x0
[0175.759] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.759] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.759] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=231, color=0x19eb40) returned 0x0
[0175.759] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.759] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.759] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=232, color=0x19eb40) returned 0x0
[0175.759] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.759] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.759] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=233, color=0x19eb40) returned 0x0
[0175.759] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.759] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.759] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=234, color=0x19eb40) returned 0x0
[0175.759] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.759] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.759] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=235, color=0x19eb40) returned 0x0
[0175.759] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.760] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.760] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=236, color=0x19eb40) returned 0x0
[0175.760] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.760] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.760] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=237, color=0x19eb40) returned 0x0
[0175.760] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.760] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.760] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=238, color=0x19eb40) returned 0x0
[0175.760] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.760] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.760] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=239, color=0x19eb40) returned 0x0
[0175.760] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.760] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.760] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=240, color=0x19eb40) returned 0x0
[0175.760] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.760] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.760] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=241, color=0x19eb40) returned 0x0
[0175.760] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.760] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.760] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=242, color=0x19eb40) returned 0x0
[0175.761] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.761] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.761] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=243, color=0x19eb40) returned 0x0
[0175.761] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.761] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.761] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=244, color=0x19eb40) returned 0x0
[0175.761] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.761] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.761] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=245, color=0x19eb40) returned 0x0
[0175.761] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.761] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.761] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=246, color=0x19eb40) returned 0x0
[0175.761] GdipGetImageWidth (image=0x5b4f570, width=0x19eb30) returned 0x0
[0175.761] GdipGetImageHeight (image=0x5b4f570, height=0x19eb30) returned 0x0
[0175.761] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=247, color=0x19eb40) returned 0x0
[0175.761] GdipBitmapGetPixel (bitmap=0x5b4f570, x=0, y=248, color=0x19eb40) returned 0x0
[0175.890] CreateFileMappingW (hFile=0xffffffff, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x5e200, lpName=0x0) returned 0x40c
[0175.896] CloseHandle (hObject=0x40c) returned 1
[0176.307] CoTaskMemAlloc (cb=0xd) returned 0x851850
[0176.307] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x24ee29c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0176.308] LoadLibraryA (lpLibFileName="kernel32") returned 0x74f30000
[0176.309] CoTaskMemFree (pv=0x851850)
[0176.313] CoTaskMemAlloc (cb=0x11) returned 0x84e4a0
[0176.313] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ResumeThread", cchWideChar=12, lpMultiByteStr=0x24ee2d4, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ResumeThread", lpUsedDefaultChar=0x0) returned 12
[0176.314] GetProcAddress (hModule=0x74f30000, lpProcName="ResumeThread") returned 0x74f4a800
[0176.315] CoTaskMemFree (pv=0x84e4a0)
[0176.318] CoTaskMemAlloc (cb=0xd) returned 0x851820
[0176.318] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x24ee3ac, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0176.318] LoadLibraryA (lpLibFileName="kernel32") returned 0x74f30000
[0176.319] CoTaskMemFree (pv=0x851820)
[0176.319] CoTaskMemAlloc (cb=0x1a) returned 0x856fd8
[0176.319] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Wow64SetThreadContext", cchWideChar=21, lpMultiByteStr=0x24ee3e4, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Wow64SetThreadContext", lpUsedDefaultChar=0x0) returned 21
[0176.319] GetProcAddress (hModule=0x74f30000, lpProcName="Wow64SetThreadContext") returned 0x74f73e60
[0176.319] CoTaskMemFree (pv=0x856fd8)
[0176.323] CoTaskMemAlloc (cb=0xd) returned 0x8518c8
[0176.323] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x24ee4b0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0176.323] LoadLibraryA (lpLibFileName="kernel32") returned 0x74f30000
[0176.323] CoTaskMemFree (pv=0x8518c8)
[0176.323] CoTaskMemAlloc (cb=0x15) returned 0x84e260
[0176.323] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="SetThreadContext", cchWideChar=16, lpMultiByteStr=0x24ee4e8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetThreadContext", lpUsedDefaultChar=0x0) returned 16
[0176.324] GetProcAddress (hModule=0x74f30000, lpProcName="SetThreadContext") returned 0x74f72490
[0176.324] CoTaskMemFree (pv=0x84e260)
[0176.324] CoTaskMemAlloc (cb=0xd) returned 0x8518f8
[0176.325] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x24ee5b0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0176.325] LoadLibraryA (lpLibFileName="kernel32") returned 0x74f30000
[0176.325] CoTaskMemFree (pv=0x8518f8)
[0176.325] CoTaskMemAlloc (cb=0x1a) returned 0x857050
[0176.325] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Wow64GetThreadContext", cchWideChar=21, lpMultiByteStr=0x24ee5e8, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Wow64GetThreadContext", lpUsedDefaultChar=0x0) returned 21
[0176.326] GetProcAddress (hModule=0x74f30000, lpProcName="Wow64GetThreadContext") returned 0x74f73e30
[0176.326] CoTaskMemFree (pv=0x857050)
[0176.326] CoTaskMemAlloc (cb=0xd) returned 0x8518b0
[0176.326] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x24ee6b4, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0176.326] LoadLibraryA (lpLibFileName="kernel32") returned 0x74f30000
[0176.327] CoTaskMemFree (pv=0x8518b0)
[0176.327] CoTaskMemAlloc (cb=0x15) returned 0x84e4a0
[0176.327] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetThreadContext", cchWideChar=16, lpMultiByteStr=0x24ee6ec, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThreadContext", lpUsedDefaultChar=0x0) returned 16
[0176.327] GetProcAddress (hModule=0x74f30000, lpProcName="GetThreadContext") returned 0x74f4ec60
[0176.327] CoTaskMemFree (pv=0x84e4a0)
[0176.328] CoTaskMemAlloc (cb=0xd) returned 0x851820
[0176.328] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x24ee7a8, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0176.328] LoadLibraryA (lpLibFileName="kernel32") returned 0x74f30000
[0176.329] CoTaskMemFree (pv=0x851820)
[0176.329] CoTaskMemAlloc (cb=0x13) returned 0x84e4a0
[0176.329] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="VirtualAllocEx", cchWideChar=14, lpMultiByteStr=0x24ee7e0, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VirtualAllocEx", lpUsedDefaultChar=0x0) returned 14
[0176.329] GetProcAddress (hModule=0x74f30000, lpProcName="VirtualAllocEx") returned 0x74f72730
[0176.329] CoTaskMemFree (pv=0x84e4a0)
[0176.332] CoTaskMemAlloc (cb=0xd) returned 0x851820
[0176.332] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x24ee89c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0176.332] LoadLibraryA (lpLibFileName="kernel32") returned 0x74f30000
[0176.333] CoTaskMemFree (pv=0x851820)
[0176.333] CoTaskMemAlloc (cb=0x17) returned 0x84e260
[0176.333] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="WriteProcessMemory", cchWideChar=18, lpMultiByteStr=0x24ee8d4, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WriteProcessMemory", lpUsedDefaultChar=0x0) returned 18
[0176.333] GetProcAddress (hModule=0x74f30000, lpProcName="WriteProcessMemory") returned 0x74f72850
[0176.333] CoTaskMemFree (pv=0x84e260)
[0176.338] CoTaskMemAlloc (cb=0xd) returned 0x851850
[0176.338] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x24ee998, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0176.338] LoadLibraryA (lpLibFileName="kernel32") returned 0x74f30000
[0176.338] CoTaskMemFree (pv=0x851850)
[0176.338] CoTaskMemAlloc (cb=0x16) returned 0x84e260
[0176.338] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ReadProcessMemory", cchWideChar=17, lpMultiByteStr=0x24ee9d0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ReadProcessMemory", lpUsedDefaultChar=0x0) returned 17
[0176.339] GetProcAddress (hModule=0x74f30000, lpProcName="ReadProcessMemory") returned 0x74f71c80
[0176.339] CoTaskMemFree (pv=0x84e260)
[0176.343] CoTaskMemAlloc (cb=0xa) returned 0x851820
[0176.344] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ntdll", cchWideChar=5, lpMultiByteStr=0x24eea90, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ntdll", lpUsedDefaultChar=0x0) returned 5
[0176.344] LoadLibraryA (lpLibFileName="ntdll") returned 0x77b90000
[0176.344] CoTaskMemFree (pv=0x851820)
[0176.344] CoTaskMemAlloc (cb=0x19) returned 0x8572d0
[0176.344] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ZwUnmapViewOfSection", cchWideChar=20, lpMultiByteStr=0x24eeabc, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ZwUnmapViewOfSection", lpUsedDefaultChar=0x0) returned 20
[0176.344] GetProcAddress (hModule=0x77b90000, lpProcName="ZwUnmapViewOfSection") returned 0x77c06f40
[0176.345] CoTaskMemFree (pv=0x8572d0)
[0176.348] CoTaskMemAlloc (cb=0xd) returned 0x851850
[0176.348] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="kernel32", cchWideChar=8, lpMultiByteStr=0x24eeb84, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="kernel32", lpUsedDefaultChar=0x0) returned 8
[0176.348] LoadLibraryA (lpLibFileName="kernel32") returned 0x74f30000
[0176.348] CoTaskMemFree (pv=0x851850)
[0176.348] CoTaskMemAlloc (cb=0x13) returned 0x84e4a0
[0176.348] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CreateProcessA", cchWideChar=14, lpMultiByteStr=0x24eebbc, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CreateProcessA", lpUsedDefaultChar=0x0) returned 14
[0176.349] GetProcAddress (hModule=0x74f30000, lpProcName="CreateProcessA") returned 0x74f70750
[0176.349] CoTaskMemFree (pv=0x84e4a0)
[0176.370] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe", nBufferLength=0x105, lpBuffer=0x19e114, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe", lpFilePart=0x0) returned 0x62
[0176.372] CoTaskMemAlloc (cb=0x20c) returned 0x864678
[0176.372] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x864678 | out: pszPath="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming") returned 0x0
[0176.372] CoTaskMemFree (pv=0x864678)
[0176.372] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0x19e0f8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming", lpFilePart=0x0) returned 0x25
[0176.374] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\KHDScDG.exe", nBufferLength=0x105, lpBuffer=0x19e1a4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\KHDScDG.exe", lpFilePart=0x0) returned 0x31
[0176.374] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19e604) returned 1
[0176.374] GetFileAttributesExW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\KHDScDG.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\khdscdg.exe"), fInfoLevelId=0x0, lpFileInformation=0x19e680 | out: lpFileInformation=0x19e680*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0
[0176.375] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19e600) returned 1
[0176.393] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\KHDScDG.exe", nBufferLength=0x105, lpBuffer=0x19e148, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\KHDScDG.exe", lpFilePart=0x0) returned 0x31
[0176.402] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\KHDScDG.exe", nBufferLength=0x105, lpBuffer=0x19e160, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\KHDScDG.exe", lpFilePart=0x0) returned 0x31
[0176.406] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\KHDScDG.exe", nBufferLength=0x105, lpBuffer=0x19e0a4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\KHDScDG.exe", lpFilePart=0x0) returned 0x31
[0176.416] SetNamedSecurityInfoW () returned 0x2
[0177.181] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe", nBufferLength=0x105, lpBuffer=0x19e15c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe", lpFilePart=0x0) returned 0x62
[0177.181] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\KHDScDG.exe", nBufferLength=0x105, lpBuffer=0x19e15c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\KHDScDG.exe", lpFilePart=0x0) returned 0x31
[0177.182] CopyFileW (lpExistingFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe"), lpNewFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\KHDScDG.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\roaming\\khdscdg.exe"), bFailIfExists=1) returned 1
[0179.665] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\KHDScDG.exe", nBufferLength=0x105, lpBuffer=0x19e0f4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\KHDScDG.exe", lpFilePart=0x0) returned 0x31
[0179.668] GetUserNameW (in: lpBuffer=0x19e390, pcbBuffer=0x19e608 | out: lpBuffer="RDhJ0CNFevzX", pcbBuffer=0x19e608) returned 1
[0179.687] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\KHDScDG.exe", nBufferLength=0x105, lpBuffer=0x19e064, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\KHDScDG.exe", lpFilePart=0x0) returned 0x31
[0179.689] SetFileAttributesW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\KHDScDG.exe", dwFileAttributes=0x2007) returned 1
[0179.695] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e42c, DesiredAccess=0x800, PolicyHandle=0x19e3ec | out: PolicyHandle=0x19e3ec) returned 0x0
[0179.698] CoTaskMemAlloc (cb=0x8) returned 0x84a718
[0179.700] CoTaskMemAlloc (cb=0x1a) returned 0x857258
[0179.701] LsaLookupNames2 (in: PolicyHandle=0x84e380, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e400, Sids=0x19e3f4 | out: ReferencedDomains=0x19e400, Sids=0x19e3f4) returned 0x0
[0179.707] CoTaskMemFree (pv=0x857258)
[0179.707] CoTaskMemFree (pv=0x84a718)
[0179.718] LsaClose (ObjectHandle=0x84e380) returned 0x0
[0179.719] LsaFreeMemory (Buffer=0x83afd0) returned 0x0
[0179.719] LsaFreeMemory (Buffer=0x855540) returned 0x0
[0179.720] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e42c, DesiredAccess=0x800, PolicyHandle=0x19e3ec | out: PolicyHandle=0x19e3ec) returned 0x0
[0179.721] CoTaskMemAlloc (cb=0x8) returned 0x84a718
[0179.721] CoTaskMemAlloc (cb=0x1a) returned 0x8572a8
[0179.721] LsaLookupNames2 (in: PolicyHandle=0x84e4a0, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e400, Sids=0x19e3f4 | out: ReferencedDomains=0x19e400, Sids=0x19e3f4) returned 0x0
[0179.722] CoTaskMemFree (pv=0x8572a8)
[0179.722] CoTaskMemFree (pv=0x84a718)
[0179.722] LsaClose (ObjectHandle=0x84e4a0) returned 0x0
[0179.723] LsaFreeMemory (Buffer=0x83afd0) returned 0x0
[0179.723] LsaFreeMemory (Buffer=0x854bf8) returned 0x0
[0179.724] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e42c, DesiredAccess=0x800, PolicyHandle=0x19e3ec | out: PolicyHandle=0x19e3ec) returned 0x0
[0179.725] CoTaskMemAlloc (cb=0x8) returned 0x84a718
[0179.725] CoTaskMemAlloc (cb=0x1a) returned 0x857258
[0179.725] LsaLookupNames2 (in: PolicyHandle=0x84e580, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e400, Sids=0x19e3f4 | out: ReferencedDomains=0x19e400, Sids=0x19e3f4) returned 0x0
[0179.726] CoTaskMemFree (pv=0x857258)
[0179.726] CoTaskMemFree (pv=0x84a718)
[0179.727] LsaClose (ObjectHandle=0x84e580) returned 0x0
[0179.727] LsaFreeMemory (Buffer=0x83afd0) returned 0x0
[0179.727] LsaFreeMemory (Buffer=0x855490) returned 0x0
[0179.727] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e42c, DesiredAccess=0x800, PolicyHandle=0x19e3ec | out: PolicyHandle=0x19e3ec) returned 0x0
[0179.728] CoTaskMemAlloc (cb=0x8) returned 0x84a718
[0179.728] CoTaskMemAlloc (cb=0x1a) returned 0x857258
[0179.728] LsaLookupNames2 (in: PolicyHandle=0x84e580, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e400, Sids=0x19e3f4 | out: ReferencedDomains=0x19e400, Sids=0x19e3f4) returned 0x0
[0179.729] CoTaskMemFree (pv=0x857258)
[0179.729] CoTaskMemFree (pv=0x84a718)
[0179.729] LsaClose (ObjectHandle=0x84e580) returned 0x0
[0179.729] LsaFreeMemory (Buffer=0x83afd0) returned 0x0
[0179.729] LsaFreeMemory (Buffer=0x854d00) returned 0x0
[0179.733] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e418, DesiredAccess=0x800, PolicyHandle=0x19e3d8 | out: PolicyHandle=0x19e3d8) returned 0x0
[0179.734] CoTaskMemAlloc (cb=0x8) returned 0x84a788
[0179.734] CoTaskMemAlloc (cb=0x1a) returned 0x857258
[0179.734] LsaLookupNames2 (in: PolicyHandle=0x84e260, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e3ec, Sids=0x19e3e0 | out: ReferencedDomains=0x19e3ec, Sids=0x19e3e0) returned 0x0
[0179.735] CoTaskMemFree (pv=0x857258)
[0179.735] CoTaskMemFree (pv=0x84a788)
[0179.735] LsaClose (ObjectHandle=0x84e260) returned 0x0
[0179.735] LsaFreeMemory (Buffer=0x83afd0) returned 0x0
[0179.736] LsaFreeMemory (Buffer=0x854f10) returned 0x0
[0179.736] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e42c, DesiredAccess=0x800, PolicyHandle=0x19e3ec | out: PolicyHandle=0x19e3ec) returned 0x0
[0179.736] CoTaskMemAlloc (cb=0x8) returned 0x84a718
[0179.736] CoTaskMemAlloc (cb=0x1a) returned 0x857258
[0179.736] LsaLookupNames2 (in: PolicyHandle=0x84e380, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e400, Sids=0x19e3f4 | out: ReferencedDomains=0x19e400, Sids=0x19e3f4) returned 0x0
[0179.786] CoTaskMemFree (pv=0x857258)
[0179.786] CoTaskMemFree (pv=0x84a718)
[0179.786] LsaClose (ObjectHandle=0x84e380) returned 0x0
[0179.787] LsaFreeMemory (Buffer=0x83afd0) returned 0x0
[0179.787] LsaFreeMemory (Buffer=0x854e60) returned 0x0
[0179.788] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e418, DesiredAccess=0x800, PolicyHandle=0x19e3d8 | out: PolicyHandle=0x19e3d8) returned 0x0
[0179.788] CoTaskMemAlloc (cb=0x8) returned 0x84a718
[0179.788] CoTaskMemAlloc (cb=0x1a) returned 0x857258
[0179.788] LsaLookupNames2 (in: PolicyHandle=0x84e380, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e3ec, Sids=0x19e3e0 | out: ReferencedDomains=0x19e3ec, Sids=0x19e3e0) returned 0x0
[0179.790] CoTaskMemFree (pv=0x857258)
[0179.790] CoTaskMemFree (pv=0x84a718)
[0179.790] LsaClose (ObjectHandle=0x84e380) returned 0x0
[0179.790] LsaFreeMemory (Buffer=0x83afd0) returned 0x0
[0179.790] LsaFreeMemory (Buffer=0x854c50) returned 0x0
[0179.791] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e418, DesiredAccess=0x800, PolicyHandle=0x19e3d8 | out: PolicyHandle=0x19e3d8) returned 0x0
[0179.791] CoTaskMemAlloc (cb=0x8) returned 0x84a788
[0179.791] CoTaskMemAlloc (cb=0x1a) returned 0x8572f8
[0179.791] LsaLookupNames2 (in: PolicyHandle=0x84e260, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e3ec, Sids=0x19e3e0 | out: ReferencedDomains=0x19e3ec, Sids=0x19e3e0) returned 0x0
[0179.792] CoTaskMemFree (pv=0x8572f8)
[0179.792] CoTaskMemFree (pv=0x84a788)
[0179.793] LsaClose (ObjectHandle=0x84e260) returned 0x0
[0179.793] LsaFreeMemory (Buffer=0x83afd0) returned 0x0
[0179.793] LsaFreeMemory (Buffer=0x854f10) returned 0x0
# Analyst note: this is the eighth LsaOpenPolicy -> LsaLookupNames2 -> LsaClose cycle in this
# part of the trace. Each cycle opens the local LSA policy with DesiredAccess=0x800
# (POLICY_LOOKUP_NAMES) and resolves the account name "RDhJ0CNFevzX" to a SID.
[0179.793] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e42c, DesiredAccess=0x800, PolicyHandle=0x19e3ec | out: PolicyHandle=0x19e3ec) returned 0x0
[0179.794] CoTaskMemAlloc (cb=0x8) returned 0x84a788
[0179.794] CoTaskMemAlloc (cb=0x1a) returned 0x857258
[0179.794] LsaLookupNames2 (in: PolicyHandle=0x84e260, Flags=0x0, Count=0x1, Names="RDhJ0CNFevzX", ReferencedDomains=0x19e400, Sids=0x19e3f4 | out: ReferencedDomains=0x19e400, Sids=0x19e3f4) returned 0x0
[0179.795] CoTaskMemFree (pv=0x857258)
[0179.795] CoTaskMemFree (pv=0x84a788)
[0179.795] LsaClose (ObjectHandle=0x84e260) returned 0x0
[0179.796] LsaFreeMemory (Buffer=0x83afd0) returned 0x0
[0179.796] LsaFreeMemory (Buffer=0x854e60) returned 0x0
# The lookups end in SetNamedSecurityInfoW. The monitor did not capture its arguments, so the
# object name, the SECURITY_INFORMATION flags and the new ACL are NOT visible in this log.
# The two GetFullPathNameW calls just before it suggest the target is the copy dropped at
# %APPDATA%\KHDScDG.exe - presumably an ACL change on that file; confirm by inspecting the
# file's DACL on the analysis image or from object-access audit events.
[0179.798] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\KHDScDG.exe", nBufferLength=0x105, lpBuffer=0x19e0f8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\KHDScDG.exe", lpFilePart=0x0) returned 0x31
[0179.798] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\KHDScDG.exe", nBufferLength=0x105, lpBuffer=0x19e03c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\KHDScDG.exe", lpFilePart=0x0) returned 0x31
[0179.799] SetNamedSecurityInfoW () returned 0x0
# Analyst note: group-membership check on the process's own token before the Defender change.
# TokenInformationClass=0x8 is TokenType (4-byte result). The token is then duplicated as an
# impersonation token (ImpersonationLevel=0x2, TokenType=0x2) and passed to CheckTokenMembership
# with a SID under authority 5, first sub-authority 0x20 (S-1-5-32-*, the BUILTIN domain).
# The second sub-authority is logged as 0x0, so the exact group cannot be read from this line;
# presumably this is the usual "is member of Administrators" test - confirm in the sample.
[0179.843] GetCurrentProcess () returned 0xffffffff
[0179.843] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19e4f4 | out: TokenHandle=0x19e4f4*=0x3cc) returned 1
[0179.848] GetTokenInformation (in: TokenHandle=0x3cc, TokenInformationClass=0x8, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x19e4f4 | out: TokenInformation=0x0, ReturnLength=0x19e4f4) returned 0
[0179.848] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x84a718
[0179.848] GetTokenInformation (in: TokenHandle=0x3cc, TokenInformationClass=0x8, TokenInformation=0x84a718, TokenInformationLength=0x4, ReturnLength=0x19e4f4 | out: TokenInformation=0x84a718, ReturnLength=0x19e4f4) returned 1
[0179.848] LocalFree (hMem=0x84a718) returned 0x0
[0179.849] DuplicateTokenEx (in: hExistingToken=0x3cc, dwDesiredAccess=0x8, lpTokenAttributes=0x0, ImpersonationLevel=0x2, TokenType=0x2, phNewToken=0x19e4fc | out: phNewToken=0x19e4fc*=0x428) returned 1
[0179.849] CheckTokenMembership (in: TokenHandle=0x428, SidToCheck=0x24f4f24*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), IsMember=0x19e50c | out: IsMember=0x19e50c) returned 1
[0179.849] CloseHandle (hObject=0x428) returned 1
[0179.878] LocalAlloc (uFlags=0x0, uBytes=0x16) returned 0x84e520
[0179.878] LocalAlloc (uFlags=0x0, uBytes=0xa8) returned 0x841890
# Defense evasion (MITRE ATT&CK T1562.001, Impair Defenses): powershell is started with a hidden
# window (nShow=0) to add the dropped file to Microsoft Defender's path exclusions. The call
# returns a process handle (hProcess=0x500), i.e. the child was launched.
# Detection: Defender operational event 5007 (configuration changed), process-creation and
# PowerShell script-block logging for "Add-MpPreference -ExclusionPath", and unexpected values
# under HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths. An exclusion pointing at a
# single executable in a user-writable directory is a strong signal on its own.
[0179.880] ShellExecuteExW (in: pExecInfo=0x24f52d0*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="powershell", lpParameters="Add-MpPreference -ExclusionPath \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\KHDScDG.exe\"", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x24f52d0*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="powershell", lpParameters="Add-MpPreference -ExclusionPath \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\KHDScDG.exe\"", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x500)) returned 1
[0182.173] LocalFree (hMem=0x84e520) returned 0x0
[0182.174] LocalFree (hMem=0x841890) returned 0x0
[0182.177] GetCurrentProcess () returned 0xffffffff
[0182.177] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19e5ac | out: TokenHandle=0x19e5ac*=0x430) returned 1
[0182.177] GetCurrentProcess () returned 0xffffffff
[0182.177] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x19e580 | out: TokenHandle=0x19e580*=0x4dc) returned 1
[0182.178] GetTokenInformation (in: TokenHandle=0x430, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x19e5b4 | out: TokenInformation=0x0, ReturnLength=0x19e5b4) returned 0
[0182.178] LocalAlloc (uFlags=0x0, uBytes=0x24) returned 0x6b32030
[0182.178] GetTokenInformation (in: TokenHandle=0x430, TokenInformationClass=0x1, TokenInformation=0x6b32030, TokenInformationLength=0x24, ReturnLength=0x19e5b4 | out: TokenInformation=0x6b32030, ReturnLength=0x19e5b4) returned 1
[0182.178] LocalFree (hMem=0x6b32030) returned 0x0
[0182.179] LsaOpenPolicy (in: SystemName=0x0, ObjectAttributes=0x19e4d4, DesiredAccess=0x800, PolicyHandle=0x19e494 | out: PolicyHandle=0x19e494) returned 0x0
[0182.180] LsaLookupSids (in: PolicyHandle=0x6b306b8, Count=0x1, Sids=0x24f55c0*=0x24f5564*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x65)), ReferencedDomains=0x19e4b0, Names=0x19e4a4 | out: ReferencedDomains=0x19e4b0, Names=0x19e4a4) returned 0x0
[0182.182] LsaClose (ObjectHandle=0x6b306b8) returned 0x0
[0182.182] LsaFreeMemory (Buffer=0x6b22d70) returned 0x0
[0182.182] LsaFreeMemory (Buffer=0x6b37a98) returned 0x0
[0182.183] CoTaskMemAlloc (cb=0x20c) returned 0x6b2a530
[0182.183] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x6b2a530 | out: lpBuffer="C:\\Users\\RDHJ0C~1\\AppData\\Local\\Temp\\") returned 0x25
[0182.183] CoTaskMemFree (pv=0x6b2a530)
[0182.184] GetLongPathNameW (in: lpszShortPath="C:\\Users\\RDHJ0C~1\\", lpszLongPath=0x19e0ec, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\RDhJ0CNFevzX\\") returned 0x16
[0182.185] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", nBufferLength=0x105, lpBuffer=0x19e100, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", lpFilePart=0x0) returned 0x29
[0182.185] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", nBufferLength=0x105, lpBuffer=0x19e088, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", lpFilePart=0x0) returned 0x29
# Analyst note: persistence through a scheduled task (MITRE ATT&CK T1053.005).
# A temp file name is reserved (tmpC2CF.tmp), the file is opened for writing
# (dwDesiredAccess=0x40000000, dwCreationDisposition=0x2) and 0x63b bytes are written to it.
# The buffer content is not logged, so the task's trigger and action cannot be read from this
# trace; the schtasks /XML argument below indicates it is a task definition.
[0182.186] CoTaskMemAlloc (cb=0x20c) returned 0x6b2a530
[0182.186] GetTempFileNameW (in: lpPathName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\", lpPrefixString="tmp", uUnique=0x0, lpTempFileName=0x6b2a530 | out: lpTempFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpC2CF.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpc2cf.tmp")) returned 0xc2cf
[0182.187] CoTaskMemFree (pv=0x6b2a530)
[0182.244] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpC2CF.tmp", nBufferLength=0x105, lpBuffer=0x19dfa8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpC2CF.tmp", lpFilePart=0x0) returned 0x34
[0182.245] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x19e49c) returned 1
[0182.245] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpC2CF.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpc2cf.tmp"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x8100000, hTemplateFile=0x0) returned 0x42c
[0182.245] GetFileType (hFile=0x42c) returned 0x1
[0182.245] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x19e498) returned 1
[0182.246] GetFileType (hFile=0x42c) returned 0x1
[0182.247] WriteFile (in: hFile=0x42c, lpBuffer=0x24f959c*, nNumberOfBytesToWrite=0x63b, lpNumberOfBytesWritten=0x19e534, lpOverlapped=0x0 | out: lpBuffer=0x24f959c*, lpNumberOfBytesWritten=0x19e534*=0x63b, lpOverlapped=0x0) returned 1
[0182.248] CloseHandle (hObject=0x42c) returned 1
[0182.252] LocalAlloc (uFlags=0x0, uBytes=0x1a) returned 0x6b2e3a0
[0182.253] LocalAlloc (uFlags=0x0, uBytes=0xb4) returned 0x6b2fa60
# schtasks.exe is started hidden (nShow=0) to register the task "Updates\KHDScDG" from the
# temp XML. The sample then waits on the schtasks process handle and deletes the temp file,
# so the XML is normally gone by the time of triage.
# Detection / response: Security event 4698 (scheduled task created) and TaskScheduler
# operational event 106; process creation of schtasks.exe with /Create /XML pointing into
# %TEMP%. Recover the task definition from the registered task itself
# (%SystemRoot%\System32\Tasks\Updates\KHDScDG) rather than from the deleted temp file.
[0182.253] ShellExecuteExW (in: pExecInfo=0x24fa83c*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="schtasks.exe", lpParameters="/Create /TN \"Updates\\KHDScDG\" /XML \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpC2CF.tmp\"", lpDirectory=0x0, nShow=0, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x24fa83c*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="schtasks.exe", lpParameters="/Create /TN \"Updates\\KHDScDG\" /XML \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpC2CF.tmp\"", lpDirectory=0x0, nShow=0, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x4f8)) returned 1
[0187.931] LocalFree (hMem=0x6b2e3a0) returned 0x0
[0187.931] LocalFree (hMem=0x6b2fa60) returned 0x0
[0187.935] GetCurrentProcess () returned 0xffffffff
[0187.935] GetCurrentProcess () returned 0xffffffff
[0187.936] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x4f8, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x19e594, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x19e594*=0x428) returned 1
[0187.937] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0xffffffff, cHandles=0x1, pHandles=0x19e58c*=0x428, lpdwindex=0x19e3ac | out: lpdwindex=0x19e3ac) returned 0x0
[0205.882] CloseHandle (hObject=0x428) returned 1
[0205.882] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpC2CF.tmp", nBufferLength=0x105, lpBuffer=0x19e114, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpC2CF.tmp", lpFilePart=0x0) returned 0x34
[0205.883] DeleteFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpC2CF.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpc2cf.tmp")) returned 1
[0206.461] GetFullPathNameW (in: lpFileName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe", nBufferLength=0x105, lpBuffer=0x19e058, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe", lpFilePart=0x0) returned 0x62
[0206.563] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", nBufferLength=0x105, lpBuffer=0x19db10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", lpFilePart=0x0) returned 0x2e
[0206.667] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe", cchWideChar=98, lpMultiByteStr=0x19e2ec, cbMultiByte=100, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exeb", lpUsedDefaultChar=0x0) returned 98
[0206.667] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="", cchWideChar=0, lpMultiByteStr=0x19e2e8, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="|Ýb", lpUsedDefaultChar=0x0) returned 0
# Analyst note: the sample starts a second instance of its own image with
# dwCreationFlags=0x8000004 (CREATE_SUSPENDED | CREATE_NO_WINDOW). The child is PID 0xc38,
# main thread 0x448, and this process holds hProcess=0x3cc / hThread=0x430 for it.
# A suspended self-spawn followed by cross-process memory calls on the returned handles is the
# opening of the process-hollowing pattern (MITRE ATT&CK T1055.012); PID 0xc38 is the process
# to follow for the payload's behaviour from this point on.
[0206.667] CreateProcessA (in: lpApplicationName="C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe", lpCommandLine="", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000004, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x19e3ac*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x19e660 | out: lpCommandLine="", lpProcessInformation=0x19e660*(hProcess=0x3cc, hThread=0x430, dwProcessId=0xc38, dwThreadId=0x448)) returned 1
[0206.697] CoTaskMemFree (pv=0x0)
[0206.701] GetThreadContext (in: hThread=0x430, lpContext=0x233f04c | out: lpContext=0x233f04c*(ContextFlags=0x10002, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x2db000, Edx=0x0, Ecx=0x0, Eax=0x484132, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, 
[62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, 
[247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, 
[428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1
# Analyst note: image replacement inside the suspended child (hProcess=0x3cc).
# - 0x2db008 is Ebx (0x2db000) from the GetThreadContext record above plus 8. For a freshly
#   created 32-bit process Ebx is expected to hold the PEB address and PEB+8 the image base,
#   so the 4-byte read and the later 4-byte write at this address are consistent with reading
#   and then patching the child's recorded image base.
# - The original mapping at 0x400000 is unmapped, 0x2f000 bytes are re-allocated at the same
#   address with flProtect=0x40 (PAGE_EXECUTE_READWRITE), and two buffers are copied in:
#   0x200 bytes at 0x400000 and 0x2d400 bytes at 0x401000.
# - The SetThreadContext record that follows differs from the captured context only in Eax
#   (0x484132 -> 0x41f1a0), after which the thread is resumed.
# The written buffers are not contained in this log; the replacement image has to be taken
# from a memory dump of PID 0xc38.
# Detection: a parent calling NtUnmapViewOfSection on the main image of a child it just
# created suspended, an RWX allocation at the image base, and an in-memory image that no
# longer matches the file on disk for that PID.
[0206.705] ReadProcessMemory (in: hProcess=0x3cc, lpBaseAddress=0x2db008, lpBuffer=0x19e650, nSize=0x4, lpNumberOfBytesRead=0x19e694 | out: lpBuffer=0x19e650*, lpNumberOfBytesRead=0x19e694*=0x4) returned 1
[0206.705] NtUnmapViewOfSection (ProcessHandle=0x3cc, BaseAddress=0x400000) returned 0x0
[0206.711] VirtualAllocEx (hProcess=0x3cc, lpAddress=0x400000, dwSize=0x2f000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000
[0206.712] WriteProcessMemory (in: hProcess=0x3cc, lpBaseAddress=0x400000, lpBuffer=0x347b3a8*, nSize=0x200, lpNumberOfBytesWritten=0x19e694 | out: lpBuffer=0x347b3a8*, lpNumberOfBytesWritten=0x19e694*=0x200) returned 1
[0206.760] WriteProcessMemory (in: hProcess=0x3cc, lpBaseAddress=0x401000, lpBuffer=0x34a99c8*, nSize=0x2d400, lpNumberOfBytesWritten=0x19e694 | out: lpBuffer=0x34a99c8*, lpNumberOfBytesWritten=0x19e694*=0x2d400) returned 1
[0206.778] WriteProcessMemory (in: hProcess=0x3cc, lpBaseAddress=0x2db008, lpBuffer=0x233f324*, nSize=0x4, lpNumberOfBytesWritten=0x19e694 | out: lpBuffer=0x233f324*, lpNumberOfBytesWritten=0x19e694*=0x4) returned 1
[0206.785] SetThreadContext (hThread=0x430, lpContext=0x233f04c*(ContextFlags=0x10002, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x0, SegFs=0x0, SegEs=0x0, SegDs=0x0, Edi=0x0, Esi=0x0, Ebx=0x2db000, Edx=0x0, Ecx=0x0, Eax=0x41f1a0, Ebp=0x0, Eip=0x0, SegCs=0x0, EFlags=0x0, Esp=0x0, SegSs=0x0, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, 
[65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, 
[250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, 
[431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1
[0206.786] ResumeThread (hThread=0x430) returned 0x1
[0206.837] CoGetContextToken (in: pToken=0x19ea10 | out: pToken=0x19ea10) returned 0x0
[0206.837] CObjectContext::QueryInterface () returned 0x0
[0206.837] CObjectContext::GetCurrentThreadType () returned 0x0
[0206.837] Release () returned 0x3
[0206.838] CoWaitForMultipleHandles (in: dwFlags=0x2, dwTimeout=0x13880, cHandles=0x1, pHandles=0x7f84b8*=0x14c, lpdwindex=0x19e8b4 | out: lpdwindex=0x19e8b4) returned 0x0
Thread:
id = 2
os_tid = 0xb74
Thread:
id = 3
os_tid = 0x188
Thread:
id = 4
os_tid = 0xd1c
[0107.837] CoGetContextToken (in: pToken=0x43cfc3c | out: pToken=0x43cfc3c) returned 0x800401f0
[0107.837] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
[0107.837] RoInitialize () returned 0x1
[0107.837] RoUninitialize () returned 0x0
[0138.367] CloseHandle (hObject=0x3d8) returned 1
[0138.367] CloseHandle (hObject=0x3f0) returned 1
[0138.367] CloseHandle (hObject=0x3d4) returned 1
[0138.367] CloseHandle (hObject=0x420) returned 1
[0138.367] CloseHandle (hObject=0x3d0) returned 1
[0138.368] CloseHandle (hObject=0x408) returned 1
[0138.368] CloseHandle (hObject=0x3cc) returned 1
[0138.368] CloseHandle (hObject=0x410) returned 1
[0138.368] CloseHandle (hObject=0x214) returned 1
[0138.369] CloseHandle (hObject=0x404) returned 1
[0138.369] CloseHandle (hObject=0x3ec) returned 1
[0138.369] CloseHandle (hObject=0x418) returned 1
[0138.369] CloseHandle (hObject=0x3e8) returned 1
[0138.369] CloseHandle (hObject=0x3fc) returned 1
[0138.370] CloseHandle (hObject=0x3e4) returned 1
[0138.370] CloseHandle (hObject=0x40c) returned 1
[0138.370] CloseHandle (hObject=0x3f8) returned 1
[0138.370] CloseHandle (hObject=0x41c) returned 1
[0138.370] CloseHandle (hObject=0x3e0) returned 1
[0138.371] CloseHandle (hObject=0x3f4) returned 1
[0138.371] CloseHandle (hObject=0x3dc) returned 1
[0138.371] CloseHandle (hObject=0x414) returned 1
# Analyst note (reading caveat): this log is grouped per thread, not globally by time; these
# thread-4 entries (0206.17x) happened BEFORE the CreateProcessA at 0206.667 listed earlier
# under the first thread.
# Handle values are reused: 0x500 and 0x4f8 are the process handles returned by the two
# ShellExecuteExW calls (powershell, schtasks), and 0x4dc / 0x3cc / 0x430 are token handles
# from the earlier OpenProcessToken calls. After being closed here, 0x3cc and 0x430 are handed
# out again by CreateProcessA as the child's process and thread handles. When correlating
# calls, match handles by value AND timestamp, otherwise token operations and the later
# cross-process memory writes on 0x3cc appear to target the same object.
# Thread 4 is presumably the runtime's finalizer/cleanup thread - not confirmed by this log.
[0206.170] GdipDisposeImage (image=0x5b4f570) returned 0x0
[0206.175] CloseHandle (hObject=0x500) returned 1
[0206.176] CloseHandle (hObject=0x4f8) returned 1
[0206.177] CloseHandle (hObject=0x4dc) returned 1
[0206.178] CloseHandle (hObject=0x3cc) returned 1
[0206.179] CloseHandle (hObject=0x430) returned 1
[0206.957] SetWindowLongW (hWnd=0x110338, nIndex=-4, dwNewLong=1954809824) returned 77792742
[0206.958] SetClassLongW (hWnd=0x110338, nIndex=-24, dwNewLong=1954809824) returned 0x4a305be
[0206.959] PostMessageW (hWnd=0x110338, Msg=0x10, wParam=0x0, lParam=0x0) returned 1
[0206.960] GetModuleHandleW (lpModuleName=0x0) returned 0x400000
[0206.961] UnregisterClassW (lpClassName="WindowsForms10.Window.8.app.0.141b42a_r10_ad1", hInstance=0x400000) returned 0
[0206.967] IsWindow (hWnd=0x20370) returned 1
[0206.970] GetModuleHandleW (lpModuleName="user32.dll") returned 0x750d0000
[0206.971] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x400, lpWideCharStr="DefWindowProcW", cchWideChar=14, lpMultiByteStr=0x43cf9dc, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DefWindowProcWgjé\x06P\x8b «\x05lXü<\x04øy\x81", lpUsedDefaultChar=0x0) returned 14
[0206.971] GetProcAddress (hModule=0x750d0000, lpProcName="DefWindowProcW") returned 0x748407e0
[0206.972] SetWindowLongW (hWnd=0x20370, nIndex=-4, dwNewLong=1954809824) returned 77792822
[0206.972] SetClassLongW (hWnd=0x20370, nIndex=-24, dwNewLong=1954809824) returned 0x4a30636
[0206.972] IsWindow (hWnd=0x20370) returned 1
[0206.973] DestroyWindow (hWnd=0x20370) returned 0
[0206.973] PostMessageW (hWnd=0x20370, Msg=0x10, wParam=0x0, lParam=0x0) returned 1
[0206.974] SetConsoleCtrlHandler (HandlerRoutine=0x4a3060e, Add=0) returned 1
[0206.974] EtwEventUnregister (RegHandle=0x853488) returned 0x0
[0206.984] GdipDeleteFont (font=0x5b4f4d0) returned 0x0
[0206.985] GdipDeleteFont (font=0x5b4f4a8) returned 0x0
[0206.985] GdipDeleteFont (font=0x5b4f480) returned 0x0
[0206.986] GdipDeleteFont (font=0x5b4f458) returned 0x0
[0206.986] GdipDeleteFont (font=0x5b4f430) returned 0x0
[0206.986] GdipDeleteFont (font=0x5b4f408) returned 0x0
[0206.987] GdipDeleteFont (font=0x5b4f3e0) returned 0x0
[0206.987] GdipDeleteFont (font=0x5b4f3b8) returned 0x0
[0206.987] GdipDeleteFont (font=0x5b4b080) returned 0x0
[0206.987] GdipDeleteFont (font=0x49c1f08) returned 0x0
[0206.998] CloseThemeData () returned 0x0
[0207.003] GdipDeleteFont (font=0x5b4f548) returned 0x0
[0207.003] GdipDeleteFont (font=0x49cefc0) returned 0x0
[0207.004] GdipDeleteFont (font=0x5b4f520) returned 0x0
[0207.004] GdipDeleteFont (font=0x5b4f4f8) returned 0x0
[0207.008] CloseHandle (hObject=0x264) returned 1
[0207.019] RegCloseKey (hKey=0x80000004) returned 0x0
Thread:
id = 5
os_tid = 0x910
Thread:
id = 6
os_tid = 0x78c
Thread:
id = 7
os_tid = 0x748
Thread:
id = 8
os_tid = 0xfc8
Thread:
id = 9
os_tid = 0xedc
Thread:
id = 10
os_tid = 0x13d0
Thread:
id = 11
os_tid = 0xa68
Thread:
id = 106
os_tid = 0x1240
Process:
id = "2"
image_name = "powershell.exe"
filename = "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe"
page_root = "0x6d6f9000"
os_pid = "0xe70"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "child_process"
parent_id = "1"
os_parent_pid = "0xfd4"
cmd_line = "\"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe\" Add-MpPreference -ExclusionPath \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\KHDScDG.exe\""
cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 502
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 503
start_va = 0x30000
end_va = 0x31fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 504
start_va = 0x40000
end_va = 0x54fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 505
start_va = 0x60000
end_va = 0x9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 506
start_va = 0xa0000
end_va = 0xdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000a0000"
filename = ""
Region:
id = 507
start_va = 0xe0000
end_va = 0xe3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 508
start_va = 0xf0000
end_va = 0xf0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000f0000"
filename = ""
Region:
id = 509
start_va = 0x100000
end_va = 0x101fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000100000"
filename = ""
Region:
id = 510
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 511
start_va = 0xc40000
end_va = 0xcb0fff
monitored = 0
entry_point = 0xc49c00
region_type = mapped_file
name = "powershell.exe"
filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\powershell.exe")
Region:
id = 512
start_va = 0xcc0000
end_va = 0x4cbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000cc0000"
filename = ""
Region:
id = 513
start_va = 0x77b90000
end_va = 0x77d0afff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")
Region:
id = 514
start_va = 0x7ffb0000
end_va = 0x7ffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007ffb0000"
filename = ""
Region:
id = 515
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 516
start_va = 0x7fff0000
end_va = 0x7dfd504cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007fff0000"
filename = ""
Region:
id = 517
start_va = 0x7dfd504d0000
end_va = 0x7ffd504cffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007dfd504d0000"
filename = ""
Region:
id = 518
start_va = 0x7ffd504d0000
end_va = 0x7ffd50690fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 519
start_va = 0x7ffd50691000
end_va = 0x7ffffffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00007ffd50691000"
filename = ""
Region:
id = 520
start_va = 0x5a0000
end_va = 0x5affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005a0000"
filename = ""
Region:
id = 521
start_va = 0x6edd0000
end_va = 0x6ee1ffff
monitored = 0
entry_point = 0x6ede8180
region_type = mapped_file
name = "wow64.dll"
filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")
Region:
id = 522
start_va = 0x6ee20000
end_va = 0x6ee99fff
monitored = 0
entry_point = 0x6ee33290
region_type = mapped_file
name = "wow64win.dll"
filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")
Region:
id = 523
start_va = 0x74f30000
end_va = 0x7500ffff
monitored = 0
entry_point = 0x74f43980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 524
start_va = 0x6eea0000
end_va = 0x6eea7fff
monitored = 0
entry_point = 0x6eea17c0
region_type = mapped_file
name = "wow64cpu.dll"
filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")
Region:
id = 543
start_va = 0x400000
end_va = 0x54ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 544
start_va = 0x74f30000
end_va = 0x7500ffff
monitored = 0
entry_point = 0x74f43980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 545
start_va = 0x76ad0000
end_va = 0x76c4dfff
monitored = 0
entry_point = 0x76b81b90
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")
Region:
id = 546
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 547
start_va = 0x7feb0000
end_va = 0x7ffaffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007feb0000"
filename = ""
Region:
id = 724
start_va = 0x110000
end_va = 0x1cdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 725
start_va = 0x20000
end_va = 0x23fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 726
start_va = 0x77b10000
end_va = 0x77b8afff
monitored = 0
entry_point = 0x77b2e970
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll")
Region:
id = 727
start_va = 0x74a10000
end_va = 0x74acdfff
monitored = 0
entry_point = 0x74a45630
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")
Region:
id = 728
start_va = 0x400000
end_va = 0x43ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 729
start_va = 0x450000
end_va = 0x54ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000450000"
filename = ""
Region:
id = 730
start_va = 0x550000
end_va = 0x58ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000550000"
filename = ""
Region:
id = 731
start_va = 0x76c50000
end_va = 0x76c93fff
monitored = 0
entry_point = 0x76c69d80
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")
Region:
id = 732
start_va = 0x74e80000
end_va = 0x74f2cfff
monitored = 0
entry_point = 0x74e94f00
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")
Region:
id = 733
start_va = 0x748c0000
end_va = 0x748ddfff
monitored = 0
entry_point = 0x748cb640
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")
Region:
id = 734
start_va = 0x748b0000
end_va = 0x748b9fff
monitored = 0
entry_point = 0x748b2a00
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")
Region:
id = 735
start_va = 0x77680000
end_va = 0x776d7fff
monitored = 0
entry_point = 0x776c25c0
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")
Region:
id = 736
start_va = 0x74ad0000
end_va = 0x74bbafff
monitored = 0
entry_point = 0x74b0d650
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")
Region:
id = 737
start_va = 0x752b0000
end_va = 0x7546cfff
monitored = 0
entry_point = 0x75392a10
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")
Region:
id = 740
start_va = 0x6c710000
end_va = 0x6c727fff
monitored = 0
entry_point = 0x6c714820
region_type = mapped_file
name = "atl.dll"
filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll")
Region:
id = 741
start_va = 0x77440000
end_va = 0x7758efff
monitored = 0
entry_point = 0x774f6820
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll")
Region:
id = 742
start_va = 0x750d0000
end_va = 0x75216fff
monitored = 0
entry_point = 0x750e1cf0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll")
Region:
id = 743
start_va = 0x74d80000
end_va = 0x74e11fff
monitored = 0
entry_point = 0x74db8cf0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 744
start_va = 0x6cdf0000
end_va = 0x6ce48fff
monitored = 1
entry_point = 0x6ce00780
region_type = mapped_file
name = "mscoree.dll"
filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll")
Region:
id = 745
start_va = 0x5b0000
end_va = 0x75ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005b0000"
filename = ""
Region:
id = 746
start_va = 0x1d0000
end_va = 0x1f9fff
monitored = 0
entry_point = 0x1d5680
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 747
start_va = 0x5b0000
end_va = 0x737fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000005b0000"
filename = ""
Region:
id = 748
start_va = 0x750000
end_va = 0x75ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000750000"
filename = ""
Region:
id = 749
start_va = 0x75660000
end_va = 0x7568afff
monitored = 0
entry_point = 0x75665680
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll")
Region:
id = 750
start_va = 0x30000
end_va = 0x31fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 751
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001d0000"
filename = ""
Region:
id = 752
start_va = 0x1e0000
end_va = 0x1e2fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "powershell.exe.mui"
filename = "\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\en-US\\powershell.exe.mui" (normalized: "c:\\windows\\syswow64\\windowspowershell\\v1.0\\en-us\\powershell.exe.mui")
Region:
id = 753
start_va = 0x760000
end_va = 0x8e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000760000"
filename = ""
Region:
id = 754
start_va = 0x4cc0000
end_va = 0x60bffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004cc0000"
filename = ""
Region:
id = 759
start_va = 0x1f0000
end_va = 0x1f0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001f0000"
filename = ""
Region:
id = 760
start_va = 0x440000
end_va = 0x440fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000440000"
filename = ""
Region:
id = 761
start_va = 0x8f0000
end_va = 0xa9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000008f0000"
filename = ""
Region:
id = 765
start_va = 0x6ccc0000
end_va = 0x6cd38fff
monitored = 1
entry_point = 0x6cccf82a
region_type = mapped_file
name = "mscoreei.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll")
Region:
id = 768
start_va = 0x77590000
end_va = 0x775d4fff
monitored = 0
entry_point = 0x775ade90
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll")
Region:
id = 769
start_va = 0x77320000
end_va = 0x7732bfff
monitored = 0
entry_point = 0x77323930
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")
Region:
id = 770
start_va = 0x6eeb0000
end_va = 0x6eeb7fff
monitored = 0
entry_point = 0x6eeb17b0
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll")
Region:
id = 771
start_va = 0x6c050000
end_va = 0x6c700fff
monitored = 1
entry_point = 0x6c065d20
region_type = mapped_file
name = "clr.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll")
Region:
id = 772
start_va = 0x6cbc0000
end_va = 0x6ccb4fff
monitored = 0
entry_point = 0x6cc14160
region_type = mapped_file
name = "msvcr120_clr0400.dll"
filename = "\\Windows\\SysWOW64\\msvcr120_clr0400.dll" (normalized: "c:\\windows\\syswow64\\msvcr120_clr0400.dll")
Region:
id = 1134
start_va = 0x590000
end_va = 0x590fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000590000"
filename = ""
Region:
id = 1135
start_va = 0x740000
end_va = 0x74ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000740000"
filename = ""
Region:
id = 1136
start_va = 0x8f0000
end_va = 0x8fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000008f0000"
filename = ""
Region:
id = 1137
start_va = 0xa90000
end_va = 0xa9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a90000"
filename = ""
Region:
id = 1138
start_va = 0x900000
end_va = 0x90ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000900000"
filename = ""
Region:
id = 1139
start_va = 0x910000
end_va = 0x91ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000910000"
filename = ""
Region:
id = 1140
start_va = 0x920000
end_va = 0x92ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000920000"
filename = ""
Region:
id = 1141
start_va = 0x930000
end_va = 0x93ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000930000"
filename = ""
Region:
id = 1142
start_va = 0x940000
end_va = 0x940fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000940000"
filename = ""
Region:
id = 1143
start_va = 0x950000
end_va = 0x950fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000950000"
filename = ""
Region:
id = 1144
start_va = 0x60c0000
end_va = 0x627ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000060c0000"
filename = ""
Region:
id = 1145
start_va = 0x960000
end_va = 0xa3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000960000"
filename = ""
Region:
id = 1146
start_va = 0x960000
end_va = 0x99ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000960000"
filename = ""
Region:
id = 1147
start_va = 0x9a0000
end_va = 0x9dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000009a0000"
filename = ""
Region:
id = 1148
start_va = 0xa30000
end_va = 0xa3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a30000"
filename = ""
Region:
id = 1149
start_va = 0x9e0000
end_va = 0x9effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000009e0000"
filename = ""
Region:
id = 1150
start_va = 0x6280000
end_va = 0x827ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006280000"
filename = ""
Region:
id = 1151
start_va = 0x9e0000
end_va = 0x9fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000009e0000"
filename = ""
Region:
id = 1152
start_va = 0xa40000
end_va = 0xa7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a40000"
filename = ""
Region:
id = 1153
start_va = 0xaa0000
end_va = 0xadffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000aa0000"
filename = ""
Region:
id = 1154
start_va = 0x8280000
end_va = 0x85b6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1155
start_va = 0x6ae20000
end_va = 0x6c047fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "mscorlib.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\8062d427acd64e37f4fded7b00f4a869\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\mscorlib\\8062d427acd64e37f4fded7b00f4a869\\mscorlib.ni.dll")
Region:
id = 1156
start_va = 0x85c0000
end_va = 0x877ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000085c0000"
filename = ""
Region:
id = 1157
start_va = 0xa00000
end_va = 0xa0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a00000"
filename = ""
Region:
id = 1195
start_va = 0x6a470000
end_va = 0x6ae1bfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\cc4e5d110dd318e8b7d61a9ed184ab74\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system\\cc4e5d110dd318e8b7d61a9ed184ab74\\system.ni.dll")
Region:
id = 1196
start_va = 0x69d50000
end_va = 0x6a461fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.core.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\abad45b9cc652ba7e38c4c837234c0ab\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.core\\abad45b9cc652ba7e38c4c837234c0ab\\system.core.ni.dll")
Region:
id = 1197
start_va = 0x6cb30000
end_va = 0x6cbbafff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "microsoft.powershell.consolehost.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.Pb378ec07#\\24c2ce3e0888a5f9c613c20443ec3711\\Microsoft.PowerShell.ConsoleHost.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.pb378ec07#\\24c2ce3e0888a5f9c613c20443ec3711\\microsoft.powershell.consolehost.ni.dll")
Region:
id = 1198
start_va = 0x70770000
end_va = 0x70782fff
monitored = 0
entry_point = 0x70779950
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll")
Region:
id = 1199
start_va = 0x70740000
end_va = 0x7076efff
monitored = 0
entry_point = 0x707595e0
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll")
Region:
id = 1200
start_va = 0x74560000
end_va = 0x7457afff
monitored = 0
entry_point = 0x74569050
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll")
Region:
id = 1204
start_va = 0x684a0000
end_va = 0x69d4dfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.management.automation.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Manaa57fc8cc#\\1ccb63704392d146fb118a3c7c02e118\\System.Management.Automation.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.manaa57fc8cc#\\1ccb63704392d146fb118a3c7c02e118\\system.management.automation.ni.dll")
Region:
id = 1205
start_va = 0xae0000
end_va = 0xb41fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "mscorrc.dll"
filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscorrc.dll")
Region:
id = 1206
start_va = 0xa10000
end_va = 0xa14fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "winnlsres.dll"
filename = "\\Windows\\SysWOW64\\winnlsres.dll" (normalized: "c:\\windows\\syswow64\\winnlsres.dll")
Region:
id = 1207
start_va = 0xa20000
end_va = 0xa2ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "winnlsres.dll.mui"
filename = "\\Windows\\SysWOW64\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\winnlsres.dll.mui")
Region:
id = 1208
start_va = 0x776e0000
end_va = 0x776e5fff
monitored = 0
entry_point = 0x776e1460
region_type = mapped_file
name = "psapi.dll"
filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll")
Region:
id = 1209
start_va = 0x60c0000
end_va = 0x61bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000060c0000"
filename = ""
Region:
id = 1210
start_va = 0x6270000
end_va = 0x627ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006270000"
filename = ""
Region:
id = 1211
start_va = 0x6cda0000
end_va = 0x6cde3fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.numerics.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Numerics\\4d1e79f86c195a48bfb3d1e5ca404930\\System.Numerics.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.numerics\\4d1e79f86c195a48bfb3d1e5ca404930\\system.numerics.ni.dll")
Region:
id = 1212
start_va = 0xa80000
end_va = 0xa8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a80000"
filename = ""
Region:
id = 1213
start_va = 0x6cab0000
end_va = 0x6cb29fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "microsoft.management.infrastructure.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.Mf49f6405#\\c5cf09a01c434d73a149336798330955\\Microsoft.Management.Infrastructure.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.mf49f6405#\\c5cf09a01c434d73a149336798330955\\microsoft.management.infrastructure.ni.dll")
Region:
id = 1214
start_va = 0x67d80000
end_va = 0x68495fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.xml.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Xml\\1f87b5140145c221b5201351fffc52d8\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.xml\\1f87b5140145c221b5201351fffc52d8\\system.xml.ni.dll")
Region:
id = 1215
start_va = 0xb50000
end_va = 0xb5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000b50000"
filename = ""
Region:
id = 1216
start_va = 0x6c990000
end_va = 0x6caabfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.directoryservices.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Dired13b18a9#\\495b4726107659a7a7f716d2b34703ce\\System.DirectoryServices.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.dired13b18a9#\\495b4726107659a7a7f716d2b34703ce\\system.directoryservices.ni.dll")
Region:
id = 1217
start_va = 0x6c870000
end_va = 0x6c98bfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.management.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Management\\d2f554a0c84513cd793fdcd77a86dab1\\System.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.management\\d2f554a0c84513cd793fdcd77a86dab1\\system.management.ni.dll")
Region:
id = 1218
start_va = 0xb60000
end_va = 0xb6ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000b60000"
filename = ""
Region:
id = 1219
start_va = 0xb70000
end_va = 0xb7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000b70000"
filename = ""
Region:
id = 1220
start_va = 0xb80000
end_va = 0xb8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000b80000"
filename = ""
Region:
id = 1221
start_va = 0xb90000
end_va = 0xb9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000b90000"
filename = ""
Region:
id = 1222
start_va = 0xba0000
end_va = 0xbaffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000ba0000"
filename = ""
Region:
id = 1223
start_va = 0xbb0000
end_va = 0xbbffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000bb0000"
filename = ""
Region:
id = 1224
start_va = 0xbc0000
end_va = 0xbcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000bc0000"
filename = ""
Region:
id = 1225
start_va = 0xbd0000
end_va = 0xbdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000bd0000"
filename = ""
Region:
id = 1226
start_va = 0xbe0000
end_va = 0xbeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000be0000"
filename = ""
Region:
id = 1227
start_va = 0xbf0000
end_va = 0xbfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000bf0000"
filename = ""
Region:
id = 1228
start_va = 0x6cd70000
end_va = 0x6cd95fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.configuration.install.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Confe64a9051#\\1ba9fabb6a4cb3c022579f789ba3280b\\System.Configuration.Install.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.confe64a9051#\\1ba9fabb6a4cb3c022579f789ba3280b\\system.configuration.install.ni.dll")
Region:
id = 1229
start_va = 0x6c7c0000
end_va = 0x6c86dfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.transactions.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Transactions\\8a03e2886313defa91cef9f385480f4e\\System.Transactions.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.transactions\\8a03e2886313defa91cef9f385480f4e\\system.transactions.ni.dll")
Region:
id = 1230
start_va = 0x6c770000
end_va = 0x6c7bafff
monitored = 1
entry_point = 0x6c78f53e
region_type = mapped_file
name = "system.transactions.dll"
filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll")
Region:
id = 1231
start_va = 0x61c0000
end_va = 0x620afff
monitored = 1
entry_point = 0x61df53e
region_type = mapped_file
name = "system.transactions.dll"
filename = "\\Windows\\Microsoft.NET\\assembly\\GAC_32\\System.Transactions\\v4.0_4.0.0.0__b77a5c561934e089\\System.Transactions.dll" (normalized: "c:\\windows\\microsoft.net\\assembly\\gac_32\\system.transactions\\v4.0_4.0.0.0__b77a5c561934e089\\system.transactions.dll")
Region:
id = 1232
start_va = 0x6c760000
end_va = 0x6c764fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "system.diagnostics.tracing.ni.dll"
filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Diagd2d95910#\\00f2884f94840274aeab684b7683f0fb\\System.Diagnostics.Tracing.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.diagd2d95910#\\00f2884f94840274aeab684b7683f0fb\\system.diagnostics.tracing.ni.dll")
Region:
id = 1233
start_va = 0x75690000
end_va = 0x76a8efff
monitored = 0
entry_point = 0x7584b990
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll")
Region:
id = 1234
start_va = 0x76a90000
end_va = 0x76ac6fff
monitored = 0
entry_point = 0x76a93b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll")
Region:
id = 1235
start_va = 0x76e20000
end_va = 0x77318fff
monitored = 0
entry_point = 0x77027610
region_type = mapped_file
name = "windows.storage.dll"
filename = "\\Windows\\SysWOW64\\windows.storage.dll" (normalized: "c:\\windows\\syswow64\\windows.storage.dll")
Region:
id = 1236
start_va = 0x775e0000
end_va = 0x7766cfff
monitored = 0
entry_point = 0x77629b90
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\SysWOW64\\SHCore.dll" (normalized: "c:\\windows\\syswow64\\shcore.dll")
Region:
id = 1237
start_va = 0x74e20000
end_va = 0x74e63fff
monitored = 0
entry_point = 0x74e27410
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\SysWOW64\\powrprof.dll" (normalized: "c:\\windows\\syswow64\\powrprof.dll")
Region:
id = 1238
start_va = 0x77670000
end_va = 0x7767efff
monitored = 0
entry_point = 0x77672e40
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll")
Region:
id = 1239
start_va = 0xc00000
end_va = 0xc00fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000c00000"
filename = ""
Region:
id = 1240
start_va = 0xc10000
end_va = 0xc10fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll")
Region:
id = 1241
start_va = 0xc10000
end_va = 0xc18fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui")
Region:
id = 1242
start_va = 0xc10000
end_va = 0xc10fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll")
Region:
id = 1243
start_va = 0xc10000
end_va = 0xc18fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui")
Region:
id = 1244
start_va = 0xc10000
end_va = 0xc10fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll"
filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll")
Region:
id = 1245
start_va = 0xc10000
end_va = 0xc18fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "tzres.dll.mui"
filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui")
Thread:
id = 12
os_tid = 0x1214
Thread:
id = 23
os_tid = 0xcd8
Thread:
id = 103
os_tid = 0xddc
Thread:
id = 104
os_tid = 0x12b8
Process:
id = "3"
image_name = "schtasks.exe"
filename = "c:\\windows\\syswow64\\schtasks.exe"
page_root = "0x6d60f000"
os_pid = "0xefc"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "child_process"
parent_id = "1"
os_parent_pid = "0xfd4"
cmd_line = "\"C:\\Windows\\System32\\schtasks.exe\" /Create /TN \"Updates\\KHDScDG\" /XML \"C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpC2CF.tmp\""
cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 525
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 526
start_va = 0x30000
end_va = 0x31fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 527
start_va = 0x40000
end_va = 0x54fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 528
start_va = 0x60000
end_va = 0x9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 529
start_va = 0xa0000
end_va = 0xdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000a0000"
filename = ""
Region:
id = 530
start_va = 0xe0000
end_va = 0xe3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 531
start_va = 0xf0000
end_va = 0xf0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000f0000"
filename = ""
Region:
id = 532
start_va = 0x100000
end_va = 0x101fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000100000"
filename = ""
Region:
id = 533
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 534
start_va = 0xc70000
end_va = 0xca1fff
monitored = 1
entry_point = 0xc905b0
region_type = mapped_file
name = "schtasks.exe"
filename = "\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe")
Region:
id = 535
start_va = 0xcb0000
end_va = 0x4caffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000cb0000"
filename = ""
Region:
id = 536
start_va = 0x77b90000
end_va = 0x77d0afff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")
Region:
id = 537
start_va = 0x7ffb0000
end_va = 0x7ffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007ffb0000"
filename = ""
Region:
id = 538
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 539
start_va = 0x7fff0000
end_va = 0x7dfd504cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007fff0000"
filename = ""
Region:
id = 540
start_va = 0x7dfd504d0000
end_va = 0x7ffd504cffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007dfd504d0000"
filename = ""
Region:
id = 541
start_va = 0x7ffd504d0000
end_va = 0x7ffd50690fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 542
start_va = 0x7ffd50691000
end_va = 0x7ffffffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00007ffd50691000"
filename = ""
Region:
id = 581
start_va = 0x530000
end_va = 0x53ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000530000"
filename = ""
Region:
id = 582
start_va = 0x6edd0000
end_va = 0x6ee1ffff
monitored = 0
entry_point = 0x6ede8180
region_type = mapped_file
name = "wow64.dll"
filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")
Region:
id = 583
start_va = 0x6ee20000
end_va = 0x6ee99fff
monitored = 0
entry_point = 0x6ee33290
region_type = mapped_file
name = "wow64win.dll"
filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")
Region:
id = 584
start_va = 0x74f30000
end_va = 0x7500ffff
monitored = 0
entry_point = 0x74f43980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 585
start_va = 0x6eea0000
end_va = 0x6eea7fff
monitored = 0
entry_point = 0x6eea17c0
region_type = mapped_file
name = "wow64cpu.dll"
filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")
Region:
id = 586
start_va = 0x540000
end_va = 0x6affff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000540000"
filename = ""
Region:
id = 587
start_va = 0x74f30000
end_va = 0x7500ffff
monitored = 0
entry_point = 0x74f43980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 588
start_va = 0x76ad0000
end_va = 0x76c4dfff
monitored = 0
entry_point = 0x76b81b90
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")
Region:
id = 589
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 590
start_va = 0x7feb0000
end_va = 0x7ffaffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007feb0000"
filename = ""
Region:
id = 712
start_va = 0x110000
end_va = 0x1cdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 713
start_va = 0x20000
end_va = 0x23fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 714
start_va = 0x74a10000
end_va = 0x74acdfff
monitored = 0
entry_point = 0x74a45630
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll")
Region:
id = 715
start_va = 0x400000
end_va = 0x43ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 716
start_va = 0x440000
end_va = 0x47ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000440000"
filename = ""
Region:
id = 717
start_va = 0x74d80000
end_va = 0x74e11fff
monitored = 0
entry_point = 0x74db8cf0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll")
Region:
id = 718
start_va = 0x752b0000
end_va = 0x7546cfff
monitored = 0
entry_point = 0x75392a10
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\SysWOW64\\combase.dll" (normalized: "c:\\windows\\syswow64\\combase.dll")
Region:
id = 719
start_va = 0x74e80000
end_va = 0x74f2cfff
monitored = 0
entry_point = 0x74e94f00
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll")
Region:
id = 720
start_va = 0x748c0000
end_va = 0x748ddfff
monitored = 0
entry_point = 0x748cb640
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll")
Region:
id = 721
start_va = 0x748b0000
end_va = 0x748b9fff
monitored = 0
entry_point = 0x748b2a00
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll")
Region:
id = 722
start_va = 0x77680000
end_va = 0x776d7fff
monitored = 0
entry_point = 0x776c25c0
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll")
Region:
id = 723
start_va = 0x76c50000
end_va = 0x76c93fff
monitored = 0
entry_point = 0x76c69d80
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll")
Region:
id = 738
start_va = 0x6b0000
end_va = 0x79ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000006b0000"
filename = ""
Region:
id = 739
start_va = 0x7a0000
end_va = 0x889fff
monitored = 0
entry_point = 0x7dd650
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll")
Region:
id = 755
start_va = 0x30000
end_va = 0x31fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 756
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001d0000"
filename = ""
Region:
id = 757
start_va = 0x7a0000
end_va = 0xb9afff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000007a0000"
filename = ""
Region:
id = 758
start_va = 0x4cb0000
end_va = 0x4fe6fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 762
start_va = 0x77320000
end_va = 0x7732bfff
monitored = 0
entry_point = 0x77323930
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\SysWOW64\\kernel.appcore.dll" (normalized: "c:\\windows\\syswow64\\kernel.appcore.dll")
Region:
id = 763
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001e0000"
filename = ""
Region:
id = 764
start_va = 0x75220000
end_va = 0x752a3fff
monitored = 0
entry_point = 0x75246220
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll")
Region:
id = 766
start_va = 0x1f0000
end_va = 0x1f0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001f0000"
filename = ""
Region:
id = 767
start_va = 0x686f0000
end_va = 0x6877bfff
monitored = 0
entry_point = 0x6872a6c0
region_type = mapped_file
name = "taskschd.dll"
filename = "\\Windows\\SysWOW64\\taskschd.dll" (normalized: "c:\\windows\\syswow64\\taskschd.dll")
Thread:
id = 13
os_tid = 0xee8
[0202.216] GetModuleHandleA (lpModuleName=0x0) returned 0xc70000
[0202.216] __set_app_type (_Type=0x1)
[0202.216] __p__fmode () returned 0x74ac4d6c
[0202.216] __p__commode () returned 0x74ac5b1c
[0202.217] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xc90840) returned 0x0
[0202.217] __wgetmainargs (in: _Argc=0xc9ade0, _Argv=0xc9ade4, _Env=0xc9ade8, _DoWildCard=0, _StartInfo=0xc9adf4 | out: _Argc=0xc9ade0, _Argv=0xc9ade4, _Env=0xc9ade8) returned 0
[0202.218] _onexit (_Func=0xc92bc0) returned 0xc92bc0
[0202.218] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1
[0202.218] WinSqmIsOptedIn () returned 0x0
[0202.218] GetProcessHeap () returned 0x5b0000
[0202.218] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x10) returned 0x5b7730
[0202.218] RtlRestoreLastWin32Error () returned 0x0
[0202.218] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18
[0202.218] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b
[0202.218] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b
[0202.219] RtlVerifyVersionInfo (VersionInfo=0xdf9f8, TypeMask=0x3, ConditionMask=0x1801b) returned 0x0
[0202.219] GetProcessHeap () returned 0x5b0000
[0202.219] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x10) returned 0x5b7700
[0202.219] lstrlenW (lpString="") returned 0
[0202.219] GetProcessHeap () returned 0x5b0000
[0202.219] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x2) returned 0x5b0598
[0202.219] GetProcessHeap () returned 0x5b0000
[0202.219] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b6e38
[0202.219] GetProcessHeap () returned 0x5b0000
[0202.219] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x10) returned 0x5b7718
[0202.219] GetProcessHeap () returned 0x5b0000
[0202.219] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b6c00
[0202.219] GetProcessHeap () returned 0x5b0000
[0202.219] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b6c20
[0202.219] GetProcessHeap () returned 0x5b0000
[0202.219] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b6c40
[0202.219] GetProcessHeap () returned 0x5b0000
[0202.219] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b6830
[0202.219] GetProcessHeap () returned 0x5b0000
[0202.219] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x10) returned 0x5b7568
[0202.219] GetProcessHeap () returned 0x5b0000
[0202.219] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b6850
[0202.219] GetProcessHeap () returned 0x5b0000
[0202.219] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b6870
[0202.219] GetProcessHeap () returned 0x5b0000
[0202.219] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b65c8
[0202.219] GetProcessHeap () returned 0x5b0000
[0202.220] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b65e8
[0202.220] GetProcessHeap () returned 0x5b0000
[0202.220] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x10) returned 0x5b76b8
[0202.220] GetProcessHeap () returned 0x5b0000
[0202.220] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b6608
[0202.220] GetProcessHeap () returned 0x5b0000
[0202.220] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b2778
[0202.220] GetProcessHeap () returned 0x5b0000
[0202.220] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b2798
[0202.220] GetProcessHeap () returned 0x5b0000
[0202.220] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b27b8
[0202.220] SetThreadUILanguage (LangId=0x0) returned 0x409
[0202.682] RtlRestoreLastWin32Error () returned 0x0
[0202.682] GetProcessHeap () returned 0x5b0000
[0202.682] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b94d8
[0202.682] GetProcessHeap () returned 0x5b0000
[0202.683] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b93b8
[0202.683] GetProcessHeap () returned 0x5b0000
[0202.683] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b9438
[0202.683] GetProcessHeap () returned 0x5b0000
[0202.683] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b93f8
[0202.683] GetProcessHeap () returned 0x5b0000
[0202.683] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b95b8
[0202.683] GetProcessHeap () returned 0x5b0000
[0202.683] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x10) returned 0x5b75f8
[0202.683] _memicmp (_Buf1=0x5b75f8, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.683] GetProcessHeap () returned 0x5b0000
[0202.683] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x208) returned 0x5b8cd0
[0202.683] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5b8cd0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe")) returned 0x20
[0202.683] GetFileVersionInfoSizeExW (in: dwFlags=0x1, lpwstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", lpdwHandle=0xdfb04 | out: lpdwHandle=0xdfb04) returned 0x76c
[0202.686] GetProcessHeap () returned 0x5b0000
[0202.686] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x776) returned 0x5b9da8
[0202.686] GetFileVersionInfoExW (in: dwFlags=0x3, lpwstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", dwHandle=0x0, dwLen=0x776, lpData=0x5b9da8 | out: lpData=0x5b9da8) returned 1
[0202.687] VerQueryValueW (in: pBlock=0x5b9da8, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xdfb0c, puLen=0xdfb10 | out: lplpBuffer=0xdfb0c*=0x5ba158, puLen=0xdfb10) returned 1
[0202.690] _memicmp (_Buf1=0x5b75f8, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.690] _vsnwprintf (in: _Buffer=0x5b8cd0, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0xdfaf0 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37
[0202.691] VerQueryValueW (in: pBlock=0x5b9da8, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0xdfb1c, puLen=0xdfb18 | out: lplpBuffer=0xdfb1c*=0x5b9f88, puLen=0xdfb18) returned 1
[0202.691] lstrlenW (lpString="schtasks.exe") returned 12
[0202.691] lstrlenW (lpString="schtasks.exe") returned 12
[0202.691] lstrlenW (lpString=".EXE") returned 4
[0202.691] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe"
[0202.692] lstrlenW (lpString="schtasks.exe") returned 12
[0202.692] lstrlenW (lpString=".EXE") returned 4
[0202.692] _memicmp (_Buf1=0x5b75f8, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.692] lstrlenW (lpString="schtasks") returned 8
[0202.692] GetProcessHeap () returned 0x5b0000
[0202.692] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b94b8
[0202.692] GetProcessHeap () returned 0x5b0000
[0202.692] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b9518
[0202.692] GetProcessHeap () returned 0x5b0000
[0202.692] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b9418
[0202.692] GetProcessHeap () returned 0x5b0000
[0202.692] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b9458
[0202.692] GetProcessHeap () returned 0x5b0000
[0202.692] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x10) returned 0x5b7580
[0202.692] _memicmp (_Buf1=0x5b7580, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.692] GetProcessHeap () returned 0x5b0000
[0202.692] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0xa0) returned 0x5b69d0
[0202.692] GetProcessHeap () returned 0x5b0000
[0202.692] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b9378
[0202.692] GetProcessHeap () returned 0x5b0000
[0202.692] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b9478
[0202.693] GetProcessHeap () returned 0x5b0000
[0202.693] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b95f8
[0202.693] GetProcessHeap () returned 0x5b0000
[0202.693] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x10) returned 0x5b7688
[0202.693] _memicmp (_Buf1=0x5b7688, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.693] GetProcessHeap () returned 0x5b0000
[0202.693] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x200) returned 0x5ba788
[0202.693] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x5ba788, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17
[0202.693] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23
[0202.693] GetProcessHeap () returned 0x5b0000
[0202.693] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x30) returned 0x5b6a78
[0202.693] _vsnwprintf (in: _Buffer=0x5b69d0, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0xdfaf4 | out: _Buffer="Type \"SCHTASKS /?\" for usage.") returned 29
[0202.694] GetProcessHeap () returned 0x5b0000
[0202.694] GetProcessHeap () returned 0x5b0000
[0202.694] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b9da8) returned 1
[0202.694] GetProcessHeap () returned 0x5b0000
[0202.694] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b9da8) returned 0x776
[0202.694] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b9da8) returned 1
[0202.694] RtlRestoreLastWin32Error () returned 0x0
[0202.694] GetThreadLocale () returned 0x409
[0202.695] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.695] lstrlenW (lpString="?") returned 1
[0202.695] GetThreadLocale () returned 0x409
[0202.695] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.695] lstrlenW (lpString="create") returned 6
[0202.695] GetThreadLocale () returned 0x409
[0202.695] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.695] lstrlenW (lpString="delete") returned 6
[0202.695] GetThreadLocale () returned 0x409
[0202.695] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.695] lstrlenW (lpString="query") returned 5
[0202.695] GetThreadLocale () returned 0x409
[0202.695] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.695] lstrlenW (lpString="change") returned 6
[0202.695] GetThreadLocale () returned 0x409
[0202.695] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.695] lstrlenW (lpString="run") returned 3
[0202.695] GetThreadLocale () returned 0x409
[0202.695] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.695] lstrlenW (lpString="end") returned 3
[0202.695] GetThreadLocale () returned 0x409
[0202.695] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.695] lstrlenW (lpString="showsid") returned 7
[0202.695] GetThreadLocale () returned 0x409
[0202.695] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.696] RtlRestoreLastWin32Error () returned 0x0
[0202.696] RtlRestoreLastWin32Error () returned 0x0
[0202.696] lstrlenW (lpString="/Create") returned 7
[0202.696] lstrlenW (lpString="-/") returned 2
[0202.696] StrChrIW (lpStart="-/", wMatch=0x79002f) returned="/"
[0202.696] lstrlenW (lpString="?") returned 1
[0202.696] lstrlenW (lpString="?") returned 1
[0202.696] GetProcessHeap () returned 0x5b0000
[0202.696] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x10) returned 0x5b7598
[0202.696] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.696] GetProcessHeap () returned 0x5b0000
[0202.696] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0xa) returned 0x5b75e0
[0202.696] lstrlenW (lpString="Create") returned 6
[0202.696] GetProcessHeap () returned 0x5b0000
[0202.696] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x10) returned 0x5b76d0
[0202.696] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.696] GetProcessHeap () returned 0x5b0000
[0202.696] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b9618
[0202.696] _vsnwprintf (in: _Buffer=0x5b75e0, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|?|") returned 3
[0202.696] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|Create|") returned 8
[0202.696] lstrlenW (lpString="|?|") returned 3
[0202.696] lstrlenW (lpString="|Create|") returned 8
[0202.696] RtlRestoreLastWin32Error () returned 0x490
[0202.696] lstrlenW (lpString="create") returned 6
[0202.697] lstrlenW (lpString="create") returned 6
[0202.697] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.697] GetProcessHeap () returned 0x5b0000
[0202.697] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b75e0) returned 1
[0202.697] GetProcessHeap () returned 0x5b0000
[0202.697] RtlReAllocateHeap (Heap=0x5b0000, Flags=0xc, Ptr=0x5b75e0, Size=0x14) returned 0x5b9498
[0202.697] lstrlenW (lpString="Create") returned 6
[0202.697] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.697] _vsnwprintf (in: _Buffer=0x5b9498, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8
[0202.697] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|Create|") returned 8
[0202.697] lstrlenW (lpString="|create|") returned 8
[0202.697] lstrlenW (lpString="|Create|") returned 8
[0202.697] StrStrIW (lpFirst="|create|", lpSrch="|Create|") returned="|create|"
[0202.697] RtlRestoreLastWin32Error () returned 0x0
[0202.697] RtlRestoreLastWin32Error () returned 0x0
[0202.697] RtlRestoreLastWin32Error () returned 0x0
[0202.697] lstrlenW (lpString="/TN") returned 3
[0202.698] lstrlenW (lpString="-/") returned 2
[0202.698] StrChrIW (lpStart="-/", wMatch=0x79002f) returned="/"
[0202.698] lstrlenW (lpString="?") returned 1
[0202.698] lstrlenW (lpString="?") returned 1
[0202.698] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.698] lstrlenW (lpString="TN") returned 2
[0202.698] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.698] _vsnwprintf (in: _Buffer=0x5b9498, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|?|") returned 3
[0202.698] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0202.698] lstrlenW (lpString="|?|") returned 3
[0202.698] lstrlenW (lpString="|TN|") returned 4
[0202.698] RtlRestoreLastWin32Error () returned 0x490
[0202.698] lstrlenW (lpString="create") returned 6
[0202.698] lstrlenW (lpString="create") returned 6
[0202.698] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.698] lstrlenW (lpString="TN") returned 2
[0202.698] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.698] _vsnwprintf (in: _Buffer=0x5b9498, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8
[0202.698] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0202.698] lstrlenW (lpString="|create|") returned 8
[0202.698] lstrlenW (lpString="|TN|") returned 4
[0202.699] StrStrIW (lpFirst="|create|", lpSrch="|TN|") returned 0x0
[0202.699] RtlRestoreLastWin32Error () returned 0x490
[0202.699] lstrlenW (lpString="delete") returned 6
[0202.699] lstrlenW (lpString="delete") returned 6
[0202.699] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.699] lstrlenW (lpString="TN") returned 2
[0202.699] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.699] _vsnwprintf (in: _Buffer=0x5b9498, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|delete|") returned 8
[0202.699] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0202.699] lstrlenW (lpString="|delete|") returned 8
[0202.699] lstrlenW (lpString="|TN|") returned 4
[0202.699] StrStrIW (lpFirst="|delete|", lpSrch="|TN|") returned 0x0
[0202.699] RtlRestoreLastWin32Error () returned 0x490
[0202.699] lstrlenW (lpString="query") returned 5
[0202.699] lstrlenW (lpString="query") returned 5
[0202.699] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.699] lstrlenW (lpString="TN") returned 2
[0202.699] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.699] _vsnwprintf (in: _Buffer=0x5b9498, _BufferCount=0x8, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|query|") returned 7
[0202.699] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0202.699] lstrlenW (lpString="|query|") returned 7
[0202.700] lstrlenW (lpString="|TN|") returned 4
[0202.700] StrStrIW (lpFirst="|query|", lpSrch="|TN|") returned 0x0
[0202.700] RtlRestoreLastWin32Error () returned 0x490
[0202.700] lstrlenW (lpString="change") returned 6
[0202.700] lstrlenW (lpString="change") returned 6
[0202.700] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.700] lstrlenW (lpString="TN") returned 2
[0202.700] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.700] _vsnwprintf (in: _Buffer=0x5b9498, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|change|") returned 8
[0202.700] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0202.700] lstrlenW (lpString="|change|") returned 8
[0202.700] lstrlenW (lpString="|TN|") returned 4
[0202.700] StrStrIW (lpFirst="|change|", lpSrch="|TN|") returned 0x0
[0202.700] RtlRestoreLastWin32Error () returned 0x490
[0202.700] lstrlenW (lpString="run") returned 3
[0202.700] lstrlenW (lpString="run") returned 3
[0202.700] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.700] lstrlenW (lpString="TN") returned 2
[0202.700] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.700] _vsnwprintf (in: _Buffer=0x5b9498, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|run|") returned 5
[0202.700] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0202.701] lstrlenW (lpString="|run|") returned 5
[0202.701] lstrlenW (lpString="|TN|") returned 4
[0202.701] StrStrIW (lpFirst="|run|", lpSrch="|TN|") returned 0x0
[0202.701] RtlRestoreLastWin32Error () returned 0x490
[0202.701] lstrlenW (lpString="end") returned 3
[0202.701] lstrlenW (lpString="end") returned 3
[0202.701] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.701] lstrlenW (lpString="TN") returned 2
[0202.701] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.701] _vsnwprintf (in: _Buffer=0x5b9498, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|end|") returned 5
[0202.701] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0202.701] lstrlenW (lpString="|end|") returned 5
[0202.701] lstrlenW (lpString="|TN|") returned 4
[0202.701] StrStrIW (lpFirst="|end|", lpSrch="|TN|") returned 0x0
[0202.701] RtlRestoreLastWin32Error () returned 0x490
[0202.701] lstrlenW (lpString="showsid") returned 7
[0202.701] lstrlenW (lpString="showsid") returned 7
[0202.701] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.701] GetProcessHeap () returned 0x5b0000
[0202.701] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b9498) returned 1
[0202.701] GetProcessHeap () returned 0x5b0000
[0202.701] RtlReAllocateHeap (Heap=0x5b0000, Flags=0xc, Ptr=0x5b9498, Size=0x16) returned 0x5b9358
[0202.702] lstrlenW (lpString="TN") returned 2
[0202.702] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.702] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0xa, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|showsid|") returned 9
[0202.702] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|TN|") returned 4
[0202.702] lstrlenW (lpString="|showsid|") returned 9
[0202.702] lstrlenW (lpString="|TN|") returned 4
[0202.702] StrStrIW (lpFirst="|showsid|", lpSrch="|TN|") returned 0x0
[0202.702] RtlRestoreLastWin32Error () returned 0x490
[0202.702] RtlRestoreLastWin32Error () returned 0x490
[0202.702] RtlRestoreLastWin32Error () returned 0x0
[0202.702] lstrlenW (lpString="/TN") returned 3
[0202.702] StrChrIW (lpStart="/TN", wMatch=0x3a) returned 0x0
[0202.702] RtlRestoreLastWin32Error () returned 0x490
[0202.702] RtlRestoreLastWin32Error () returned 0x0
[0202.702] lstrlenW (lpString="/TN") returned 3
[0202.702] GetProcessHeap () returned 0x5b0000
[0202.702] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x8) returned 0x5b6c60
[0202.702] GetProcessHeap () returned 0x5b0000
[0202.702] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b9498
[0202.703] RtlRestoreLastWin32Error () returned 0x0
[0202.703] RtlRestoreLastWin32Error () returned 0x0
[0202.703] lstrlenW (lpString="Updates\\KHDScDG") returned 15
[0202.703] lstrlenW (lpString="-/") returned 2
[0202.703] StrChrIW (lpStart="-/", wMatch=0x790055) returned 0x0
[0202.703] RtlRestoreLastWin32Error () returned 0x490
[0202.703] RtlRestoreLastWin32Error () returned 0x490
[0202.703] RtlRestoreLastWin32Error () returned 0x0
[0202.703] lstrlenW (lpString="Updates\\KHDScDG") returned 15
[0202.703] StrChrIW (lpStart="Updates\\KHDScDG", wMatch=0x3a) returned 0x0
[0202.703] RtlRestoreLastWin32Error () returned 0x490
[0202.703] RtlRestoreLastWin32Error () returned 0x0
[0202.703] lstrlenW (lpString="Updates\\KHDScDG") returned 15
[0202.703] GetProcessHeap () returned 0x5b0000
[0202.703] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x20) returned 0x5b6ab0
[0202.703] GetProcessHeap () returned 0x5b0000
[0202.703] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b94f8
[0202.703] RtlRestoreLastWin32Error () returned 0x0
[0202.703] RtlRestoreLastWin32Error () returned 0x0
[0202.703] lstrlenW (lpString="/XML") returned 4
[0202.703] lstrlenW (lpString="-/") returned 2
[0202.703] StrChrIW (lpStart="-/", wMatch=0x79002f) returned="/"
[0202.703] lstrlenW (lpString="?") returned 1
[0202.703] lstrlenW (lpString="?") returned 1
[0202.703] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.704] lstrlenW (lpString="XML") returned 3
[0202.704] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.704] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|?|") returned 3
[0202.704] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0202.704] lstrlenW (lpString="|?|") returned 3
[0202.704] lstrlenW (lpString="|XML|") returned 5
[0202.704] RtlRestoreLastWin32Error () returned 0x490
[0202.704] lstrlenW (lpString="create") returned 6
[0202.704] lstrlenW (lpString="create") returned 6
[0202.704] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.704] lstrlenW (lpString="XML") returned 3
[0202.704] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.704] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|create|") returned 8
[0202.704] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0202.704] lstrlenW (lpString="|create|") returned 8
[0202.704] lstrlenW (lpString="|XML|") returned 5
[0202.704] StrStrIW (lpFirst="|create|", lpSrch="|XML|") returned 0x0
[0202.704] RtlRestoreLastWin32Error () returned 0x490
[0202.704] lstrlenW (lpString="delete") returned 6
[0202.704] lstrlenW (lpString="delete") returned 6
[0202.704] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.704] lstrlenW (lpString="XML") returned 3
[0202.704] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.705] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|delete|") returned 8
[0202.705] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0202.705] lstrlenW (lpString="|delete|") returned 8
[0202.705] lstrlenW (lpString="|XML|") returned 5
[0202.705] StrStrIW (lpFirst="|delete|", lpSrch="|XML|") returned 0x0
[0202.705] RtlRestoreLastWin32Error () returned 0x490
[0202.705] lstrlenW (lpString="query") returned 5
[0202.705] lstrlenW (lpString="query") returned 5
[0202.705] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.705] lstrlenW (lpString="XML") returned 3
[0202.705] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.705] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x8, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|query|") returned 7
[0202.705] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0202.705] lstrlenW (lpString="|query|") returned 7
[0202.705] lstrlenW (lpString="|XML|") returned 5
[0202.706] StrStrIW (lpFirst="|query|", lpSrch="|XML|") returned 0x0
[0202.706] RtlRestoreLastWin32Error () returned 0x490
[0202.706] lstrlenW (lpString="change") returned 6
[0202.706] lstrlenW (lpString="change") returned 6
[0202.706] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.706] lstrlenW (lpString="XML") returned 3
[0202.706] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.706] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|change|") returned 8
[0202.706] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0202.706] lstrlenW (lpString="|change|") returned 8
[0202.706] lstrlenW (lpString="|XML|") returned 5
[0202.706] StrStrIW (lpFirst="|change|", lpSrch="|XML|") returned 0x0
[0202.706] RtlRestoreLastWin32Error () returned 0x490
[0202.706] lstrlenW (lpString="run") returned 3
[0202.707] lstrlenW (lpString="run") returned 3
[0202.707] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.707] lstrlenW (lpString="XML") returned 3
[0202.707] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.707] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|run|") returned 5
[0202.707] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0202.707] lstrlenW (lpString="|run|") returned 5
[0202.707] lstrlenW (lpString="|XML|") returned 5
[0202.707] StrStrIW (lpFirst="|run|", lpSrch="|XML|") returned 0x0
[0202.707] RtlRestoreLastWin32Error () returned 0x490
[0202.707] lstrlenW (lpString="end") returned 3
[0202.707] lstrlenW (lpString="end") returned 3
[0202.707] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.707] lstrlenW (lpString="XML") returned 3
[0202.707] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.707] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|end|") returned 5
[0202.707] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0202.708] lstrlenW (lpString="|end|") returned 5
[0202.708] lstrlenW (lpString="|XML|") returned 5
[0202.708] StrStrIW (lpFirst="|end|", lpSrch="|XML|") returned 0x0
[0202.708] RtlRestoreLastWin32Error () returned 0x490
[0202.708] lstrlenW (lpString="showsid") returned 7
[0202.708] lstrlenW (lpString="showsid") returned 7
[0202.708] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.708] lstrlenW (lpString="XML") returned 3
[0202.708] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.708] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0xa, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|showsid|") returned 9
[0202.708] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdfae0 | out: _Buffer="|XML|") returned 5
[0202.708] lstrlenW (lpString="|showsid|") returned 9
[0202.708] lstrlenW (lpString="|XML|") returned 5
[0202.708] StrStrIW (lpFirst="|showsid|", lpSrch="|XML|") returned 0x0
[0202.708] RtlRestoreLastWin32Error () returned 0x490
[0202.708] RtlRestoreLastWin32Error () returned 0x490
[0202.708] RtlRestoreLastWin32Error () returned 0x0
[0202.708] lstrlenW (lpString="/XML") returned 4
[0202.708] StrChrIW (lpStart="/XML", wMatch=0x3a) returned 0x0
[0202.708] RtlRestoreLastWin32Error () returned 0x490
[0202.708] RtlRestoreLastWin32Error () returned 0x0
[0202.708] lstrlenW (lpString="/XML") returned 4
[0202.709] GetProcessHeap () returned 0x5b0000
[0202.709] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0xa) returned 0x5b76e8
[0202.709] GetProcessHeap () returned 0x5b0000
[0202.709] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b96d8
[0202.709] RtlRestoreLastWin32Error () returned 0x0
[0202.709] RtlRestoreLastWin32Error () returned 0x0
[0202.709] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpC2CF.tmp") returned 52
[0202.709] lstrlenW (lpString="-/") returned 2
[0202.709] StrChrIW (lpStart="-/", wMatch=0x790043) returned 0x0
[0202.709] RtlRestoreLastWin32Error () returned 0x490
[0202.709] RtlRestoreLastWin32Error () returned 0x490
[0202.709] RtlRestoreLastWin32Error () returned 0x0
[0202.709] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpC2CF.tmp") returned 52
[0202.709] StrChrIW (lpStart="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpC2CF.tmp", wMatch=0x3a) returned=":\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpC2CF.tmp"
[0202.709] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpC2CF.tmp") returned 52
[0202.709] GetProcessHeap () returned 0x5b0000
[0202.709] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x10) returned 0x5b75e0
[0202.709] _memicmp (_Buf1=0x5b75e0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.709] GetProcessHeap () returned 0x5b0000
[0202.710] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0xc) returned 0x5b7610
[0202.710] GetProcessHeap () returned 0x5b0000
[0202.710] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x10) returned 0x5babe8
[0202.710] _memicmp (_Buf1=0x5babe8, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.710] GetProcessHeap () returned 0x5b0000
[0202.710] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x6e) returned 0x5b70c0
[0202.710] RtlRestoreLastWin32Error () returned 0x7a
[0202.710] RtlRestoreLastWin32Error () returned 0x0
[0202.710] RtlRestoreLastWin32Error () returned 0x0
[0202.710] lstrlenW (lpString="C") returned 1
[0202.710] RtlRestoreLastWin32Error () returned 0x490
[0202.710] RtlRestoreLastWin32Error () returned 0x0
[0202.710] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpC2CF.tmp") returned 52
[0202.710] GetProcessHeap () returned 0x5b0000
[0202.710] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x6a) returned 0x5bad98
[0202.710] GetProcessHeap () returned 0x5b0000
[0202.710] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b9638
[0202.710] RtlRestoreLastWin32Error () returned 0x0
[0202.710] GetProcessHeap () returned 0x5b0000
[0202.710] GetProcessHeap () returned 0x5b0000
[0202.710] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b6c60) returned 1
[0202.710] GetProcessHeap () returned 0x5b0000
[0202.710] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b6c60) returned 0x8
[0202.711] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b6c60) returned 1
[0202.711] GetProcessHeap () returned 0x5b0000
[0202.711] GetProcessHeap () returned 0x5b0000
[0202.711] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b9498) returned 1
[0202.711] GetProcessHeap () returned 0x5b0000
[0202.711] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b9498) returned 0x14
[0202.711] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b9498) returned 1
[0202.711] GetProcessHeap () returned 0x5b0000
[0202.711] GetProcessHeap () returned 0x5b0000
[0202.711] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b6ab0) returned 1
[0202.711] GetProcessHeap () returned 0x5b0000
[0202.711] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b6ab0) returned 0x20
[0202.711] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b6ab0) returned 1
[0202.711] GetProcessHeap () returned 0x5b0000
[0202.711] GetProcessHeap () returned 0x5b0000
[0202.711] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b94f8) returned 1
[0202.711] GetProcessHeap () returned 0x5b0000
[0202.711] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b94f8) returned 0x14
[0202.712] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b94f8) returned 1
[0202.712] GetProcessHeap () returned 0x5b0000
[0202.712] GetProcessHeap () returned 0x5b0000
[0202.712] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b76e8) returned 1
[0202.712] GetProcessHeap () returned 0x5b0000
[0202.712] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b76e8) returned 0xa
[0202.712] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b76e8) returned 1
[0202.712] GetProcessHeap () returned 0x5b0000
[0202.712] GetProcessHeap () returned 0x5b0000
[0202.712] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b96d8) returned 1
[0202.712] GetProcessHeap () returned 0x5b0000
[0202.712] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b96d8) returned 0x14
[0202.712] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b96d8) returned 1
[0202.712] GetProcessHeap () returned 0x5b0000
[0202.712] GetProcessHeap () returned 0x5b0000
[0202.712] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5bad98) returned 1
[0202.712] GetProcessHeap () returned 0x5b0000
[0202.712] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5bad98) returned 0x6a
[0202.713] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5bad98) returned 1
[0202.713] GetProcessHeap () returned 0x5b0000
[0202.713] GetProcessHeap () returned 0x5b0000
[0202.713] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b9638) returned 1
[0202.713] GetProcessHeap () returned 0x5b0000
[0202.713] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b9638) returned 0x14
[0202.713] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b9638) returned 1
[0202.713] GetProcessHeap () returned 0x5b0000
[0202.713] GetProcessHeap () returned 0x5b0000
[0202.713] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b7730) returned 1
[0202.713] GetProcessHeap () returned 0x5b0000
[0202.713] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b7730) returned 0x10
[0202.713] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b7730) returned 1
[0202.714] RtlRestoreLastWin32Error () returned 0x0
[0202.714] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x0, Condition=0x2) returned 0x18
[0202.714] VerSetConditionMask (ConditionMask=0x18, TypeMask=0x80000000, Condition=0x1) returned 0x1b
[0202.714] VerSetConditionMask (ConditionMask=0x1b, TypeMask=0x80000000, Condition=0x20) returned 0x1801b
[0202.714] RtlVerifyVersionInfo (VersionInfo=0xdce60, TypeMask=0x3, ConditionMask=0x1801b) returned 0x0
[0202.714] RtlRestoreLastWin32Error () returned 0x0
[0202.714] lstrlenW (lpString="create") returned 6
[0202.714] StrChrIW (lpStart="create", wMatch=0x7c) returned 0x0
[0202.714] RtlRestoreLastWin32Error () returned 0x490
[0202.714] RtlRestoreLastWin32Error () returned 0x0
[0202.714] lstrlenW (lpString="create") returned 6
[0202.714] GetProcessHeap () returned 0x5b0000
[0202.714] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b9498
[0202.714] GetProcessHeap () returned 0x5b0000
[0202.714] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x10) returned 0x5baab0
[0202.714] _memicmp (_Buf1=0x5baab0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.714] GetProcessHeap () returned 0x5b0000
[0202.714] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x16) returned 0x5b9538
[0202.714] RtlRestoreLastWin32Error () returned 0x0
[0202.714] _memicmp (_Buf1=0x5b75f8, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.715] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x5b8cd0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\schtasks.exe" (normalized: "c:\\windows\\syswow64\\schtasks.exe")) returned 0x20
[0202.715] GetFileVersionInfoSizeExW (in: dwFlags=0x1, lpwstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", lpdwHandle=0xdcf6c | out: lpdwHandle=0xdcf6c) returned 0x76c
[0202.715] GetProcessHeap () returned 0x5b0000
[0202.715] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x776) returned 0x5b9da8
[0202.715] GetFileVersionInfoExW (in: dwFlags=0x3, lpwstrFilename="C:\\Windows\\SysWOW64\\schtasks.exe", dwHandle=0x0, dwLen=0x776, lpData=0x5b9da8 | out: lpData=0x5b9da8) returned 1
[0202.715] VerQueryValueW (in: pBlock=0x5b9da8, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0xdcf74, puLen=0xdcf78 | out: lplpBuffer=0xdcf74*=0x5ba158, puLen=0xdcf78) returned 1
[0202.715] _memicmp (_Buf1=0x5b75f8, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.715] _vsnwprintf (in: _Buffer=0x5b8cd0, _BufferCount=0x3f, _Format="\\StringFileInfo\\%04x%04x\\InternalName", _ArgList=0xdcf58 | out: _Buffer="\\StringFileInfo\\040904b0\\InternalName") returned 37
[0202.716] VerQueryValueW (in: pBlock=0x5b9da8, lpSubBlock="\\StringFileInfo\\040904b0\\InternalName", lplpBuffer=0xdcf84, puLen=0xdcf80 | out: lplpBuffer=0xdcf84*=0x5b9f88, puLen=0xdcf80) returned 1
[0202.716] lstrlenW (lpString="schtasks.exe") returned 12
[0202.716] lstrlenW (lpString="schtasks.exe") returned 12
[0202.716] lstrlenW (lpString=".EXE") returned 4
[0202.716] StrStrIW (lpFirst="schtasks.exe", lpSrch=".EXE") returned=".exe"
[0202.716] lstrlenW (lpString="schtasks.exe") returned 12
[0202.716] lstrlenW (lpString=".EXE") returned 4
[0202.716] lstrlenW (lpString="schtasks") returned 8
[0202.716] lstrlenW (lpString="/create") returned 7
[0202.716] _memicmp (_Buf1=0x5b75f8, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.716] _vsnwprintf (in: _Buffer=0x5b8cd0, _BufferCount=0x19, _Format="%s %s", _ArgList=0xdcf58 | out: _Buffer="schtasks /create") returned 16
[0202.716] _memicmp (_Buf1=0x5b7580, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.716] GetProcessHeap () returned 0x5b0000
[0202.716] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5b9558
[0202.716] _memicmp (_Buf1=0x5b7688, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.716] LoadStringW (in: hInstance=0x0, uID=0x15ed, lpBuffer=0x5ba788, cchBufferMax=256 | out: lpBuffer="Type \"%s /?\" for usage.") returned 0x17
[0202.716] lstrlenW (lpString="Type \"%s /?\" for usage.") returned 23
[0202.716] GetProcessHeap () returned 0x5b0000
[0202.716] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x30) returned 0x5bad98
[0202.716] _vsnwprintf (in: _Buffer=0x5b69d0, _BufferCount=0x4f, _Format="Type \"%s /?\" for usage.", _ArgList=0xdcf5c | out: _Buffer="Type \"SCHTASKS /CREATE /?\" for usage.") returned 37
[0202.716] GetProcessHeap () returned 0x5b0000
[0202.716] GetProcessHeap () returned 0x5b0000
[0202.717] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b9da8) returned 1
[0202.717] GetProcessHeap () returned 0x5b0000
[0202.717] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b9da8) returned 0x776
[0202.717] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b9da8) returned 1
[0202.717] RtlRestoreLastWin32Error () returned 0x0
[0202.717] GetThreadLocale () returned 0x409
[0202.717] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.717] lstrlenW (lpString="create") returned 6
[0202.718] GetThreadLocale () returned 0x409
[0202.718] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.718] lstrlenW (lpString="?") returned 1
[0202.718] GetThreadLocale () returned 0x409
[0202.718] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.718] lstrlenW (lpString="s") returned 1
[0202.718] GetThreadLocale () returned 0x409
[0202.718] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.718] lstrlenW (lpString="u") returned 1
[0202.718] GetThreadLocale () returned 0x409
[0202.718] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.718] lstrlenW (lpString="p") returned 1
[0202.718] GetThreadLocale () returned 0x409
[0202.718] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.718] lstrlenW (lpString="ru") returned 2
[0202.718] GetThreadLocale () returned 0x409
[0202.718] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.718] lstrlenW (lpString="rp") returned 2
[0202.718] GetThreadLocale () returned 0x409
[0202.718] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.718] lstrlenW (lpString="sc") returned 2
[0202.718] GetThreadLocale () returned 0x409
[0202.718] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.718] lstrlenW (lpString="mo") returned 2
[0202.719] GetThreadLocale () returned 0x409
[0202.719] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.719] lstrlenW (lpString="d") returned 1
[0202.719] GetThreadLocale () returned 0x409
[0202.719] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.719] lstrlenW (lpString="m") returned 1
[0202.719] GetThreadLocale () returned 0x409
[0202.719] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.719] lstrlenW (lpString="i") returned 1
[0202.719] GetThreadLocale () returned 0x409
[0202.719] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.719] lstrlenW (lpString="tn") returned 2
[0202.719] GetThreadLocale () returned 0x409
[0202.719] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.719] lstrlenW (lpString="tr") returned 2
[0202.719] GetThreadLocale () returned 0x409
[0202.719] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.719] lstrlenW (lpString="st") returned 2
[0202.720] GetThreadLocale () returned 0x409
[0202.720] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.720] lstrlenW (lpString="sd") returned 2
[0202.720] GetThreadLocale () returned 0x409
[0202.720] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.720] lstrlenW (lpString="ed") returned 2
[0202.720] GetThreadLocale () returned 0x409
[0202.720] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.720] lstrlenW (lpString="it") returned 2
[0202.720] GetThreadLocale () returned 0x409
[0202.720] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.720] lstrlenW (lpString="et") returned 2
[0202.720] GetThreadLocale () returned 0x409
[0202.720] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.720] lstrlenW (lpString="k") returned 1
[0202.720] GetThreadLocale () returned 0x409
[0202.720] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.720] lstrlenW (lpString="du") returned 2
[0202.720] GetThreadLocale () returned 0x409
[0202.720] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.720] lstrlenW (lpString="ri") returned 2
[0202.720] GetThreadLocale () returned 0x409
[0202.720] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.720] lstrlenW (lpString="z") returned 1
[0202.720] GetThreadLocale () returned 0x409
[0202.721] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.721] lstrlenW (lpString="f") returned 1
[0202.721] GetThreadLocale () returned 0x409
[0202.721] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.721] lstrlenW (lpString="v1") returned 2
[0202.721] GetThreadLocale () returned 0x409
[0202.721] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.721] lstrlenW (lpString="xml") returned 3
[0202.721] GetThreadLocale () returned 0x409
[0202.721] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.721] lstrlenW (lpString="ec") returned 2
[0202.721] GetThreadLocale () returned 0x409
[0202.721] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.721] lstrlenW (lpString="rl") returned 2
[0202.721] GetThreadLocale () returned 0x409
[0202.721] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.721] lstrlenW (lpString="delay") returned 5
[0202.721] GetThreadLocale () returned 0x409
[0202.721] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.721] lstrlenW (lpString="np") returned 2
[0202.721] GetThreadLocale () returned 0x409
[0202.721] CompareStringA (Locale=0x409, dwCmpFlags=0x1, lpString1="PARSER2", cchCount1=-1, lpString2="PARSER2", cchCount2=-1) returned 2
[0202.721] lstrlenW (lpString="hresult") returned 7
[0202.722] RtlRestoreLastWin32Error () returned 0x0
[0202.722] RtlRestoreLastWin32Error () returned 0x0
[0202.722] lstrlenW (lpString="/Create") returned 7
[0202.722] lstrlenW (lpString="-/") returned 2
[0202.722] StrChrIW (lpStart="-/", wMatch=0x79002f) returned="/"
[0202.722] lstrlenW (lpString="create") returned 6
[0202.722] lstrlenW (lpString="create") returned 6
[0202.722] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.722] lstrlenW (lpString="Create") returned 6
[0202.722] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.722] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|create|") returned 8
[0202.722] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|Create|") returned 8
[0202.722] lstrlenW (lpString="|create|") returned 8
[0202.722] lstrlenW (lpString="|Create|") returned 8
[0202.722] StrStrIW (lpFirst="|create|", lpSrch="|Create|") returned="|create|"
[0202.722] RtlRestoreLastWin32Error () returned 0x0
[0202.722] RtlRestoreLastWin32Error () returned 0x0
[0202.722] RtlRestoreLastWin32Error () returned 0x0
[0202.722] lstrlenW (lpString="/TN") returned 3
[0202.722] lstrlenW (lpString="-/") returned 2
[0202.722] StrChrIW (lpStart="-/", wMatch=0x79002f) returned="/"
[0202.723] lstrlenW (lpString="create") returned 6
[0202.723] lstrlenW (lpString="create") returned 6
[0202.723] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.723] lstrlenW (lpString="TN") returned 2
[0202.723] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.723] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|create|") returned 8
[0202.723] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0202.723] lstrlenW (lpString="|create|") returned 8
[0202.723] lstrlenW (lpString="|TN|") returned 4
[0202.723] StrStrIW (lpFirst="|create|", lpSrch="|TN|") returned 0x0
[0202.723] RtlRestoreLastWin32Error () returned 0x490
[0202.723] lstrlenW (lpString="?") returned 1
[0202.723] lstrlenW (lpString="?") returned 1
[0202.723] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.723] lstrlenW (lpString="TN") returned 2
[0202.723] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.723] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|?|") returned 3
[0202.723] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0202.723] lstrlenW (lpString="|?|") returned 3
[0202.723] lstrlenW (lpString="|TN|") returned 4
[0202.723] RtlRestoreLastWin32Error () returned 0x490
[0202.724] lstrlenW (lpString="s") returned 1
[0202.724] lstrlenW (lpString="s") returned 1
[0202.724] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.724] lstrlenW (lpString="TN") returned 2
[0202.724] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.724] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|s|") returned 3
[0202.724] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0202.724] lstrlenW (lpString="|s|") returned 3
[0202.724] lstrlenW (lpString="|TN|") returned 4
[0202.724] RtlRestoreLastWin32Error () returned 0x490
[0202.724] lstrlenW (lpString="u") returned 1
[0202.724] lstrlenW (lpString="u") returned 1
[0202.724] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.724] lstrlenW (lpString="TN") returned 2
[0202.724] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.724] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|u|") returned 3
[0202.724] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0202.724] lstrlenW (lpString="|u|") returned 3
[0202.724] lstrlenW (lpString="|TN|") returned 4
[0202.724] RtlRestoreLastWin32Error () returned 0x490
[0202.724] lstrlenW (lpString="p") returned 1
[0202.724] lstrlenW (lpString="p") returned 1
[0202.724] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.724] lstrlenW (lpString="TN") returned 2
[0202.724] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.725] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|p|") returned 3
[0202.725] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0202.725] lstrlenW (lpString="|p|") returned 3
[0202.725] lstrlenW (lpString="|TN|") returned 4
[0202.725] RtlRestoreLastWin32Error () returned 0x490
[0202.725] lstrlenW (lpString="ru") returned 2
[0202.725] lstrlenW (lpString="ru") returned 2
[0202.725] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.725] lstrlenW (lpString="TN") returned 2
[0202.725] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.725] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ru|") returned 4
[0202.725] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0202.725] lstrlenW (lpString="|ru|") returned 4
[0202.725] lstrlenW (lpString="|TN|") returned 4
[0202.725] StrStrIW (lpFirst="|ru|", lpSrch="|TN|") returned 0x0
[0202.725] RtlRestoreLastWin32Error () returned 0x490
[0202.725] lstrlenW (lpString="rp") returned 2
[0202.725] lstrlenW (lpString="rp") returned 2
[0202.725] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.725] lstrlenW (lpString="TN") returned 2
[0202.725] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.725] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rp|") returned 4
[0202.726] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0202.726] lstrlenW (lpString="|rp|") returned 4
[0202.726] lstrlenW (lpString="|TN|") returned 4
[0202.726] StrStrIW (lpFirst="|rp|", lpSrch="|TN|") returned 0x0
[0202.726] RtlRestoreLastWin32Error () returned 0x490
[0202.726] lstrlenW (lpString="sc") returned 2
[0202.726] lstrlenW (lpString="sc") returned 2
[0202.726] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.726] lstrlenW (lpString="TN") returned 2
[0202.726] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.726] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4
[0202.726] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0202.726] lstrlenW (lpString="|sc|") returned 4
[0202.726] lstrlenW (lpString="|TN|") returned 4
[0202.726] StrStrIW (lpFirst="|sc|", lpSrch="|TN|") returned 0x0
[0202.726] RtlRestoreLastWin32Error () returned 0x490
[0202.726] lstrlenW (lpString="mo") returned 2
[0202.726] lstrlenW (lpString="mo") returned 2
[0202.726] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.726] lstrlenW (lpString="TN") returned 2
[0202.727] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.727] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|mo|") returned 4
[0202.727] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0202.727] lstrlenW (lpString="|mo|") returned 4
[0202.727] lstrlenW (lpString="|TN|") returned 4
[0202.727] StrStrIW (lpFirst="|mo|", lpSrch="|TN|") returned 0x0
[0202.727] RtlRestoreLastWin32Error () returned 0x490
[0202.727] lstrlenW (lpString="d") returned 1
[0202.727] lstrlenW (lpString="d") returned 1
[0202.727] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.727] lstrlenW (lpString="TN") returned 2
[0202.727] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.770] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|d|") returned 3
[0202.770] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0202.770] lstrlenW (lpString="|d|") returned 3
[0202.770] lstrlenW (lpString="|TN|") returned 4
[0202.770] RtlRestoreLastWin32Error () returned 0x490
[0202.770] lstrlenW (lpString="m") returned 1
[0202.770] lstrlenW (lpString="m") returned 1
[0202.770] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.770] lstrlenW (lpString="TN") returned 2
[0202.770] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.770] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|m|") returned 3
[0202.770] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0202.770] lstrlenW (lpString="|m|") returned 3
[0202.770] lstrlenW (lpString="|TN|") returned 4
[0202.770] RtlRestoreLastWin32Error () returned 0x490
[0202.770] lstrlenW (lpString="i") returned 1
[0202.770] lstrlenW (lpString="i") returned 1
[0202.770] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.770] lstrlenW (lpString="TN") returned 2
[0202.770] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.771] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|i|") returned 3
[0202.771] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0202.771] lstrlenW (lpString="|i|") returned 3
[0202.771] lstrlenW (lpString="|TN|") returned 4
[0202.771] RtlRestoreLastWin32Error () returned 0x490
[0202.771] lstrlenW (lpString="tn") returned 2
[0202.771] lstrlenW (lpString="tn") returned 2
[0202.771] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.771] lstrlenW (lpString="TN") returned 2
[0202.771] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.771] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4
[0202.771] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|TN|") returned 4
[0202.771] lstrlenW (lpString="|tn|") returned 4
[0202.771] lstrlenW (lpString="|TN|") returned 4
[0202.771] StrStrIW (lpFirst="|tn|", lpSrch="|TN|") returned="|tn|"
[0202.771] RtlRestoreLastWin32Error () returned 0x0
[0202.771] RtlRestoreLastWin32Error () returned 0x0
[0202.771] lstrlenW (lpString="Updates\\KHDScDG") returned 15
[0202.771] lstrlenW (lpString="-/") returned 2
[0202.771] StrChrIW (lpStart="-/", wMatch=0x790055) returned 0x0
[0202.771] RtlRestoreLastWin32Error () returned 0x490
[0202.771] RtlRestoreLastWin32Error () returned 0x490
[0202.771] RtlRestoreLastWin32Error () returned 0x0
[0202.771] lstrlenW (lpString="Updates\\KHDScDG") returned 15
[0202.771] StrChrIW (lpStart="Updates\\KHDScDG", wMatch=0x3a) returned 0x0
[0202.771] RtlRestoreLastWin32Error () returned 0x490
[0202.771] RtlRestoreLastWin32Error () returned 0x0
[0202.771] lstrlenW (lpString="Updates\\KHDScDG") returned 15
[0202.772] RtlRestoreLastWin32Error () returned 0x0
[0202.772] RtlRestoreLastWin32Error () returned 0x0
[0202.772] lstrlenW (lpString="/XML") returned 4
[0202.772] lstrlenW (lpString="-/") returned 2
[0202.772] StrChrIW (lpStart="-/", wMatch=0x79002f) returned="/"
[0202.772] lstrlenW (lpString="create") returned 6
[0202.772] lstrlenW (lpString="create") returned 6
[0202.772] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.772] lstrlenW (lpString="XML") returned 3
[0202.772] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.772] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x9, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|create|") returned 8
[0202.772] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.772] lstrlenW (lpString="|create|") returned 8
[0202.772] lstrlenW (lpString="|XML|") returned 5
[0202.772] StrStrIW (lpFirst="|create|", lpSrch="|XML|") returned 0x0
[0202.772] RtlRestoreLastWin32Error () returned 0x490
[0202.772] lstrlenW (lpString="?") returned 1
[0202.772] lstrlenW (lpString="?") returned 1
[0202.772] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.772] lstrlenW (lpString="XML") returned 3
[0202.772] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.772] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|?|") returned 3
[0202.772] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.772] lstrlenW (lpString="|?|") returned 3
[0202.772] lstrlenW (lpString="|XML|") returned 5
[0202.772] RtlRestoreLastWin32Error () returned 0x490
[0202.772] lstrlenW (lpString="s") returned 1
[0202.772] lstrlenW (lpString="s") returned 1
[0202.772] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.773] lstrlenW (lpString="XML") returned 3
[0202.773] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.773] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|s|") returned 3
[0202.773] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.773] lstrlenW (lpString="|s|") returned 3
[0202.773] lstrlenW (lpString="|XML|") returned 5
[0202.773] RtlRestoreLastWin32Error () returned 0x490
[0202.773] lstrlenW (lpString="u") returned 1
[0202.773] lstrlenW (lpString="u") returned 1
[0202.773] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.773] lstrlenW (lpString="XML") returned 3
[0202.773] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.773] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|u|") returned 3
[0202.773] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.773] lstrlenW (lpString="|u|") returned 3
[0202.773] lstrlenW (lpString="|XML|") returned 5
[0202.773] RtlRestoreLastWin32Error () returned 0x490
[0202.773] lstrlenW (lpString="p") returned 1
[0202.773] lstrlenW (lpString="p") returned 1
[0202.773] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.773] lstrlenW (lpString="XML") returned 3
[0202.773] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.773] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|p|") returned 3
[0202.773] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.773] lstrlenW (lpString="|p|") returned 3
[0202.774] lstrlenW (lpString="|XML|") returned 5
[0202.774] RtlRestoreLastWin32Error () returned 0x490
[0202.774] lstrlenW (lpString="ru") returned 2
[0202.774] lstrlenW (lpString="ru") returned 2
[0202.774] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.774] lstrlenW (lpString="XML") returned 3
[0202.774] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.774] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ru|") returned 4
[0202.774] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.774] lstrlenW (lpString="|ru|") returned 4
[0202.774] lstrlenW (lpString="|XML|") returned 5
[0202.774] RtlRestoreLastWin32Error () returned 0x490
[0202.774] lstrlenW (lpString="rp") returned 2
[0202.774] lstrlenW (lpString="rp") returned 2
[0202.774] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.774] lstrlenW (lpString="XML") returned 3
[0202.774] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.774] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|rp|") returned 4
[0202.774] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.774] lstrlenW (lpString="|rp|") returned 4
[0202.774] lstrlenW (lpString="|XML|") returned 5
[0202.774] RtlRestoreLastWin32Error () returned 0x490
[0202.774] lstrlenW (lpString="sc") returned 2
[0202.774] lstrlenW (lpString="sc") returned 2
[0202.774] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.774] lstrlenW (lpString="XML") returned 3
[0202.774] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.774] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sc|") returned 4
[0202.775] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.775] lstrlenW (lpString="|sc|") returned 4
[0202.775] lstrlenW (lpString="|XML|") returned 5
[0202.775] RtlRestoreLastWin32Error () returned 0x490
[0202.775] lstrlenW (lpString="mo") returned 2
[0202.775] lstrlenW (lpString="mo") returned 2
[0202.775] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.775] lstrlenW (lpString="XML") returned 3
[0202.775] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.775] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|mo|") returned 4
[0202.775] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.775] lstrlenW (lpString="|mo|") returned 4
[0202.775] lstrlenW (lpString="|XML|") returned 5
[0202.775] RtlRestoreLastWin32Error () returned 0x490
[0202.775] lstrlenW (lpString="d") returned 1
[0202.775] lstrlenW (lpString="d") returned 1
[0202.775] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.775] lstrlenW (lpString="XML") returned 3
[0202.775] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.775] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|d|") returned 3
[0202.775] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.775] lstrlenW (lpString="|d|") returned 3
[0202.775] lstrlenW (lpString="|XML|") returned 5
[0202.775] RtlRestoreLastWin32Error () returned 0x490
[0202.775] lstrlenW (lpString="m") returned 1
[0202.776] lstrlenW (lpString="m") returned 1
[0202.776] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.776] lstrlenW (lpString="XML") returned 3
[0202.776] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.776] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|m|") returned 3
[0202.776] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.776] lstrlenW (lpString="|m|") returned 3
[0202.776] lstrlenW (lpString="|XML|") returned 5
[0202.776] RtlRestoreLastWin32Error () returned 0x490
[0202.776] lstrlenW (lpString="i") returned 1
[0202.776] lstrlenW (lpString="i") returned 1
[0202.776] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.776] lstrlenW (lpString="XML") returned 3
[0202.776] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.776] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|i|") returned 3
[0202.776] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.776] lstrlenW (lpString="|i|") returned 3
[0202.776] lstrlenW (lpString="|XML|") returned 5
[0202.776] RtlRestoreLastWin32Error () returned 0x490
[0202.776] lstrlenW (lpString="tn") returned 2
[0202.776] lstrlenW (lpString="tn") returned 2
[0202.776] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.776] lstrlenW (lpString="XML") returned 3
[0202.776] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.776] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tn|") returned 4
[0202.776] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.777] lstrlenW (lpString="|tn|") returned 4
[0202.777] lstrlenW (lpString="|XML|") returned 5
[0202.777] RtlRestoreLastWin32Error () returned 0x490
[0202.777] lstrlenW (lpString="tr") returned 2
[0202.777] lstrlenW (lpString="tr") returned 2
[0202.777] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.777] lstrlenW (lpString="XML") returned 3
[0202.777] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.777] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|tr|") returned 4
[0202.777] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.777] lstrlenW (lpString="|tr|") returned 4
[0202.777] lstrlenW (lpString="|XML|") returned 5
[0202.777] RtlRestoreLastWin32Error () returned 0x490
[0202.777] lstrlenW (lpString="st") returned 2
[0202.777] lstrlenW (lpString="st") returned 2
[0202.777] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.777] lstrlenW (lpString="XML") returned 3
[0202.777] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.777] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|st|") returned 4
[0202.777] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.777] lstrlenW (lpString="|st|") returned 4
[0202.777] lstrlenW (lpString="|XML|") returned 5
[0202.777] RtlRestoreLastWin32Error () returned 0x490
[0202.777] lstrlenW (lpString="sd") returned 2
[0202.777] lstrlenW (lpString="sd") returned 2
[0202.777] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.778] lstrlenW (lpString="XML") returned 3
[0202.778] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.779] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|sd|") returned 4
[0202.779] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.779] lstrlenW (lpString="|sd|") returned 4
[0202.779] lstrlenW (lpString="|XML|") returned 5
[0202.779] RtlRestoreLastWin32Error () returned 0x490
[0202.779] lstrlenW (lpString="ed") returned 2
[0202.779] lstrlenW (lpString="ed") returned 2
[0202.779] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.779] lstrlenW (lpString="XML") returned 3
[0202.779] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.779] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ed|") returned 4
[0202.779] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.779] lstrlenW (lpString="|ed|") returned 4
[0202.779] lstrlenW (lpString="|XML|") returned 5
[0202.779] RtlRestoreLastWin32Error () returned 0x490
[0202.779] lstrlenW (lpString="it") returned 2
[0202.779] lstrlenW (lpString="it") returned 2
[0202.779] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.779] lstrlenW (lpString="XML") returned 3
[0202.779] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.779] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|it|") returned 4
[0202.779] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.779] lstrlenW (lpString="|it|") returned 4
[0202.780] lstrlenW (lpString="|XML|") returned 5
[0202.780] RtlRestoreLastWin32Error () returned 0x490
[0202.780] lstrlenW (lpString="et") returned 2
[0202.780] lstrlenW (lpString="et") returned 2
[0202.780] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.780] lstrlenW (lpString="XML") returned 3
[0202.780] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.780] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|et|") returned 4
[0202.780] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.780] lstrlenW (lpString="|et|") returned 4
[0202.780] lstrlenW (lpString="|XML|") returned 5
[0202.780] RtlRestoreLastWin32Error () returned 0x490
[0202.780] lstrlenW (lpString="k") returned 1
[0202.780] lstrlenW (lpString="k") returned 1
[0202.780] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.780] lstrlenW (lpString="XML") returned 3
[0202.780] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.780] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|k|") returned 3
[0202.780] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.780] lstrlenW (lpString="|k|") returned 3
[0202.780] lstrlenW (lpString="|XML|") returned 5
[0202.780] RtlRestoreLastWin32Error () returned 0x490
[0202.780] lstrlenW (lpString="du") returned 2
[0202.781] lstrlenW (lpString="du") returned 2
[0202.781] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.781] lstrlenW (lpString="XML") returned 3
[0202.781] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.781] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|du|") returned 4
[0202.781] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.781] lstrlenW (lpString="|du|") returned 4
[0202.781] lstrlenW (lpString="|XML|") returned 5
[0202.781] RtlRestoreLastWin32Error () returned 0x490
[0202.781] lstrlenW (lpString="ri") returned 2
[0202.781] lstrlenW (lpString="ri") returned 2
[0202.781] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.781] lstrlenW (lpString="XML") returned 3
[0202.781] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.781] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|ri|") returned 4
[0202.781] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.781] lstrlenW (lpString="|ri|") returned 4
[0202.781] lstrlenW (lpString="|XML|") returned 5
[0202.781] RtlRestoreLastWin32Error () returned 0x490
[0202.781] lstrlenW (lpString="z") returned 1
[0202.781] lstrlenW (lpString="z") returned 1
[0202.781] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.781] lstrlenW (lpString="XML") returned 3
[0202.781] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.781] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|z|") returned 3
[0202.781] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.782] lstrlenW (lpString="|z|") returned 3
[0202.782] lstrlenW (lpString="|XML|") returned 5
[0202.782] RtlRestoreLastWin32Error () returned 0x490
[0202.782] lstrlenW (lpString="f") returned 1
[0202.782] lstrlenW (lpString="f") returned 1
[0202.782] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.782] lstrlenW (lpString="XML") returned 3
[0202.782] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.782] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x4, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|f|") returned 3
[0202.782] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.782] lstrlenW (lpString="|f|") returned 3
[0202.782] lstrlenW (lpString="|XML|") returned 5
[0202.782] RtlRestoreLastWin32Error () returned 0x490
[0202.782] lstrlenW (lpString="v1") returned 2
[0202.782] lstrlenW (lpString="v1") returned 2
[0202.782] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.782] lstrlenW (lpString="XML") returned 3
[0202.782] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.782] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x5, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|v1|") returned 4
[0202.782] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.782] lstrlenW (lpString="|v1|") returned 4
[0202.782] lstrlenW (lpString="|XML|") returned 5
[0202.782] RtlRestoreLastWin32Error () returned 0x490
[0202.782] lstrlenW (lpString="xml") returned 3
[0202.782] lstrlenW (lpString="xml") returned 3
[0202.782] _memicmp (_Buf1=0x5b7598, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.782] lstrlenW (lpString="XML") returned 3
[0202.782] _memicmp (_Buf1=0x5b76d0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.782] _vsnwprintf (in: _Buffer=0x5b9358, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|xml|") returned 5
[0202.783] _vsnwprintf (in: _Buffer=0x5b9618, _BufferCount=0x6, _Format="|%s|", _ArgList=0xdcf48 | out: _Buffer="|XML|") returned 5
[0202.783] lstrlenW (lpString="|xml|") returned 5
[0202.783] lstrlenW (lpString="|XML|") returned 5
[0202.783] StrStrIW (lpFirst="|xml|", lpSrch="|XML|") returned="|xml|"
[0202.783] RtlRestoreLastWin32Error () returned 0x0
[0202.783] RtlRestoreLastWin32Error () returned 0x0
[0202.783] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpC2CF.tmp") returned 52
[0202.783] lstrlenW (lpString="-/") returned 2
[0202.783] StrChrIW (lpStart="-/", wMatch=0x790043) returned 0x0
[0202.783] RtlRestoreLastWin32Error () returned 0x490
[0202.783] RtlRestoreLastWin32Error () returned 0x490
[0202.783] RtlRestoreLastWin32Error () returned 0x0
[0202.783] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpC2CF.tmp") returned 52
[0202.783] StrChrIW (lpStart="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpC2CF.tmp", wMatch=0x3a) returned=":\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpC2CF.tmp"
[0202.783] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpC2CF.tmp") returned 52
[0202.783] _memicmp (_Buf1=0x5b75e0, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.783] _memicmp (_Buf1=0x5babe8, _Buf2=0xc72708, _Size=0x7) returned 0
[0202.783] RtlRestoreLastWin32Error () returned 0x7a
[0202.783] RtlRestoreLastWin32Error () returned 0x0
[0202.783] RtlRestoreLastWin32Error () returned 0x0
[0202.783] lstrlenW (lpString="C") returned 1
[0202.783] RtlRestoreLastWin32Error () returned 0x490
[0202.783] RtlRestoreLastWin32Error () returned 0x0
[0202.783] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpC2CF.tmp") returned 52
[0202.783] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpC2CF.tmp") returned 52
[0202.784] GetProcessHeap () returned 0x5b0000
[0202.784] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x6a) returned 0x5badd0
[0202.784] RtlRestoreLastWin32Error () returned 0x0
[0202.784] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpC2CF.tmp") returned 52
[0202.784] RtlRestoreLastWin32Error () returned 0x0
[0202.784] GetProcessHeap () returned 0x5b0000
[0202.784] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x1fc) returned 0x5b9da8
[0202.784] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0
[0202.792] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x1, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0
[0202.904] CoCreateInstance (in: rclsid=0xc726c0*(Data1=0xf87369f, Data2=0xa4e5, Data3=0x4cfc, Data4=([0]=0xbd, [1]=0x3e, [2]=0x73, [3]=0xe6, [4]=0x15, [5]=0x45, [6]=0x72, [7]=0xdd)), pUnkOuter=0x0, dwClsContext=0x17, riid=0xc726d0*(Data1=0x2faba4c7, Data2=0x4da9, Data3=0x4013, Data4=([0]=0x96, [1]=0x97, [2]=0x20, [3]=0xcc, [4]=0x3f, [5]=0xd4, [6]=0xf, [7]=0x85)), ppv=0xdd39c | out: ppv=0xdd39c*=0x793758) returned 0x0
[0203.581] TaskScheduler:ITaskService:Connect (This=0x793758, serverName=0xdd34c*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), user=0xdd35c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), domain=0xdd36c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), password=0xdd37c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0)) returned 0x0
[0203.641] TaskScheduler:ITaskService:GetFolder (in: This=0x793758, Path=0x0, ppFolder=0xdd464 | out: ppFolder=0xdd464*=0x793880) returned 0x0
[0203.643] CreateFileW (lpFileName="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpC2CF.tmp" (normalized: "c:\\users\\rdhj0cnfevzx\\appdata\\local\\temp\\tmpc2cf.tmp"), dwDesiredAccess=0x80000000, dwShareMode=0x5, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000080, hTemplateFile=0x0) returned 0x128
[0203.644] GetFileSizeEx (in: hFile=0x128, lpFileSize=0xdcd7c | out: lpFileSize=0xdcd7c*=1595) returned 1
[0203.644] ReadFile (in: hFile=0x128, lpBuffer=0xdcd8c, nNumberOfBytesToRead=0x2, lpNumberOfBytesRead=0xdcd88, lpOverlapped=0x0 | out: lpBuffer=0xdcd8c*, lpNumberOfBytesRead=0xdcd88*=0x2, lpOverlapped=0x0) returned 1
[0203.645] SetFilePointer (in: hFile=0x128, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0
[0203.645] malloc (_Size=0x63c) returned 0x7938d0
[0203.645] ReadFile (in: hFile=0x128, lpBuffer=0x7938d0, nNumberOfBytesToRead=0x63c, lpNumberOfBytesRead=0xdcd88, lpOverlapped=0x0 | out: lpBuffer=0x7938d0*, lpNumberOfBytesRead=0xdcd88*=0x63b, lpOverlapped=0x0) returned 1
[0203.645] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x7938d0, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 1596
[0203.645] MultiByteToWideChar (in: CodePage=0x3, dwFlags=0x0, lpMultiByteStr=0x7938d0, cbMultiByte=-1, lpWideCharStr=0x5ca77c, cchWideChar=1596 | out: lpWideCharStr="\n\n \n 2014-10-25T14:27:44.8929027\n XC64ZB\\RDhJ0CNFevzX\n \n \n \n true\n XC64ZB\\RDhJ0CNFevzX\n \n \n false\n \n \n \n \n XC64ZB\\RDhJ0CNFevzX\n InteractiveToken\n LeastPrivilege\n \n \n \n StopExisting\n false\n true\n false\n true\n false\n \n true\n false\n \n true\n true\n false\n false\n false\n PT0S\n 7\n \n \n \n C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\KHDScDG.exe\n \n \n") returned 1596
[0203.645] SysStringLen (param_1="\n\n \n 2014-10-25T14:27:44.8929027\n XC64ZB\\RDhJ0CNFevzX\n \n \n \n true\n XC64ZB\\RDhJ0CNFevzX\n \n \n false\n \n \n \n \n XC64ZB\\RDhJ0CNFevzX\n InteractiveToken\n LeastPrivilege\n \n \n \n StopExisting\n false\n true\n false\n true\n false\n \n true\n false\n \n true\n true\n false\n false\n false\n PT0S\n 7\n \n \n \n C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\KHDScDG.exe\n \n \n") returned 0x63b
[0203.645] VarBstrCat (in: bstrLeft=0x0, bstrRight="\n\n \n 2014-10-25T14:27:44.8929027\n XC64ZB\\RDhJ0CNFevzX\n \n \n \n true\n XC64ZB\\RDhJ0CNFevzX\n \n \n false\n \n \n \n \n XC64ZB\\RDhJ0CNFevzX\n InteractiveToken\n LeastPrivilege\n \n \n \n StopExisting\n false\n true\n false\n true\n false\n \n true\n false\n \n true\n true\n false\n false\n false\n PT0S\n 7\n \n \n \n C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\KHDScDG.exe\n \n \n", pbstrResult=0xdcd2c | out: pbstrResult=0xdcd2c) returned 0x0
[0203.646] free (_Block=0x7938d0)
[0203.646] CloseHandle (hObject=0x128) returned 1
[0203.647] lstrlenW (lpString="") returned 0
[0203.647] malloc (_Size=0xc) returned 0x793830
[0203.647] SysStringLen (param_1="") returned 0x0
[0203.648] free (_Block=0x793830)
[0203.648] lstrlenW (lpString="") returned 0
[0203.648] ITaskFolder:RegisterTask (in: This=0x793880, Path="Updates\\KHDScDG", XmlText="\n\n \n 2014-10-25T14:27:44.8929027\n XC64ZB\\RDhJ0CNFevzX\n \n \n \n true\n XC64ZB\\RDhJ0CNFevzX\n \n \n false\n \n \n \n \n XC64ZB\\RDhJ0CNFevzX\n InteractiveToken\n LeastPrivilege\n \n \n \n StopExisting\n false\n true\n false\n true\n false\n \n true\n false\n \n true\n true\n false\n false\n false\n PT0S\n 7\n \n \n \n C:\\Users\\RDhJ0CNFevzX\\AppData\\Roaming\\KHDScDG.exe\n \n \n", flags=2, UserId=0xdcd60*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="", varVal2=0x0), password=0xdcd70*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), LogonType=0, sddl=0xdcd84*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), ppTask=0xdcde0 | out: ppTask=0xdcde0*=0x7938d0) returned 0x0
[0205.391] GetProcessHeap () returned 0x5b0000
[0205.392] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x14) returned 0x5c2060
[0205.392] _memicmp (_Buf1=0x5b7688, _Buf2=0xc72708, _Size=0x7) returned 0
[0205.392] LoadStringW (in: hInstance=0x0, uID=0x12e, lpBuffer=0x5ba788, cchBufferMax=256 | out: lpBuffer="SUCCESS: The scheduled task \"%s\" has successfully been created.\n") returned 0x40
[0205.392] lstrlenW (lpString="SUCCESS: The scheduled task \"%s\" has successfully been created.\n") returned 64
[0205.392] GetProcessHeap () returned 0x5b0000
[0205.392] RtlAllocateHeap (HeapHandle=0x5b0000, Flags=0xc, Size=0x82) returned 0x5c92f0
[0205.392] _vsnwprintf (in: _Buffer=0xdcdf8, _BufferCount=0x1fb, _Format="SUCCESS: The scheduled task \"%s\" has successfully been created.\n", _ArgList=0xdcd94 | out: _Buffer="SUCCESS: The scheduled task \"Updates\\KHDScDG\" has successfully been created.\n") returned 77
[0205.392] __iob_func () returned 0x74ac1208
[0205.392] _fileno (_File=0x74ac1228) returned 1
[0205.392] _errno () returned 0x7905b0
[0205.392] _get_osfhandle (_FileHandle=1) returned 0x3c
[0205.392] _errno () returned 0x7905b0
[0205.392] GetFileType (hFile=0x3c) returned 0x2
[0205.392] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c
[0205.393] GetFileType (hFile=0x3c) returned 0x2
[0205.393] GetConsoleMode (in: hConsoleHandle=0x3c, lpMode=0xdcd68 | out: lpMode=0xdcd68) returned 1
[0205.471] __iob_func () returned 0x74ac1208
[0205.471] GetStdHandle (nStdHandle=0xfffffff5) returned 0x3c
[0205.471] lstrlenW (lpString="SUCCESS: The scheduled task \"Updates\\KHDScDG\" has successfully been created.\n") returned 77
[0205.471] WriteConsoleW (in: hConsoleOutput=0x3c, lpBuffer=0xdcdf8*, nNumberOfCharsToWrite=0x4d, lpNumberOfCharsWritten=0xdcd8c, lpReserved=0x0 | out: lpBuffer=0xdcdf8*, lpNumberOfCharsWritten=0xdcd8c*=0x4d) returned 1
[0205.565] IUnknown:Release (This=0x7938d0) returned 0x0
[0205.566] TaskScheduler:IUnknown:Release (This=0x793880) returned 0x0
[0205.566] TaskScheduler:IUnknown:Release (This=0x793758) returned 0x0
[0205.566] lstrlenW (lpString="") returned 0
[0205.566] lstrlenW (lpString="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpC2CF.tmp") returned 52
[0205.566] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="C:\\Users\\RDhJ0CNFevzX\\AppData\\Local\\Temp\\tmpC2CF.tmp", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53
[0205.566] GetProcessHeap () returned 0x5b0000
[0205.566] GetProcessHeap () returned 0x5b0000
[0205.566] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b9da8) returned 1
[0205.566] GetProcessHeap () returned 0x5b0000
[0205.566] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b9da8) returned 0x1fc
[0205.567] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b9da8) returned 1
[0205.567] GetProcessHeap () returned 0x5b0000
[0205.567] GetProcessHeap () returned 0x5b0000
[0205.567] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5badd0) returned 1
[0205.567] GetProcessHeap () returned 0x5b0000
[0205.567] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5badd0) returned 0x6a
[0205.567] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5badd0) returned 1
[0205.568] GetProcessHeap () returned 0x5b0000
[0205.568] GetProcessHeap () returned 0x5b0000
[0205.568] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b9538) returned 1
[0205.568] GetProcessHeap () returned 0x5b0000
[0205.568] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b9538) returned 0x16
[0205.568] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b9538) returned 1
[0205.568] GetProcessHeap () returned 0x5b0000
[0205.568] GetProcessHeap () returned 0x5b0000
[0205.568] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5baab0) returned 1
[0205.568] GetProcessHeap () returned 0x5b0000
[0205.568] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5baab0) returned 0x10
[0205.568] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5baab0) returned 1
[0205.568] GetProcessHeap () returned 0x5b0000
[0205.568] GetProcessHeap () returned 0x5b0000
[0205.568] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b9498) returned 1
[0205.568] GetProcessHeap () returned 0x5b0000
[0205.568] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b9498) returned 0x14
[0205.568] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b9498) returned 1
[0205.568] GetProcessHeap () returned 0x5b0000
[0205.568] GetProcessHeap () returned 0x5b0000
[0205.568] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b69d0) returned 1
[0205.568] GetProcessHeap () returned 0x5b0000
[0205.569] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b69d0) returned 0xa0
[0205.569] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b69d0) returned 1
[0205.569] GetProcessHeap () returned 0x5b0000
[0205.569] GetProcessHeap () returned 0x5b0000
[0205.569] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b7580) returned 1
[0205.569] GetProcessHeap () returned 0x5b0000
[0205.569] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b7580) returned 0x10
[0205.569] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b7580) returned 1
[0205.569] GetProcessHeap () returned 0x5b0000
[0205.569] GetProcessHeap () returned 0x5b0000
[0205.569] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b9458) returned 1
[0205.569] GetProcessHeap () returned 0x5b0000
[0205.569] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b9458) returned 0x14
[0205.569] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b9458) returned 1
[0205.569] GetProcessHeap () returned 0x5b0000
[0205.569] GetProcessHeap () returned 0x5b0000
[0205.569] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b70c0) returned 1
[0205.570] GetProcessHeap () returned 0x5b0000
[0205.570] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b70c0) returned 0x6e
[0205.570] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b70c0) returned 1
[0205.570] GetProcessHeap () returned 0x5b0000
[0205.570] GetProcessHeap () returned 0x5b0000
[0205.570] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5babe8) returned 1
[0205.570] GetProcessHeap () returned 0x5b0000
[0205.570] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5babe8) returned 0x10
[0205.570] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5babe8) returned 1
[0205.570] GetProcessHeap () returned 0x5b0000
[0205.570] GetProcessHeap () returned 0x5b0000
[0205.571] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b9518) returned 1
[0205.571] GetProcessHeap () returned 0x5b0000
[0205.571] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b9518) returned 0x14
[0205.571] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b9518) returned 1
[0205.571] GetProcessHeap () returned 0x5b0000
[0205.571] GetProcessHeap () returned 0x5b0000
[0205.571] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b7610) returned 1
[0205.571] GetProcessHeap () returned 0x5b0000
[0205.571] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b7610) returned 0xc
[0205.571] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b7610) returned 1
[0205.571] GetProcessHeap () returned 0x5b0000
[0205.571] GetProcessHeap () returned 0x5b0000
[0205.571] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b75e0) returned 1
[0205.571] GetProcessHeap () returned 0x5b0000
[0205.571] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b75e0) returned 0x10
[0205.571] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b75e0) returned 1
[0205.571] GetProcessHeap () returned 0x5b0000
[0205.571] GetProcessHeap () returned 0x5b0000
[0205.571] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b94b8) returned 1
[0205.571] GetProcessHeap () returned 0x5b0000
[0205.571] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b94b8) returned 0x14
[0205.571] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b94b8) returned 1
[0205.571] GetProcessHeap () returned 0x5b0000
[0205.571] GetProcessHeap () returned 0x5b0000
[0205.571] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b8cd0) returned 1
[0205.572] GetProcessHeap () returned 0x5b0000
[0205.572] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b8cd0) returned 0x208
[0205.572] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b8cd0) returned 1
[0205.572] GetProcessHeap () returned 0x5b0000
[0205.572] GetProcessHeap () returned 0x5b0000
[0205.572] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b75f8) returned 1
[0205.572] GetProcessHeap () returned 0x5b0000
[0205.572] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b75f8) returned 0x10
[0205.572] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b75f8) returned 1
[0205.572] GetProcessHeap () returned 0x5b0000
[0205.573] GetProcessHeap () returned 0x5b0000
[0205.573] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b95b8) returned 1
[0205.573] GetProcessHeap () returned 0x5b0000
[0205.573] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b95b8) returned 0x14
[0205.573] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b95b8) returned 1
[0205.573] GetProcessHeap () returned 0x5b0000
[0205.573] GetProcessHeap () returned 0x5b0000
[0205.573] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5ba788) returned 1
[0205.573] GetProcessHeap () returned 0x5b0000
[0205.573] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5ba788) returned 0x200
[0205.573] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5ba788) returned 1
[0205.573] GetProcessHeap () returned 0x5b0000
[0205.573] GetProcessHeap () returned 0x5b0000
[0205.573] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b7688) returned 1
[0205.574] GetProcessHeap () returned 0x5b0000
[0205.574] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b7688) returned 0x10
[0205.574] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b7688) returned 1
[0205.574] GetProcessHeap () returned 0x5b0000
[0205.574] GetProcessHeap () returned 0x5b0000
[0205.574] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b93b8) returned 1
[0205.574] GetProcessHeap () returned 0x5b0000
[0205.574] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b93b8) returned 0x14
[0205.574] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b93b8) returned 1
[0205.574] GetProcessHeap () returned 0x5b0000
[0205.574] GetProcessHeap () returned 0x5b0000
[0205.574] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b9618) returned 1
[0205.574] GetProcessHeap () returned 0x5b0000
[0205.574] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b9618) returned 0x14
[0205.574] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b9618) returned 1
[0205.574] GetProcessHeap () returned 0x5b0000
[0205.574] GetProcessHeap () returned 0x5b0000
[0205.574] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b76d0) returned 1
[0205.574] GetProcessHeap () returned 0x5b0000
[0205.574] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b76d0) returned 0x10
[0205.574] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b76d0) returned 1
[0205.574] GetProcessHeap () returned 0x5b0000
[0205.575] GetProcessHeap () returned 0x5b0000
[0205.575] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b2778) returned 1
[0205.575] GetProcessHeap () returned 0x5b0000
[0205.575] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b2778) returned 0x14
[0205.575] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b2778) returned 1
[0205.575] GetProcessHeap () returned 0x5b0000
[0205.575] GetProcessHeap () returned 0x5b0000
[0205.575] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b9358) returned 1
[0205.575] GetProcessHeap () returned 0x5b0000
[0205.575] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b9358) returned 0x16
[0205.575] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b9358) returned 1
[0205.575] GetProcessHeap () returned 0x5b0000
[0205.575] GetProcessHeap () returned 0x5b0000
[0205.575] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b7598) returned 1
[0205.575] GetProcessHeap () returned 0x5b0000
[0205.575] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b7598) returned 0x10
[0205.575] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b7598) returned 1
[0205.575] GetProcessHeap () returned 0x5b0000
[0205.575] GetProcessHeap () returned 0x5b0000
[0205.575] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b6608) returned 1
[0205.575] GetProcessHeap () returned 0x5b0000
[0205.575] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b6608) returned 0x14
[0205.575] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b6608) returned 1
[0205.575] GetProcessHeap () returned 0x5b0000
[0205.575] GetProcessHeap () returned 0x5b0000
[0205.576] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b0598) returned 1
[0205.576] GetProcessHeap () returned 0x5b0000
[0205.576] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b0598) returned 0x2
[0205.576] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b0598) returned 1
[0205.576] GetProcessHeap () returned 0x5b0000
[0205.576] GetProcessHeap () returned 0x5b0000
[0205.576] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b6e38) returned 1
[0205.576] GetProcessHeap () returned 0x5b0000
[0205.576] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b6e38) returned 0x14
[0205.576] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b6e38) returned 1
[0205.576] GetProcessHeap () returned 0x5b0000
[0205.576] GetProcessHeap () returned 0x5b0000
[0205.576] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b6c00) returned 1
[0205.576] GetProcessHeap () returned 0x5b0000
[0205.576] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b6c00) returned 0x14
[0205.576] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b6c00) returned 1
[0205.576] GetProcessHeap () returned 0x5b0000
[0205.576] GetProcessHeap () returned 0x5b0000
[0205.576] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b6c20) returned 1
[0205.576] GetProcessHeap () returned 0x5b0000
[0205.576] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b6c20) returned 0x14
[0205.576] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b6c20) returned 1
[0205.576] GetProcessHeap () returned 0x5b0000
[0205.576] GetProcessHeap () returned 0x5b0000
[0205.576] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b6c40) returned 1
[0205.576] GetProcessHeap () returned 0x5b0000
[0205.577] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b6c40) returned 0x14
[0205.577] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b6c40) returned 1
[0205.577] GetProcessHeap () returned 0x5b0000
[0205.577] GetProcessHeap () returned 0x5b0000
[0205.577] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b9378) returned 1
[0205.577] GetProcessHeap () returned 0x5b0000
[0205.577] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b9378) returned 0x14
[0205.577] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b9378) returned 1
[0205.577] GetProcessHeap () returned 0x5b0000
[0205.577] GetProcessHeap () returned 0x5b0000
[0205.577] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b9478) returned 1
[0205.577] GetProcessHeap () returned 0x5b0000
[0205.577] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b9478) returned 0x14
[0205.577] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b9478) returned 1
[0205.577] GetProcessHeap () returned 0x5b0000
[0205.577] GetProcessHeap () returned 0x5b0000
[0205.577] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b6a78) returned 1
[0205.577] GetProcessHeap () returned 0x5b0000
[0205.577] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b6a78) returned 0x30
[0205.578] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b6a78) returned 1
[0205.578] GetProcessHeap () returned 0x5b0000
[0205.578] GetProcessHeap () returned 0x5b0000
[0205.578] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b95f8) returned 1
[0205.578] GetProcessHeap () returned 0x5b0000
[0205.578] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b95f8) returned 0x14
[0205.578] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b95f8) returned 1
[0205.578] GetProcessHeap () returned 0x5b0000
[0205.578] GetProcessHeap () returned 0x5b0000
[0205.578] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5bad98) returned 1
[0205.578] GetProcessHeap () returned 0x5b0000
[0205.578] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5bad98) returned 0x30
[0205.578] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5bad98) returned 1
[0205.578] GetProcessHeap () returned 0x5b0000
[0205.578] GetProcessHeap () returned 0x5b0000
[0205.578] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b9558) returned 1
[0205.578] GetProcessHeap () returned 0x5b0000
[0205.578] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b9558) returned 0x14
[0205.578] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b9558) returned 1
[0205.578] GetProcessHeap () returned 0x5b0000
[0205.578] GetProcessHeap () returned 0x5b0000
[0205.578] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5c92f0) returned 1
[0205.578] GetProcessHeap () returned 0x5b0000
[0205.579] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5c92f0) returned 0x82
[0205.579] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5c92f0) returned 1
[0205.579] GetProcessHeap () returned 0x5b0000
[0205.579] GetProcessHeap () returned 0x5b0000
[0205.579] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5c2060) returned 1
[0205.579] GetProcessHeap () returned 0x5b0000
[0205.579] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5c2060) returned 0x14
[0205.579] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5c2060) returned 1
[0205.579] GetProcessHeap () returned 0x5b0000
[0205.579] GetProcessHeap () returned 0x5b0000
[0205.579] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b7718) returned 1
[0205.579] GetProcessHeap () returned 0x5b0000
[0205.579] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b7718) returned 0x10
[0205.579] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b7718) returned 1
[0205.579] GetProcessHeap () returned 0x5b0000
[0205.579] GetProcessHeap () returned 0x5b0000
[0205.579] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b6830) returned 1
[0205.579] GetProcessHeap () returned 0x5b0000
[0205.579] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b6830) returned 0x14
[0205.579] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b6830) returned 1
[0205.579] GetProcessHeap () returned 0x5b0000
[0205.580] GetProcessHeap () returned 0x5b0000
[0205.580] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b6850) returned 1
[0205.580] GetProcessHeap () returned 0x5b0000
[0205.580] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b6850) returned 0x14
[0205.580] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b6850) returned 1
[0205.580] GetProcessHeap () returned 0x5b0000
[0205.580] GetProcessHeap () returned 0x5b0000
[0205.580] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b6870) returned 1
[0205.580] GetProcessHeap () returned 0x5b0000
[0205.580] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b6870) returned 0x14
[0205.580] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b6870) returned 1
[0205.580] GetProcessHeap () returned 0x5b0000
[0205.580] GetProcessHeap () returned 0x5b0000
[0205.580] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b65c8) returned 1
[0205.580] GetProcessHeap () returned 0x5b0000
[0205.580] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b65c8) returned 0x14
[0205.580] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b65c8) returned 1
[0205.580] GetProcessHeap () returned 0x5b0000
[0205.580] GetProcessHeap () returned 0x5b0000
[0205.580] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b7568) returned 1
[0205.580] GetProcessHeap () returned 0x5b0000
[0205.580] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b7568) returned 0x10
[0205.581] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b7568) returned 1
[0205.581] GetProcessHeap () returned 0x5b0000
[0205.581] GetProcessHeap () returned 0x5b0000
[0205.581] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b65e8) returned 1
[0205.581] GetProcessHeap () returned 0x5b0000
[0205.581] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b65e8) returned 0x14
[0205.581] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b65e8) returned 1
[0205.581] GetProcessHeap () returned 0x5b0000
[0205.581] GetProcessHeap () returned 0x5b0000
[0205.581] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b2798) returned 1
[0205.581] GetProcessHeap () returned 0x5b0000
[0205.581] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b2798) returned 0x14
[0205.581] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b2798) returned 1
[0205.581] GetProcessHeap () returned 0x5b0000
[0205.581] GetProcessHeap () returned 0x5b0000
[0205.581] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b94d8) returned 1
[0205.581] GetProcessHeap () returned 0x5b0000
[0205.581] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b94d8) returned 0x14
[0205.581] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b94d8) returned 1
[0205.581] GetProcessHeap () returned 0x5b0000
[0205.581] GetProcessHeap () returned 0x5b0000
[0205.581] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b9438) returned 1
[0205.581] GetProcessHeap () returned 0x5b0000
[0205.581] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b9438) returned 0x14
[0205.581] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b9438) returned 1
[0205.581] GetProcessHeap () returned 0x5b0000
[0205.581] GetProcessHeap () returned 0x5b0000
[0205.582] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b93f8) returned 1
[0205.582] GetProcessHeap () returned 0x5b0000
[0205.582] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b93f8) returned 0x14
[0205.582] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b93f8) returned 1
[0205.628] GetProcessHeap () returned 0x5b0000
[0205.628] GetProcessHeap () returned 0x5b0000
[0205.628] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b9418) returned 1
[0205.628] GetProcessHeap () returned 0x5b0000
[0205.628] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b9418) returned 0x14
[0205.628] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b9418) returned 1
[0205.628] GetProcessHeap () returned 0x5b0000
[0205.629] GetProcessHeap () returned 0x5b0000
[0205.629] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b76b8) returned 1
[0205.629] GetProcessHeap () returned 0x5b0000
[0205.629] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b76b8) returned 0x10
[0205.629] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b76b8) returned 1
[0205.629] GetProcessHeap () returned 0x5b0000
[0205.629] GetProcessHeap () returned 0x5b0000
[0205.629] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b27b8) returned 1
[0205.629] GetProcessHeap () returned 0x5b0000
[0205.629] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b27b8) returned 0x14
[0205.629] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b27b8) returned 1
[0205.629] GetProcessHeap () returned 0x5b0000
[0205.629] GetProcessHeap () returned 0x5b0000
[0205.629] HeapValidate (hHeap=0x5b0000, dwFlags=0x0, lpMem=0x5b7700) returned 1
[0205.629] GetProcessHeap () returned 0x5b0000
[0205.629] RtlSizeHeap (HeapHandle=0x5b0000, Flags=0x0, MemoryPointer=0x5b7700) returned 0x10
[0205.629] RtlFreeHeap (HeapHandle=0x5b0000, Flags=0x0, BaseAddress=0x5b7700) returned 1
[0205.629] exit (_Code=0)
Thread:
id = 22
os_tid = 0x3ac
Process:
id = "4"
image_name = "conhost.exe"
filename = "c:\\windows\\system32\\conhost.exe"
page_root = "0x6d70d000"
os_pid = "0x1244"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "child_process"
parent_id = "2"
os_parent_pid = "0xe70"
cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
cur_dir = "C:\\Windows"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 548
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 549
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 550
start_va = 0x50000
end_va = 0x8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 551
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 552
start_va = 0x400000
end_va = 0x5fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 553
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 554
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 555
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 556
start_va = 0x7ff7625c0000
end_va = 0x7ff7625d0fff
monitored = 0
entry_point = 0x7ff7625c16b0
region_type = mapped_file
name = "conhost.exe"
filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")
Region:
id = 557
start_va = 0x7ffd504d0000
end_va = 0x7ffd50690fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 558
start_va = 0x6e0000
end_va = 0x7dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000006e0000"
filename = ""
Region:
id = 559
start_va = 0x7ffd4d670000
end_va = 0x7ffd4d857fff
monitored = 0
entry_point = 0x7ffd4d69ba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 560
start_va = 0x7ffd4e1c0000
end_va = 0x7ffd4e26cfff
monitored = 0
entry_point = 0x7ffd4e1d81a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 561
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 562
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 563
start_va = 0x90000
end_va = 0x14dfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 564
start_va = 0x7ffd4df00000
end_va = 0x7ffd4df9cfff
monitored = 0
entry_point = 0x7ffd4df078a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 565
start_va = 0x150000
end_va = 0x18ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000150000"
filename = ""
Region:
id = 566
start_va = 0x600000
end_va = 0x6dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 567
start_va = 0x20000
end_va = 0x26fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 568
start_va = 0x7ffd45030000
end_va = 0x7ffd45088fff
monitored = 0
entry_point = 0x7ffd4503fbf0
region_type = mapped_file
name = "conhostv2.dll"
filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")
Region:
id = 569
start_va = 0x190000
end_va = 0x190fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000190000"
filename = ""
Region:
id = 570
start_va = 0x7ffd4dc70000
end_va = 0x7ffd4deecfff
monitored = 0
entry_point = 0x7ffd4dd44970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 571
start_va = 0x7ffd4da60000
end_va = 0x7ffd4db7bfff
monitored = 0
entry_point = 0x7ffd4daa02b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 572
start_va = 0x7ffd4d860000
end_va = 0x7ffd4d8c9fff
monitored = 0
entry_point = 0x7ffd4d896d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 573
start_va = 0x7ffd4e9d0000
end_va = 0x7ffd4eb25fff
monitored = 0
entry_point = 0x7ffd4e9da8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 574
start_va = 0x7ffd4d8d0000
end_va = 0x7ffd4da55fff
monitored = 0
entry_point = 0x7ffd4d91ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 575
start_va = 0x1a0000
end_va = 0x1a6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001a0000"
filename = ""
Region:
id = 576
start_va = 0x7ffd50380000
end_va = 0x7ffd504c2fff
monitored = 0
entry_point = 0x7ffd503a8210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 577
start_va = 0x7ffd4e160000
end_va = 0x7ffd4e1bafff
monitored = 0
entry_point = 0x7ffd4e1738b0
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 578
start_va = 0x7ffd4e2e0000
end_va = 0x7ffd4e31afff
monitored = 0
entry_point = 0x7ffd4e2e12f0
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 579
start_va = 0x7ffd4db80000
end_va = 0x7ffd4dc40fff
monitored = 0
entry_point = 0x7ffd4dba0da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 580
start_va = 0x7ffd4b010000
end_va = 0x7ffd4b195fff
monitored = 0
entry_point = 0x7ffd4b05d700
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")
Region:
id = 591
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001b0000"
filename = ""
Region:
id = 592
start_va = 0x1c0000
end_va = 0x1c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 593
start_va = 0x7e0000
end_va = 0x967fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000007e0000"
filename = ""
Region:
id = 594
start_va = 0x970000
end_va = 0xaf0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000970000"
filename = ""
Region:
id = 595
start_va = 0xb00000
end_va = 0x1efffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000b00000"
filename = ""
Region:
id = 596
start_va = 0x1f00000
end_va = 0x205ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f00000"
filename = ""
Region:
id = 613
start_va = 0x600000
end_va = 0x63ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 614
start_va = 0x6d0000
end_va = 0x6dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000006d0000"
filename = ""
Region:
id = 615
start_va = 0x7ffd4eb30000
end_va = 0x7ffd5008efff
monitored = 0
entry_point = 0x7ffd4ec911f0
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 633
start_va = 0x7ffd4cb80000
end_va = 0x7ffd4cbc2fff
monitored = 0
entry_point = 0x7ffd4cb94b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 634
start_va = 0x7ffd4cce0000
end_va = 0x7ffd4d323fff
monitored = 0
entry_point = 0x7ffd4cea64b0
region_type = mapped_file
name = "windows.storage.dll"
filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")
Region:
id = 635
start_va = 0x7ffd4e480000
end_va = 0x7ffd4e526fff
monitored = 0
entry_point = 0x7ffd4e4958d0
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 636
start_va = 0x7ffd500f0000
end_va = 0x7ffd50141fff
monitored = 0
entry_point = 0x7ffd500ff530
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 643
start_va = 0x7ffd4cb70000
end_va = 0x7ffd4cb7efff
monitored = 0
entry_point = 0x7ffd4cb73210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 652
start_va = 0x7ffd4d5b0000
end_va = 0x7ffd4d664fff
monitored = 0
entry_point = 0x7ffd4d5f22e0
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")
Region:
id = 653
start_va = 0x7ffd4cb10000
end_va = 0x7ffd4cb5afff
monitored = 0
entry_point = 0x7ffd4cb135f0
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")
Region:
id = 654
start_va = 0x7ffd4caf0000
end_va = 0x7ffd4cb03fff
monitored = 0
entry_point = 0x7ffd4caf52e0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 655
start_va = 0x7ffd4b470000
end_va = 0x7ffd4b505fff
monitored = 0
entry_point = 0x7ffd4b495570
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 660
start_va = 0x2060000
end_va = 0x221ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002060000"
filename = ""
Region:
id = 662
start_va = 0x2220000
end_va = 0x2556fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 663
start_va = 0x1f00000
end_va = 0x1ffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f00000"
filename = ""
Region:
id = 664
start_va = 0x2050000
end_va = 0x205ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002050000"
filename = ""
Region:
id = 665
start_va = 0x2560000
end_va = 0x275ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002560000"
filename = ""
Region:
id = 672
start_va = 0x640000
end_va = 0x67ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000640000"
filename = ""
Region:
id = 673
start_va = 0x7ffd4e320000
end_va = 0x7ffd4e479fff
monitored = 0
entry_point = 0x7ffd4e3638e0
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 674
start_va = 0x50000
end_va = 0x50fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000050000"
filename = ""
Region:
id = 675
start_va = 0x2060000
end_va = 0x211bfff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002060000"
filename = ""
Region:
id = 676
start_va = 0x2210000
end_va = 0x221ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002210000"
filename = ""
Region:
id = 677
start_va = 0x50000
end_va = 0x53fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000050000"
filename = ""
Region:
id = 678
start_va = 0x7ffd4a370000
end_va = 0x7ffd4a391fff
monitored = 0
entry_point = 0x7ffd4a371a40
region_type = mapped_file
name = "dwmapi.dll"
filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")
Region:
id = 687
start_va = 0x7ffd4b200000
end_va = 0x7ffd4b212fff
monitored = 0
entry_point = 0x7ffd4b202760
region_type = mapped_file
name = "wtsapi32.dll"
filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")
Region:
id = 688
start_va = 0x7ffd4c900000
end_va = 0x7ffd4c955fff
monitored = 0
entry_point = 0x7ffd4c910bf0
region_type = mapped_file
name = "winsta.dll"
filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")
Region:
id = 689
start_va = 0x60000
end_va = 0x66fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 690
start_va = 0x70000
end_va = 0x70fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000070000"
filename = ""
Region:
id = 691
start_va = 0x80000
end_va = 0x80fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000080000"
filename = ""
Region:
id = 692
start_va = 0x1d0000
end_va = 0x1d1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001d0000"
filename = ""
Region:
id = 693
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001e0000"
filename = ""
Region:
id = 694
start_va = 0x1f0000
end_va = 0x1f4fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "user32.dll.mui"
filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")
Region:
id = 696
start_va = 0x680000
end_va = 0x680fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "conhostv2.dll.mui"
filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")
Region:
id = 706
start_va = 0x690000
end_va = 0x691fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000690000"
filename = ""
Region:
id = 707
start_va = 0x7ffd43ba0000
end_va = 0x7ffd43e13fff
monitored = 0
entry_point = 0x7ffd43c10400
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")
Region:
id = 708
start_va = 0x6a0000
end_va = 0x6a0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "windowsshell.manifest"
filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")
Region:
id = 709
start_va = 0x6b0000
end_va = 0x6b1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000006b0000"
filename = ""
Thread:
id = 14
os_tid = 0x120c
Thread:
id = 15
os_tid = 0xde0
Thread:
id = 17
os_tid = 0x1260
Thread:
id = 20
os_tid = 0x1330
Process:
id = "5"
image_name = "conhost.exe"
filename = "c:\\windows\\system32\\conhost.exe"
page_root = "0x5a613000"
os_pid = "0xcbc"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "child_process"
parent_id = "3"
os_parent_pid = "0xefc"
cmd_line = "\\??\\C:\\Windows\\system32\\conhost.exe 0xffffffff -ForceV1"
cur_dir = "C:\\Windows"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 597
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 598
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 599
start_va = 0x50000
end_va = 0x8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 600
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 601
start_va = 0x400000
end_va = 0x5fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 602
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 603
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 604
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 605
start_va = 0x7ff7625c0000
end_va = 0x7ff7625d0fff
monitored = 0
entry_point = 0x7ff7625c16b0
region_type = mapped_file
name = "conhost.exe"
filename = "\\Windows\\System32\\conhost.exe" (normalized: "c:\\windows\\system32\\conhost.exe")
Region:
id = 606
start_va = 0x7ffd504d0000
end_va = 0x7ffd50690fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 607
start_va = 0x730000
end_va = 0x82ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000730000"
filename = ""
Region:
id = 608
start_va = 0x7ffd4d670000
end_va = 0x7ffd4d857fff
monitored = 0
entry_point = 0x7ffd4d69ba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 609
start_va = 0x7ffd4e1c0000
end_va = 0x7ffd4e26cfff
monitored = 0
entry_point = 0x7ffd4e1d81a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 610
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 611
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 612
start_va = 0x90000
end_va = 0x14dfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 616
start_va = 0x7ffd4df00000
end_va = 0x7ffd4df9cfff
monitored = 0
entry_point = 0x7ffd4df078a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 617
start_va = 0x150000
end_va = 0x18ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000150000"
filename = ""
Region:
id = 618
start_va = 0x20000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 619
start_va = 0x190000
end_va = 0x196fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000190000"
filename = ""
Region:
id = 620
start_va = 0x7ffd45030000
end_va = 0x7ffd45088fff
monitored = 0
entry_point = 0x7ffd4503fbf0
region_type = mapped_file
name = "conhostv2.dll"
filename = "\\Windows\\System32\\ConhostV2.dll" (normalized: "c:\\windows\\system32\\conhostv2.dll")
Region:
id = 621
start_va = 0x1a0000
end_va = 0x1a0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001a0000"
filename = ""
Region:
id = 622
start_va = 0x7ffd4dc70000
end_va = 0x7ffd4deecfff
monitored = 0
entry_point = 0x7ffd4dd44970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 623
start_va = 0x7ffd4da60000
end_va = 0x7ffd4db7bfff
monitored = 0
entry_point = 0x7ffd4daa02b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 624
start_va = 0x7ffd4d860000
end_va = 0x7ffd4d8c9fff
monitored = 0
entry_point = 0x7ffd4d896d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 625
start_va = 0x7ffd4e9d0000
end_va = 0x7ffd4eb25fff
monitored = 0
entry_point = 0x7ffd4e9da8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 626
start_va = 0x7ffd4d8d0000
end_va = 0x7ffd4da55fff
monitored = 0
entry_point = 0x7ffd4d91ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 627
start_va = 0x1b0000
end_va = 0x1b6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001b0000"
filename = ""
Region:
id = 628
start_va = 0x7ffd50380000
end_va = 0x7ffd504c2fff
monitored = 0
entry_point = 0x7ffd503a8210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 629
start_va = 0x7ffd4e160000
end_va = 0x7ffd4e1bafff
monitored = 0
entry_point = 0x7ffd4e1738b0
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 630
start_va = 0x7ffd4e2e0000
end_va = 0x7ffd4e31afff
monitored = 0
entry_point = 0x7ffd4e2e12f0
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 631
start_va = 0x7ffd4db80000
end_va = 0x7ffd4dc40fff
monitored = 0
entry_point = 0x7ffd4dba0da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 632
start_va = 0x7ffd4b010000
end_va = 0x7ffd4b195fff
monitored = 0
entry_point = 0x7ffd4b05d700
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")
Region:
id = 637
start_va = 0x1c0000
end_va = 0x1c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 638
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 639
start_va = 0x830000
end_va = 0x9b7fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000830000"
filename = ""
Region:
id = 640
start_va = 0x9c0000
end_va = 0xb40fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000009c0000"
filename = ""
Region:
id = 641
start_va = 0xb50000
end_va = 0x1f4ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000b50000"
filename = ""
Region:
id = 642
start_va = 0x1f50000
end_va = 0x20fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f50000"
filename = ""
Region:
id = 644
start_va = 0x600000
end_va = 0x63ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 645
start_va = 0x7ffd4eb30000
end_va = 0x7ffd5008efff
monitored = 0
entry_point = 0x7ffd4ec911f0
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 646
start_va = 0x7ffd4cb80000
end_va = 0x7ffd4cbc2fff
monitored = 0
entry_point = 0x7ffd4cb94b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 647
start_va = 0x7ffd4cce0000
end_va = 0x7ffd4d323fff
monitored = 0
entry_point = 0x7ffd4cea64b0
region_type = mapped_file
name = "windows.storage.dll"
filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")
Region:
id = 648
start_va = 0x7ffd4e480000
end_va = 0x7ffd4e526fff
monitored = 0
entry_point = 0x7ffd4e4958d0
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 649
start_va = 0x7ffd500f0000
end_va = 0x7ffd50141fff
monitored = 0
entry_point = 0x7ffd500ff530
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 650
start_va = 0x7ffd4cb70000
end_va = 0x7ffd4cb7efff
monitored = 0
entry_point = 0x7ffd4cb73210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 651
start_va = 0x7ffd4d5b0000
end_va = 0x7ffd4d664fff
monitored = 0
entry_point = 0x7ffd4d5f22e0
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")
Region:
id = 656
start_va = 0x7ffd4cb10000
end_va = 0x7ffd4cb5afff
monitored = 0
entry_point = 0x7ffd4cb135f0
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")
Region:
id = 657
start_va = 0x7ffd4caf0000
end_va = 0x7ffd4cb03fff
monitored = 0
entry_point = 0x7ffd4caf52e0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 658
start_va = 0x7ffd4b470000
end_va = 0x7ffd4b505fff
monitored = 0
entry_point = 0x7ffd4b495570
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 659
start_va = 0x50000
end_va = 0x8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 661
start_va = 0x2100000
end_va = 0x2436fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 666
start_va = 0x2440000
end_va = 0x2653fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002440000"
filename = ""
Region:
id = 667
start_va = 0x2660000
end_va = 0x287efff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002660000"
filename = ""
Region:
id = 668
start_va = 0x1f50000
end_va = 0x2064fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f50000"
filename = ""
Region:
id = 669
start_va = 0x20f0000
end_va = 0x20fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000020f0000"
filename = ""
Region:
id = 670
start_va = 0x2880000
end_va = 0x2a9bfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002880000"
filename = ""
Region:
id = 671
start_va = 0x2aa0000
end_va = 0x2bb1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002aa0000"
filename = ""
Region:
id = 679
start_va = 0x640000
end_va = 0x67ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000640000"
filename = ""
Region:
id = 680
start_va = 0x7ffd4e320000
end_va = 0x7ffd4e479fff
monitored = 0
entry_point = 0x7ffd4e3638e0
region_type = mapped_file
name = "msctf.dll"
filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll")
Region:
id = 681
start_va = 0x50000
end_va = 0x50fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000050000"
filename = ""
Region:
id = 682
start_va = 0x80000
end_va = 0x8ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000080000"
filename = ""
Region:
id = 683
start_va = 0x2bc0000
end_va = 0x2c7bfff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002bc0000"
filename = ""
Region:
id = 684
start_va = 0x50000
end_va = 0x53fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000050000"
filename = ""
Region:
id = 685
start_va = 0x7ffd4a370000
end_va = 0x7ffd4a391fff
monitored = 0
entry_point = 0x7ffd4a371a40
region_type = mapped_file
name = "dwmapi.dll"
filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll")
Region:
id = 686
start_va = 0x7ffd4b200000
end_va = 0x7ffd4b212fff
monitored = 0
entry_point = 0x7ffd4b202760
region_type = mapped_file
name = "wtsapi32.dll"
filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")
Region:
id = 695
start_va = 0x7ffd4c900000
end_va = 0x7ffd4c955fff
monitored = 0
entry_point = 0x7ffd4c910bf0
region_type = mapped_file
name = "winsta.dll"
filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")
Region:
id = 697
start_va = 0x60000
end_va = 0x66fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 698
start_va = 0x70000
end_va = 0x70fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000070000"
filename = ""
Region:
id = 699
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001e0000"
filename = ""
Region:
id = 700
start_va = 0x1f0000
end_va = 0x1f1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001f0000"
filename = ""
Region:
id = 701
start_va = 0x680000
end_va = 0x680fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000680000"
filename = ""
Region:
id = 702
start_va = 0x690000
end_va = 0x694fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "user32.dll.mui"
filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui")
Region:
id = 703
start_va = 0x6a0000
end_va = 0x6a0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "conhostv2.dll.mui"
filename = "\\Windows\\System32\\en-US\\ConhostV2.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\conhostv2.dll.mui")
Region:
id = 704
start_va = 0x6b0000
end_va = 0x6b1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000006b0000"
filename = ""
Region:
id = 705
start_va = 0x7ffd43ba0000
end_va = 0x7ffd43e13fff
monitored = 0
entry_point = 0x7ffd43c10400
region_type = mapped_file
name = "comctl32.dll"
filename = "\\Windows\\WinSxS\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\\comctl32.dll")
Region:
id = 710
start_va = 0x6c0000
end_va = 0x6c0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "windowsshell.manifest"
filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest")
Region:
id = 711
start_va = 0x6d0000
end_va = 0x6d1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000006d0000"
filename = ""
Thread:
id = 16
os_tid = 0x324
Thread:
id = 18
os_tid = 0xe38
Thread:
id = 19
os_tid = 0xe6c
Thread:
id = 21
os_tid = 0xa54
Process:
id = "6"
image_name = "svchost.exe"
filename = "c:\\windows\\system32\\svchost.exe"
page_root = "0x76459000"
os_pid = "0x35c"
os_integrity_level = "0x4000"
os_privileges = "0xe60b1e890"
monitor_reason = "created_scheduled_job"
parent_id = "3"
os_parent_pid = "0x214"
cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs"
cur_dir = "C:\\Windows\\system32\\"
os_username = "NT AUTHORITY\\SYSTEM"
bitness = "32"
os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000a860" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe]
Region:
id = 773
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 774
start_va = 0x20000
end_va = 0x21fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 775
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 776
start_va = 0x50000
end_va = 0xcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 777
start_va = 0xd0000
end_va = 0xd3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000d0000"
filename = ""
Region:
id = 778
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 779
start_va = 0xf0000
end_va = 0xf1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 780
start_va = 0x100000
end_va = 0x1bdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 781
start_va = 0x1c0000
end_va = 0x1c0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001c0000"
filename = ""
Region:
id = 782
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 783
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001e0000"
filename = ""
Region:
id = 784
start_va = 0x1f0000
end_va = 0x1f0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001f0000"
filename = ""
Region:
id = 785
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 786
start_va = 0x400000
end_va = 0x400fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 787
start_va = 0x410000
end_va = 0x410fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000410000"
filename = ""
Region:
id = 788
start_va = 0x420000
end_va = 0x421fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "dosvc.dll.mui"
filename = "\\Windows\\System32\\en-US\\dosvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\dosvc.dll.mui")
Region:
id = 789
start_va = 0x430000
end_va = 0x431fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000430000"
filename = ""
Region:
id = 790
start_va = 0x440000
end_va = 0x440fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "usocore.dll.mui"
filename = "\\Windows\\System32\\en-US\\usocore.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\usocore.dll.mui")
Region:
id = 791
start_va = 0x460000
end_va = 0x470fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1256.nls"
filename = "\\Windows\\System32\\C_1256.NLS" (normalized: "c:\\windows\\system32\\c_1256.nls")
Region:
id = 792
start_va = 0x480000
end_va = 0x53ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000480000"
filename = ""
Region:
id = 793
start_va = 0x540000
end_va = 0x546fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000540000"
filename = ""
Region:
id = 794
start_va = 0x550000
end_va = 0x550fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000550000"
filename = ""
Region:
id = 795
start_va = 0x560000
end_va = 0x5dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000560000"
filename = ""
Region:
id = 796
start_va = 0x5e0000
end_va = 0x5e1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000005e0000"
filename = ""
Region:
id = 797
start_va = 0x600000
end_va = 0x6fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 798
start_va = 0x700000
end_va = 0x887fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000700000"
filename = ""
Region:
id = 799
start_va = 0x890000
end_va = 0x890fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000890000"
filename = ""
Region:
id = 800
start_va = 0x8a0000
end_va = 0x8a0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008a0000"
filename = ""
Region:
id = 801
start_va = 0x8b0000
end_va = 0x8b1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008b0000"
filename = ""
Region:
id = 802
start_va = 0x8c0000
end_va = 0x8c0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000008c0000"
filename = ""
Region:
id = 803
start_va = 0x8d0000
end_va = 0x8d3fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 804
start_va = 0x8e0000
end_va = 0x8e3fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 805
start_va = 0x8f0000
end_va = 0x8f6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000008f0000"
filename = ""
Region:
id = 806
start_va = 0x900000
end_va = 0x9fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000900000"
filename = ""
Region:
id = 807
start_va = 0xa00000
end_va = 0xb80fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000a00000"
filename = ""
Region:
id = 808
start_va = 0xb90000
end_va = 0xf8afff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000b90000"
filename = ""
Region:
id = 809
start_va = 0xf90000
end_va = 0x100ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000f90000"
filename = ""
Region:
id = 810
start_va = 0x1010000
end_va = 0x1054fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000005.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db")
Region:
id = 811
start_va = 0x1070000
end_va = 0x1076fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001070000"
filename = ""
Region:
id = 812
start_va = 0x1090000
end_va = 0x1096fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001090000"
filename = ""
Region:
id = 813
start_va = 0x1100000
end_va = 0x11fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001100000"
filename = ""
Region:
id = 814
start_va = 0x1200000
end_va = 0x127ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001200000"
filename = ""
Region:
id = 815
start_va = 0x1280000
end_va = 0x1290fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1251.nls"
filename = "\\Windows\\System32\\C_1251.NLS" (normalized: "c:\\windows\\system32\\c_1251.nls")
Region:
id = 816
start_va = 0x12b0000
end_va = 0x12b6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000012b0000"
filename = ""
Region:
id = 817
start_va = 0x12c0000
end_va = 0x12d0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1254.nls"
filename = "\\Windows\\System32\\C_1254.NLS" (normalized: "c:\\windows\\system32\\c_1254.nls")
Region:
id = 818
start_va = 0x12e0000
end_va = 0x12f0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1250.nls"
filename = "\\Windows\\System32\\C_1250.NLS" (normalized: "c:\\windows\\system32\\c_1250.nls")
Region:
id = 819
start_va = 0x1300000
end_va = 0x13fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001300000"
filename = ""
Region:
id = 820
start_va = 0x1400000
end_va = 0x1736fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 821
start_va = 0x1740000
end_va = 0x183ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001740000"
filename = ""
Region:
id = 822
start_va = 0x1840000
end_va = 0x193ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001840000"
filename = ""
Region:
id = 823
start_va = 0x1940000
end_va = 0x19bffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001940000"
filename = ""
Region:
id = 824
start_va = 0x19c0000
end_va = 0x19d0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1253.nls"
filename = "\\Windows\\System32\\C_1253.NLS" (normalized: "c:\\windows\\system32\\c_1253.nls")
Region:
id = 825
start_va = 0x19e0000
end_va = 0x19f0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1257.nls"
filename = "\\Windows\\System32\\C_1257.NLS" (normalized: "c:\\windows\\system32\\c_1257.nls")
Region:
id = 826
start_va = 0x1a00000
end_va = 0x1afffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001a00000"
filename = ""
Region:
id = 827
start_va = 0x1b00000
end_va = 0x1bfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001b00000"
filename = ""
Region:
id = 828
start_va = 0x1c00000
end_va = 0x1cfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001c00000"
filename = ""
Region:
id = 829
start_va = 0x1d00000
end_va = 0x1dfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001d00000"
filename = ""
Region:
id = 830
start_va = 0x1e00000
end_va = 0x1efffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001e00000"
filename = ""
Region:
id = 831
start_va = 0x1f00000
end_va = 0x1ffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f00000"
filename = ""
Region:
id = 832
start_va = 0x2000000
end_va = 0x20fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002000000"
filename = ""
Region:
id = 833
start_va = 0x2100000
end_va = 0x21fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002100000"
filename = ""
Region:
id = 834
start_va = 0x2200000
end_va = 0x227ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002200000"
filename = ""
Region:
id = 835
start_va = 0x2280000
end_va = 0x2290fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1255.nls"
filename = "\\Windows\\System32\\C_1255.NLS" (normalized: "c:\\windows\\system32\\c_1255.nls")
Region:
id = 836
start_va = 0x22a0000
end_va = 0x22c7fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_932.nls"
filename = "\\Windows\\System32\\C_932.NLS" (normalized: "c:\\windows\\system32\\c_932.nls")
Region:
id = 837
start_va = 0x22d0000
end_va = 0x22e0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_874.nls"
filename = "\\Windows\\System32\\C_874.NLS" (normalized: "c:\\windows\\system32\\c_874.nls")
Region:
id = 838
start_va = 0x2300000
end_va = 0x23fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002300000"
filename = ""
Region:
id = 839
start_va = 0x2400000
end_va = 0x24fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002400000"
filename = ""
Region:
id = 840
start_va = 0x2500000
end_va = 0x25dffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui")
Region:
id = 841
start_va = 0x25e0000
end_va = 0x25f0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_1258.nls"
filename = "\\Windows\\System32\\C_1258.NLS" (normalized: "c:\\windows\\system32\\c_1258.nls")
Region:
id = 842
start_va = 0x2600000
end_va = 0x26fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002600000"
filename = ""
Region:
id = 843
start_va = 0x2700000
end_va = 0x27fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002700000"
filename = ""
Region:
id = 844
start_va = 0x2800000
end_va = 0x28fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002800000"
filename = ""
Region:
id = 845
start_va = 0x2900000
end_va = 0x29fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002900000"
filename = ""
Region:
id = 846
start_va = 0x2a00000
end_va = 0x2afffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a00000"
filename = ""
Region:
id = 847
start_va = 0x2b00000
end_va = 0x2bfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002b00000"
filename = ""
Region:
id = 848
start_va = 0x2c00000
end_va = 0x2cfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002c00000"
filename = ""
Region:
id = 849
start_va = 0x2d00000
end_va = 0x2dfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002d00000"
filename = ""
Region:
id = 850
start_va = 0x2e00000
end_va = 0x2e8dfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db")
Region:
id = 851
start_va = 0x2e90000
end_va = 0x2f0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002e90000"
filename = ""
Region:
id = 852
start_va = 0x2f10000
end_va = 0x2f5efff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000002f10000"
filename = ""
Region:
id = 853
start_va = 0x3190000
end_va = 0x320ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003190000"
filename = ""
Region:
id = 854
start_va = 0x3240000
end_va = 0x3246fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003240000"
filename = ""
Region:
id = 855
start_va = 0x3250000
end_va = 0x3280fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_949.nls"
filename = "\\Windows\\System32\\C_949.NLS" (normalized: "c:\\windows\\system32\\c_949.nls")
Region:
id = 856
start_va = 0x32a0000
end_va = 0x32d0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_936.nls"
filename = "\\Windows\\System32\\C_936.NLS" (normalized: "c:\\windows\\system32\\c_936.nls")
Region:
id = 857
start_va = 0x3400000
end_va = 0x34fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003400000"
filename = ""
Region:
id = 858
start_va = 0x3500000
end_va = 0x35fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003500000"
filename = ""
Region:
id = 859
start_va = 0x3600000
end_va = 0x367ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003600000"
filename = ""
Region:
id = 860
start_va = 0x3680000
end_va = 0x36b0fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "c_950.nls"
filename = "\\Windows\\System32\\C_950.NLS" (normalized: "c:\\windows\\system32\\c_950.nls")
Region:
id = 861
start_va = 0x3700000
end_va = 0x37fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003700000"
filename = ""
Region:
id = 862
start_va = 0x3800000
end_va = 0x38fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003800000"
filename = ""
Region:
id = 863
start_va = 0x3900000
end_va = 0x39fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003900000"
filename = ""
Region:
id = 864
start_va = 0x3a00000
end_va = 0x3afffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003a00000"
filename = ""
Region:
id = 865
start_va = 0x3b00000
end_va = 0x3bfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003b00000"
filename = ""
Region:
id = 866
start_va = 0x3c00000
end_va = 0x3cfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003c00000"
filename = ""
Region:
id = 867
start_va = 0x3d00000
end_va = 0x3dfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003d00000"
filename = ""
Region:
id = 868
start_va = 0x3e00000
end_va = 0x3efffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003e00000"
filename = ""
Region:
id = 869
start_va = 0x3f00000
end_va = 0x3ffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003f00000"
filename = ""
Region:
id = 870
start_va = 0x4000000
end_va = 0x40fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004000000"
filename = ""
Region:
id = 871
start_va = 0x4100000
end_va = 0x41fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004100000"
filename = ""
Region:
id = 872
start_va = 0x4200000
end_va = 0x42fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004200000"
filename = ""
Region:
id = 873
start_va = 0x4300000
end_va = 0x43fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004300000"
filename = ""
Region:
id = 874
start_va = 0x4400000
end_va = 0x44fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004400000"
filename = ""
Region:
id = 875
start_va = 0x4500000
end_va = 0x45fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004500000"
filename = ""
Region:
id = 876
start_va = 0x4600000
end_va = 0x46fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004600000"
filename = ""
Region:
id = 877
start_va = 0x4700000
end_va = 0x47fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004700000"
filename = ""
Region:
id = 878
start_va = 0x4900000
end_va = 0x497ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004900000"
filename = ""
Region:
id = 879
start_va = 0x4990000
end_va = 0x4a0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004990000"
filename = ""
Region:
id = 880
start_va = 0x4a20000
end_va = 0x4a9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004a20000"
filename = ""
Region:
id = 881
start_va = 0x4aa0000
end_va = 0x4aa1fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "activeds.dll.mui"
filename = "\\Windows\\System32\\en-US\\activeds.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\activeds.dll.mui")
Region:
id = 882
start_va = 0x4ac0000
end_va = 0x4ac0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000004ac0000"
filename = ""
Region:
id = 883
start_va = 0x4ad0000
end_va = 0x4b4ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004ad0000"
filename = ""
Region:
id = 884
start_va = 0x4b90000
end_va = 0x4b96fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004b90000"
filename = ""
Region:
id = 885
start_va = 0x4e00000
end_va = 0x4efffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004e00000"
filename = ""
Region:
id = 886
start_va = 0x4f00000
end_va = 0x4ffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004f00000"
filename = ""
Region:
id = 887
start_va = 0x5100000
end_va = 0x51fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005100000"
filename = ""
Region:
id = 888
start_va = 0x5200000
end_va = 0x52fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005200000"
filename = ""
Region:
id = 889
start_va = 0x5400000
end_va = 0x54fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005400000"
filename = ""
Region:
id = 890
start_va = 0x5620000
end_va = 0x5624fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "winnlsres.dll"
filename = "\\Windows\\System32\\winnlsres.dll" (normalized: "c:\\windows\\system32\\winnlsres.dll")
Region:
id = 891
start_va = 0x5630000
end_va = 0x563ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "winnlsres.dll.mui"
filename = "\\Windows\\System32\\en-US\\winnlsres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winnlsres.dll.mui")
Region:
id = 892
start_va = 0x5650000
end_va = 0x5656fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005650000"
filename = ""
Region:
id = 893
start_va = 0x5660000
end_va = 0x575ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005660000"
filename = ""
Region:
id = 894
start_va = 0x5760000
end_va = 0x585ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005760000"
filename = ""
Region:
id = 895
start_va = 0x5860000
end_va = 0x58dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005860000"
filename = ""
Region:
id = 896
start_va = 0x5900000
end_va = 0x59fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005900000"
filename = ""
Region:
id = 897
start_va = 0x5a80000
end_va = 0x5b7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005a80000"
filename = ""
Region:
id = 898
start_va = 0x5b80000
end_va = 0x5c7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005b80000"
filename = ""
Region:
id = 899
start_va = 0x5d00000
end_va = 0x5dfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005d00000"
filename = ""
Region:
id = 900
start_va = 0x5e00000
end_va = 0x5efffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005e00000"
filename = ""
Region:
id = 901
start_va = 0x5f00000
end_va = 0x5ffffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000005f00000"
filename = ""
Region:
id = 902
start_va = 0x6090000
end_va = 0x6096fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006090000"
filename = ""
Region:
id = 903
start_va = 0x6100000
end_va = 0x61fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006100000"
filename = ""
Region:
id = 904
start_va = 0x6200000
end_va = 0x62fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006200000"
filename = ""
Region:
id = 905
start_va = 0x6300000
end_va = 0x63fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006300000"
filename = ""
Region:
id = 906
start_va = 0x6700000
end_va = 0x67fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006700000"
filename = ""
Region:
id = 907
start_va = 0x6800000
end_va = 0x68fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006800000"
filename = ""
Region:
id = 908
start_va = 0x6a00000
end_va = 0x6afffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006a00000"
filename = ""
Region:
id = 909
start_va = 0x6b00000
end_va = 0x6bfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006b00000"
filename = ""
Region:
id = 910
start_va = 0x6c00000
end_va = 0x6cfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006c00000"
filename = ""
Region:
id = 911
start_va = 0x6e00000
end_va = 0x6efffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000006e00000"
filename = ""
Region:
id = 912
start_va = 0x70a0000
end_va = 0x70a6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000070a0000"
filename = ""
Region:
id = 913
start_va = 0x7100000
end_va = 0x71fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007100000"
filename = ""
Region:
id = 914
start_va = 0x7310000
end_va = 0x740ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007310000"
filename = ""
Region:
id = 915
start_va = 0x7510000
end_va = 0x760ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007510000"
filename = ""
Region:
id = 916
start_va = 0x7700000
end_va = 0x77fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007700000"
filename = ""
Region:
id = 917
start_va = 0x7810000
end_va = 0x790ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007810000"
filename = ""
Region:
id = 918
start_va = 0x7910000
end_va = 0x7a0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007910000"
filename = ""
Region:
id = 919
start_va = 0x7b00000
end_va = 0x7bfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007b00000"
filename = ""
Region:
id = 920
start_va = 0x7c10000
end_va = 0x7d0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007c10000"
filename = ""
Region:
id = 921
start_va = 0x7e00000
end_va = 0x7efffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007e00000"
filename = ""
Region:
id = 922
start_va = 0x7f00000
end_va = 0x7ffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000007f00000"
filename = ""
Region:
id = 923
start_va = 0x8210000
end_va = 0x830ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008210000"
filename = ""
Region:
id = 924
start_va = 0x8310000
end_va = 0x840ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008310000"
filename = ""
Region:
id = 925
start_va = 0x8410000
end_va = 0x850ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008410000"
filename = ""
Region:
id = 926
start_va = 0x8510000
end_va = 0x860ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008510000"
filename = ""
Region:
id = 927
start_va = 0x8610000
end_va = 0x870ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008610000"
filename = ""
Region:
id = 928
start_va = 0x8710000
end_va = 0x880ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008710000"
filename = ""
Region:
id = 929
start_va = 0x8910000
end_va = 0x8a0ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008910000"
filename = ""
Region:
id = 930
start_va = 0x8b00000
end_va = 0x8bfffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000008b00000"
filename = ""
Region:
id = 931
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 932
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 933
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 934
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 935
start_va = 0x7ff661bf0000
end_va = 0x7ff661bfcfff
monitored = 0
entry_point = 0x7ff661bf3980
region_type = mapped_file
name = "svchost.exe"
filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")
Region:
id = 936
start_va = 0x7ffd33f40000
end_va = 0x7ffd341effff
monitored = 0
entry_point = 0x7ffd33f41cf0
region_type = mapped_file
name = "netshell.dll"
filename = "\\Windows\\System32\\netshell.dll" (normalized: "c:\\windows\\system32\\netshell.dll")
Region:
id = 937
start_va = 0x7ffd342e0000
end_va = 0x7ffd342e7fff
monitored = 0
entry_point = 0x7ffd342e13b0
region_type = mapped_file
name = "dmiso8601utils.dll"
filename = "\\Windows\\System32\\dmiso8601utils.dll" (normalized: "c:\\windows\\system32\\dmiso8601utils.dll")
Region:
id = 938
start_va = 0x7ffd34520000
end_va = 0x7ffd34536fff
monitored = 0
entry_point = 0x7ffd34527520
region_type = mapped_file
name = "usoapi.dll"
filename = "\\Windows\\System32\\usoapi.dll" (normalized: "c:\\windows\\system32\\usoapi.dll")
Region:
id = 939
start_va = 0x7ffd345b0000
end_va = 0x7ffd345f3fff
monitored = 0
entry_point = 0x7ffd345d83e0
region_type = mapped_file
name = "updatehandlers.dll"
filename = "\\Windows\\System32\\updatehandlers.dll" (normalized: "c:\\windows\\system32\\updatehandlers.dll")
Region:
id = 940
start_va = 0x7ffd347c0000
end_va = 0x7ffd347fefff
monitored = 0
entry_point = 0x7ffd347e82d0
region_type = mapped_file
name = "tcpipcfg.dll"
filename = "\\Windows\\System32\\tcpipcfg.dll" (normalized: "c:\\windows\\system32\\tcpipcfg.dll")
Region:
id = 941
start_va = 0x7ffd34800000
end_va = 0x7ffd34817fff
monitored = 0
entry_point = 0x7ffd3480b850
region_type = mapped_file
name = "dmcmnutils.dll"
filename = "\\Windows\\System32\\dmcmnutils.dll" (normalized: "c:\\windows\\system32\\dmcmnutils.dll")
Region:
id = 942
start_va = 0x7ffd34820000
end_va = 0x7ffd3487cfff
monitored = 0
entry_point = 0x7ffd3484e510
region_type = mapped_file
name = "usocore.dll"
filename = "\\Windows\\System32\\usocore.dll" (normalized: "c:\\windows\\system32\\usocore.dll")
Region:
id = 943
start_va = 0x7ffd35630000
end_va = 0x7ffd35647fff
monitored = 0
entry_point = 0x7ffd35631b10
region_type = mapped_file
name = "locationframeworkinternalps.dll"
filename = "\\Windows\\System32\\LocationFrameworkInternalPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkinternalps.dll")
Region:
id = 944
start_va = 0x7ffd357e0000
end_va = 0x7ffd35825fff
monitored = 0
entry_point = 0x7ffd357e79a0
region_type = mapped_file
name = "adsldp.dll"
filename = "\\Windows\\System32\\adsldp.dll" (normalized: "c:\\windows\\system32\\adsldp.dll")
Region:
id = 945
start_va = 0x7ffd35830000
end_va = 0x7ffd35841fff
monitored = 0
entry_point = 0x7ffd35831a80
region_type = mapped_file
name = "bitsproxy.dll"
filename = "\\Windows\\System32\\BitsProxy.dll" (normalized: "c:\\windows\\system32\\bitsproxy.dll")
Region:
id = 946
start_va = 0x7ffd35e10000
end_va = 0x7ffd35e41fff
monitored = 0
entry_point = 0x7ffd35e1b0c0
region_type = mapped_file
name = "shacct.dll"
filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll")
Region:
id = 947
start_va = 0x7ffd363e0000
end_va = 0x7ffd364eefff
monitored = 0
entry_point = 0x7ffd3641c010
region_type = mapped_file
name = "dosvc.dll"
filename = "\\Windows\\System32\\dosvc.dll" (normalized: "c:\\windows\\system32\\dosvc.dll")
Region:
id = 948
start_va = 0x7ffd368f0000
end_va = 0x7ffd36956fff
monitored = 0
entry_point = 0x7ffd368fb160
region_type = mapped_file
name = "upnp.dll"
filename = "\\Windows\\System32\\upnp.dll" (normalized: "c:\\windows\\system32\\upnp.dll")
Region:
id = 949
start_va = 0x7ffd36960000
end_va = 0x7ffd36a7cfff
monitored = 0
entry_point = 0x7ffd3698fe60
region_type = mapped_file
name = "qmgr.dll"
filename = "\\Windows\\System32\\qmgr.dll" (normalized: "c:\\windows\\system32\\qmgr.dll")
Region:
id = 950
start_va = 0x7ffd38070000
end_va = 0x7ffd3808cfff
monitored = 0
entry_point = 0x7ffd38074f60
region_type = mapped_file
name = "appinfo.dll"
filename = "\\Windows\\System32\\appinfo.dll" (normalized: "c:\\windows\\system32\\appinfo.dll")
Region:
id = 951
start_va = 0x7ffd3af10000
end_va = 0x7ffd3af45fff
monitored = 0
entry_point = 0x7ffd3af127f0
region_type = mapped_file
name = "windows.networking.hostname.dll"
filename = "\\Windows\\System32\\Windows.Networking.HostName.dll" (normalized: "c:\\windows\\system32\\windows.networking.hostname.dll")
Region:
id = 952
start_va = 0x7ffd3c980000
end_va = 0x7ffd3c990fff
monitored = 0
entry_point = 0x7ffd3c987480
region_type = mapped_file
name = "tetheringclient.dll"
filename = "\\Windows\\System32\\tetheringclient.dll" (normalized: "c:\\windows\\system32\\tetheringclient.dll")
Region:
id = 953
start_va = 0x7ffd3c9a0000
end_va = 0x7ffd3ca23fff
monitored = 0
entry_point = 0x7ffd3c9b8d50
region_type = mapped_file
name = "wbemess.dll"
filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll")
Region:
id = 954
start_va = 0x7ffd3ca30000
end_va = 0x7ffd3ca45fff
monitored = 0
entry_point = 0x7ffd3ca31af0
region_type = mapped_file
name = "napinsp.dll"
filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll")
Region:
id = 955
start_va = 0x7ffd3ca50000
end_va = 0x7ffd3ca69fff
monitored = 0
entry_point = 0x7ffd3ca52330
region_type = mapped_file
name = "pnrpnsp.dll"
filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll")
Region:
id = 956
start_va = 0x7ffd3ca70000
end_va = 0x7ffd3ca7cfff
monitored = 0
entry_point = 0x7ffd3ca71420
region_type = mapped_file
name = "winrnr.dll"
filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll")
Region:
id = 957
start_va = 0x7ffd3cb30000
end_va = 0x7ffd3cb45fff
monitored = 0
entry_point = 0x7ffd3cb355e0
region_type = mapped_file
name = "ncobjapi.dll"
filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll")
Region:
id = 958
start_va = 0x7ffd3cb50000
end_va = 0x7ffd3cc25fff
monitored = 0
entry_point = 0x7ffd3cb7a800
region_type = mapped_file
name = "wmiprvsd.dll"
filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll")
Region:
id = 959
start_va = 0x7ffd3cc30000
end_va = 0x7ffd3cc93fff
monitored = 0
entry_point = 0x7ffd3cc4bed0
region_type = mapped_file
name = "repdrvfs.dll"
filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll")
Region:
id = 960
start_va = 0x7ffd3cca0000
end_va = 0x7ffd3ccc4fff
monitored = 0
entry_point = 0x7ffd3cca9900
region_type = mapped_file
name = "wmiutils.dll"
filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll")
Region:
id = 961
start_va = 0x7ffd3ccd0000
end_va = 0x7ffd3cdc5fff
monitored = 0
entry_point = 0x7ffd3cd09590
region_type = mapped_file
name = "fastprox.dll"
filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll")
Region:
id = 962
start_va = 0x7ffd3cdd0000
end_va = 0x7ffd3cf06fff
monitored = 0
entry_point = 0x7ffd3ce10480
region_type = mapped_file
name = "wbemcore.dll"
filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll")
Region:
id = 963
start_va = 0x7ffd3cf30000
end_va = 0x7ffd3cf3efff
monitored = 0
entry_point = 0x7ffd3cf34960
region_type = mapped_file
name = "nci.dll"
filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll")
Region:
id = 964
start_va = 0x7ffd3d070000
end_va = 0x7ffd3d080fff
monitored = 0
entry_point = 0x7ffd3d072fc0
region_type = mapped_file
name = "wbemprox.dll"
filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll")
Region:
id = 965
start_va = 0x7ffd3d090000
end_va = 0x7ffd3d0adfff
monitored = 0
entry_point = 0x7ffd3d093a40
region_type = mapped_file
name = "atl.dll"
filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll")
Region:
id = 966
start_va = 0x7ffd3d0b0000
end_va = 0x7ffd3d131fff
monitored = 0
entry_point = 0x7ffd3d0b2a10
region_type = mapped_file
name = "hnetcfg.dll"
filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll")
Region:
id = 967
start_va = 0x7ffd3d150000
end_va = 0x7ffd3d163fff
monitored = 0
entry_point = 0x7ffd3d151800
region_type = mapped_file
name = "wbemsvc.dll"
filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll")
Region:
id = 968
start_va = 0x7ffd3d170000
end_va = 0x7ffd3d1e3fff
monitored = 0
entry_point = 0x7ffd3d185eb0
region_type = mapped_file
name = "esscli.dll"
filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll")
Region:
id = 969
start_va = 0x7ffd3dd00000
end_va = 0x7ffd3dd3ffff
monitored = 0
entry_point = 0x7ffd3dd0cbe0
region_type = mapped_file
name = "adsldpc.dll"
filename = "\\Windows\\System32\\adsldpc.dll" (normalized: "c:\\windows\\system32\\adsldpc.dll")
Region:
id = 970
start_va = 0x7ffd3dd40000
end_va = 0x7ffd3dd86fff
monitored = 0
entry_point = 0x7ffd3dd41d10
region_type = mapped_file
name = "activeds.dll"
filename = "\\Windows\\System32\\activeds.dll" (normalized: "c:\\windows\\system32\\activeds.dll")
Region:
id = 971
start_va = 0x7ffd3dd90000
end_va = 0x7ffd3ddd1fff
monitored = 0
entry_point = 0x7ffd3dd93670
region_type = mapped_file
name = "wdscore.dll"
filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll")
Region:
id = 972
start_va = 0x7ffd3de00000
end_va = 0x7ffd3de10fff
monitored = 0
entry_point = 0x7ffd3de028d0
region_type = mapped_file
name = "credentialmigrationhandler.dll"
filename = "\\Windows\\System32\\CredentialMigrationHandler.dll" (normalized: "c:\\windows\\system32\\credentialmigrationhandler.dll")
Region:
id = 973
start_va = 0x7ffd3e040000
end_va = 0x7ffd3e05efff
monitored = 0
entry_point = 0x7ffd3e0437e0
region_type = mapped_file
name = "netsetupapi.dll"
filename = "\\Windows\\System32\\NetSetupApi.dll" (normalized: "c:\\windows\\system32\\netsetupapi.dll")
Region:
id = 974
start_va = 0x7ffd3e060000
end_va = 0x7ffd3e0d8fff
monitored = 0
entry_point = 0x7ffd3e0676a0
region_type = mapped_file
name = "netsetupshim.dll"
filename = "\\Windows\\System32\\NetSetupShim.dll" (normalized: "c:\\windows\\system32\\netsetupshim.dll")
Region:
id = 975
start_va = 0x7ffd3e330000
end_va = 0x7ffd3e347fff
monitored = 0
entry_point = 0x7ffd3e334e10
region_type = mapped_file
name = "adhsvc.dll"
filename = "\\Windows\\System32\\adhsvc.dll" (normalized: "c:\\windows\\system32\\adhsvc.dll")
Region:
id = 976
start_va = 0x7ffd3e350000
end_va = 0x7ffd3e374fff
monitored = 0
entry_point = 0x7ffd3e355ca0
region_type = mapped_file
name = "httpprxm.dll"
filename = "\\Windows\\System32\\httpprxm.dll" (normalized: "c:\\windows\\system32\\httpprxm.dll")
Region:
id = 977
start_va = 0x7ffd3e380000
end_va = 0x7ffd3e422fff
monitored = 0
entry_point = 0x7ffd3e382c10
region_type = mapped_file
name = "clusapi.dll"
filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll")
Region:
id = 978
start_va = 0x7ffd3e430000
end_va = 0x7ffd3e481fff
monitored = 0
entry_point = 0x7ffd3e435770
region_type = mapped_file
name = "resutils.dll"
filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll")
Region:
id = 979
start_va = 0x7ffd3e490000
end_va = 0x7ffd3e4bdfff
monitored = 1
entry_point = 0x7ffd3e492300
region_type = mapped_file
name = "wmidcom.dll"
filename = "\\Windows\\System32\\wmidcom.dll" (normalized: "c:\\windows\\system32\\wmidcom.dll")
Region:
id = 980
start_va = 0x7ffd3e4c0000
end_va = 0x7ffd3e51dfff
monitored = 0
entry_point = 0x7ffd3e4c5080
region_type = mapped_file
name = "miutils.dll"
filename = "\\Windows\\System32\\miutils.dll" (normalized: "c:\\windows\\system32\\miutils.dll")
Region:
id = 981
start_va = 0x7ffd3e520000
end_va = 0x7ffd3e53ffff
monitored = 0
entry_point = 0x7ffd3e521f50
region_type = mapped_file
name = "mi.dll"
filename = "\\Windows\\System32\\mi.dll" (normalized: "c:\\windows\\system32\\mi.dll")
Region:
id = 982
start_va = 0x7ffd3e540000
end_va = 0x7ffd3e548fff
monitored = 0
entry_point = 0x7ffd3e5418f0
region_type = mapped_file
name = "sscoreext.dll"
filename = "\\Windows\\System32\\sscoreext.dll" (normalized: "c:\\windows\\system32\\sscoreext.dll")
Region:
id = 983
start_va = 0x7ffd3e550000
end_va = 0x7ffd3e560fff
monitored = 0
entry_point = 0x7ffd3e551d30
region_type = mapped_file
name = "sscore.dll"
filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll")
Region:
id = 984
start_va = 0x7ffd3e570000
end_va = 0x7ffd3e5b0fff
monitored = 0
entry_point = 0x7ffd3e573750
region_type = mapped_file
name = "sqmapi.dll"
filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll")
Region:
id = 985
start_va = 0x7ffd3e5c0000
end_va = 0x7ffd3e6b2fff
monitored = 0
entry_point = 0x7ffd3e5e5d80
region_type = mapped_file
name = "iphlpsvc.dll"
filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll")
Region:
id = 986
start_va = 0x7ffd3e700000
end_va = 0x7ffd3e74bfff
monitored = 0
entry_point = 0x7ffd3e715310
region_type = mapped_file
name = "srvsvc.dll"
filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll")
Region:
id = 987
start_va = 0x7ffd3e990000
end_va = 0x7ffd3e9a3fff
monitored = 0
entry_point = 0x7ffd3e993710
region_type = mapped_file
name = "mskeyprotect.dll"
filename = "\\Windows\\System32\\mskeyprotect.dll" (normalized: "c:\\windows\\system32\\mskeyprotect.dll")
Region:
id = 988
start_va = 0x7ffd3e9b0000
end_va = 0x7ffd3e9d7fff
monitored = 0
entry_point = 0x7ffd3e9befc0
region_type = mapped_file
name = "dssenh.dll"
filename = "\\Windows\\System32\\dssenh.dll" (normalized: "c:\\windows\\system32\\dssenh.dll")
Region:
id = 989
start_va = 0x7ffd3ea40000
end_va = 0x7ffd3ea5dfff
monitored = 0
entry_point = 0x7ffd3ea4ef80
region_type = mapped_file
name = "ncryptsslp.dll"
filename = "\\Windows\\System32\\ncryptsslp.dll" (normalized: "c:\\windows\\system32\\ncryptsslp.dll")
Region:
id = 990
start_va = 0x7ffd3ea60000
end_va = 0x7ffd3ea77fff
monitored = 0
entry_point = 0x7ffd3ea62000
region_type = mapped_file
name = "vsstrace.dll"
filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll")
Region:
id = 991
start_va = 0x7ffd3ea80000
end_va = 0x7ffd3ec01fff
monitored = 0
entry_point = 0x7ffd3ea982a0
region_type = mapped_file
name = "vssapi.dll"
filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll")
Region:
id = 992
start_va = 0x7ffd3ec90000
end_va = 0x7ffd3ed0efff
monitored = 0
entry_point = 0x7ffd3eca7110
region_type = mapped_file
name = "wbemcomn.dll"
filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll")
Region:
id = 993
start_va = 0x7ffd3ed10000
end_va = 0x7ffd3ed4bfff
monitored = 0
entry_point = 0x7ffd3ed16aa0
region_type = mapped_file
name = "wmisvc.dll"
filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll")
Region:
id = 994
start_va = 0x7ffd3ed50000
end_va = 0x7ffd3ed5bfff
monitored = 0
entry_point = 0x7ffd3ed535c0
region_type = mapped_file
name = "secur32.dll"
filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll")
Region:
id = 995
start_va = 0x7ffd402d0000
end_va = 0x7ffd40304fff
monitored = 0
entry_point = 0x7ffd402da270
region_type = mapped_file
name = "fwpolicyiomgr.dll"
filename = "\\Windows\\System32\\fwpolicyiomgr.dll" (normalized: "c:\\windows\\system32\\fwpolicyiomgr.dll")
Region:
id = 996
start_va = 0x7ffd40310000
end_va = 0x7ffd4038ffff
monitored = 0
entry_point = 0x7ffd4033d280
region_type = mapped_file
name = "webio.dll"
filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll")
Region:
id = 997
start_va = 0x7ffd403c0000
end_va = 0x7ffd403fffff
monitored = 0
entry_point = 0x7ffd403d6c60
region_type = mapped_file
name = "netprofm.dll"
filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll")
Region:
id = 998
start_va = 0x7ffd40b80000
end_va = 0x7ffd40ba1fff
monitored = 0
entry_point = 0x7ffd40b92540
region_type = mapped_file
name = "updatepolicy.dll"
filename = "\\Windows\\System32\\updatepolicy.dll" (normalized: "c:\\windows\\system32\\updatepolicy.dll")
Region:
id = 999
start_va = 0x7ffd40bb0000
end_va = 0x7ffd40c84fff
monitored = 0
entry_point = 0x7ffd40bccf80
region_type = mapped_file
name = "wuapi.dll"
filename = "\\Windows\\System32\\wuapi.dll" (normalized: "c:\\windows\\system32\\wuapi.dll")
Region:
id = 1000
start_va = 0x7ffd40d50000
end_va = 0x7ffd40d58fff
monitored = 0
entry_point = 0x7ffd40d521d0
region_type = mapped_file
name = "httpprxc.dll"
filename = "\\Windows\\System32\\httpprxc.dll" (normalized: "c:\\windows\\system32\\httpprxc.dll")
Region:
id = 1001
start_va = 0x7ffd410e0000
end_va = 0x7ffd410f5fff
monitored = 0
entry_point = 0x7ffd410e1d50
region_type = mapped_file
name = "wwapi.dll"
filename = "\\Windows\\System32\\wwapi.dll" (normalized: "c:\\windows\\system32\\wwapi.dll")
Region:
id = 1002
start_va = 0x7ffd41d70000
end_va = 0x7ffd41d79fff
monitored = 0
entry_point = 0x7ffd41d71350
region_type = mapped_file
name = "version.dll"
filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll")
Region:
id = 1003
start_va = 0x7ffd422e0000
end_va = 0x7ffd422f1fff
monitored = 0
entry_point = 0x7ffd422e3580
region_type = mapped_file
name = "cscapi.dll"
filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll")
Region:
id = 1004
start_va = 0x7ffd44840000
end_va = 0x7ffd4485afff
monitored = 0
entry_point = 0x7ffd44841040
region_type = mapped_file
name = "mpr.dll"
filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll")
Region:
id = 1005
start_va = 0x7ffd44af0000
end_va = 0x7ffd44af9fff
monitored = 0
entry_point = 0x7ffd44af14c0
region_type = mapped_file
name = "rasadhlp.dll"
filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll")
Region:
id = 1006
start_va = 0x7ffd44b00000
end_va = 0x7ffd44b0dfff
monitored = 0
entry_point = 0x7ffd44b01460
region_type = mapped_file
name = "npmproxy.dll"
filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll")
Region:
id = 1007
start_va = 0x7ffd44b10000
end_va = 0x7ffd44b23fff
monitored = 0
entry_point = 0x7ffd44b12a00
region_type = mapped_file
name = "bitsigd.dll"
filename = "\\Windows\\System32\\bitsigd.dll" (normalized: "c:\\windows\\system32\\bitsigd.dll")
Region:
id = 1008
start_va = 0x7ffd44b30000
end_va = 0x7ffd44b44fff
monitored = 0
entry_point = 0x7ffd44b32dc0
region_type = mapped_file
name = "ondemandconnroutehelper.dll"
filename = "\\Windows\\System32\\OnDemandConnRouteHelper.dll" (normalized: "c:\\windows\\system32\\ondemandconnroutehelper.dll")
Region:
id = 1009
start_va = 0x7ffd44b50000
end_va = 0x7ffd44b5bfff
monitored = 0
entry_point = 0x7ffd44b52830
region_type = mapped_file
name = "bi.dll"
filename = "\\Windows\\System32\\bi.dll" (normalized: "c:\\windows\\system32\\bi.dll")
Region:
id = 1010
start_va = 0x7ffd45150000
end_va = 0x7ffd4515ffff
monitored = 0
entry_point = 0x7ffd45151700
region_type = mapped_file
name = "proximityservicepal.dll"
filename = "\\Windows\\System32\\ProximityServicePal.dll" (normalized: "c:\\windows\\system32\\proximityservicepal.dll")
Region:
id = 1011
start_va = 0x7ffd45160000
end_va = 0x7ffd45168fff
monitored = 0
entry_point = 0x7ffd45161ed0
region_type = mapped_file
name = "proximitycommonpal.dll"
filename = "\\Windows\\System32\\ProximityCommonPal.dll" (normalized: "c:\\windows\\system32\\proximitycommonpal.dll")
Region:
id = 1012
start_va = 0x7ffd45170000
end_va = 0x7ffd4519cfff
monitored = 0
entry_point = 0x7ffd45172290
region_type = mapped_file
name = "proximitycommon.dll"
filename = "\\Windows\\System32\\ProximityCommon.dll" (normalized: "c:\\windows\\system32\\proximitycommon.dll")
Region:
id = 1013
start_va = 0x7ffd451a0000
end_va = 0x7ffd451f1fff
monitored = 0
entry_point = 0x7ffd451a38e0
region_type = mapped_file
name = "proximityservice.dll"
filename = "\\Windows\\System32\\ProximityService.dll" (normalized: "c:\\windows\\system32\\proximityservice.dll")
Region:
id = 1014
start_va = 0x7ffd452a0000
end_va = 0x7ffd452b4fff
monitored = 0
entry_point = 0x7ffd452a3460
region_type = mapped_file
name = "ssdpapi.dll"
filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll")
Region:
id = 1015
start_va = 0x7ffd45390000
end_va = 0x7ffd45429fff
monitored = 0
entry_point = 0x7ffd453aada0
region_type = mapped_file
name = "shsvcs.dll"
filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll")
Region:
id = 1016
start_va = 0x7ffd45440000
end_va = 0x7ffd454a6fff
monitored = 0
entry_point = 0x7ffd454463e0
region_type = mapped_file
name = "fwpuclnt.dll"
filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll")
Region:
id = 1017
start_va = 0x7ffd45500000
end_va = 0x7ffd455bffff
monitored = 0
entry_point = 0x7ffd4552fd20
region_type = mapped_file
name = "fveapi.dll"
filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll")
Region:
id = 1018
start_va = 0x7ffd455c0000
end_va = 0x7ffd4566dfff
monitored = 0
entry_point = 0x7ffd455d80c0
region_type = mapped_file
name = "windows.networking.connectivity.dll"
filename = "\\Windows\\System32\\Windows.Networking.Connectivity.dll" (normalized: "c:\\windows\\system32\\windows.networking.connectivity.dll")
Region:
id = 1019
start_va = 0x7ffd45670000
end_va = 0x7ffd45681fff
monitored = 0
entry_point = 0x7ffd45679260
region_type = mapped_file
name = "rilproxy.dll"
filename = "\\Windows\\System32\\rilproxy.dll" (normalized: "c:\\windows\\system32\\rilproxy.dll")
Region:
id = 1020
start_va = 0x7ffd45690000
end_va = 0x7ffd45740fff
monitored = 0
entry_point = 0x7ffd457088b0
region_type = mapped_file
name = "cellularapi.dll"
filename = "\\Windows\\System32\\CellularAPI.dll" (normalized: "c:\\windows\\system32\\cellularapi.dll")
Region:
id = 1021
start_va = 0x7ffd45750000
end_va = 0x7ffd4575afff
monitored = 0
entry_point = 0x7ffd45751d30
region_type = mapped_file
name = "winnsi.dll"
filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll")
Region:
id = 1022
start_va = 0x7ffd45760000
end_va = 0x7ffd45784fff
monitored = 0
entry_point = 0x7ffd45772f20
region_type = mapped_file
name = "wificonnapi.dll"
filename = "\\Windows\\System32\\wificonnapi.dll" (normalized: "c:\\windows\\system32\\wificonnapi.dll")
Region:
id = 1023
start_va = 0x7ffd45790000
end_va = 0x7ffd457a0fff
monitored = 0
entry_point = 0x7ffd45797ea0
region_type = mapped_file
name = "dcpapi.dll"
filename = "\\Windows\\System32\\dcpapi.dll" (normalized: "c:\\windows\\system32\\dcpapi.dll")
Region:
id = 1024
start_va = 0x7ffd458a0000
end_va = 0x7ffd458b9fff
monitored = 0
entry_point = 0x7ffd458a2cf0
region_type = mapped_file
name = "locationpelegacywinlocation.dll"
filename = "\\Windows\\System32\\LocationPeLegacyWinLocation.dll" (normalized: "c:\\windows\\system32\\locationpelegacywinlocation.dll")
Region:
id = 1025
start_va = 0x7ffd458c0000
end_va = 0x7ffd45914fff
monitored = 0
entry_point = 0x7ffd458c3fb0
region_type = mapped_file
name = "policymanager.dll"
filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll")
Region:
id = 1026
start_va = 0x7ffd45920000
end_va = 0x7ffd45956fff
monitored = 0
entry_point = 0x7ffd45926020
region_type = mapped_file
name = "gnssadapter.dll"
filename = "\\Windows\\System32\\GnssAdapter.dll" (normalized: "c:\\windows\\system32\\gnssadapter.dll")
Region:
id = 1027
start_va = 0x7ffd45960000
end_va = 0x7ffd4597ffff
monitored = 0
entry_point = 0x7ffd459639a0
region_type = mapped_file
name = "locationwinpalmisc.dll"
filename = "\\Windows\\System32\\LocationWinPalMisc.dll" (normalized: "c:\\windows\\system32\\locationwinpalmisc.dll")
Region:
id = 1028
start_va = 0x7ffd45a10000
end_va = 0x7ffd45a29fff
monitored = 0
entry_point = 0x7ffd45a12430
region_type = mapped_file
name = "dhcpcsvc.dll"
filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll")
Region:
id = 1029
start_va = 0x7ffd45a30000
end_va = 0x7ffd45a45fff
monitored = 0
entry_point = 0x7ffd45a319f0
region_type = mapped_file
name = "dhcpcsvc6.dll"
filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll")
Region:
id = 1030
start_va = 0x7ffd45aa0000
end_va = 0x7ffd45ae0fff
monitored = 0
entry_point = 0x7ffd45aa4840
region_type = mapped_file
name = "usermgrproxy.dll"
filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll")
Region:
id = 1031
start_va = 0x7ffd45b60000
end_va = 0x7ffd45b73fff
monitored = 0
entry_point = 0x7ffd45b62d50
region_type = mapped_file
name = "rtutils.dll"
filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll")
Region:
id = 1032
start_va = 0x7ffd45e60000
end_va = 0x7ffd45ef2fff
monitored = 0
entry_point = 0x7ffd45e69680
region_type = mapped_file
name = "msvcp_win.dll"
filename = "\\Windows\\System32\\msvcp_win.dll" (normalized: "c:\\windows\\system32\\msvcp_win.dll")
Region:
id = 1033
start_va = 0x7ffd45f20000
end_va = 0x7ffd45f2afff
monitored = 0
entry_point = 0x7ffd45f21de0
region_type = mapped_file
name = "bitsperf.dll"
filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll")
Region:
id = 1034
start_va = 0x7ffd45f80000
end_va = 0x7ffd45f9efff
monitored = 0
entry_point = 0x7ffd45f84960
region_type = mapped_file
name = "ncprov.dll"
filename = "\\Windows\\System32\\wbem\\NCProv.dll" (normalized: "c:\\windows\\system32\\wbem\\ncprov.dll")
Region:
id = 1035
start_va = 0x7ffd460b0000
end_va = 0x7ffd460e7fff
monitored = 0
entry_point = 0x7ffd460c8cc0
region_type = mapped_file
name = "iphlpapi.dll"
filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll")
Region:
id = 1036
start_va = 0x7ffd46190000
end_va = 0x7ffd461a8fff
monitored = 0
entry_point = 0x7ffd46194520
region_type = mapped_file
name = "samcli.dll"
filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll")
Region:
id = 1037
start_va = 0x7ffd46650000
end_va = 0x7ffd4665bfff
monitored = 0
entry_point = 0x7ffd466514d0
region_type = mapped_file
name = "locationframeworkps.dll"
filename = "\\Windows\\System32\\LocationFrameworkPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkps.dll")
Region:
id = 1038
start_va = 0x7ffd46920000
end_va = 0x7ffd469e7fff
monitored = 0
entry_point = 0x7ffd469613f0
region_type = mapped_file
name = "winhttp.dll"
filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll")
Region:
id = 1039
start_va = 0x7ffd469f0000
end_va = 0x7ffd46a50fff
monitored = 0
entry_point = 0x7ffd469f4b50
region_type = mapped_file
name = "wlanapi.dll"
filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll")
Region:
id = 1040
start_va = 0x7ffd46a60000
end_va = 0x7ffd46bdbfff
monitored = 0
entry_point = 0x7ffd46ab1650
region_type = mapped_file
name = "locationframework.dll"
filename = "\\Windows\\System32\\LocationFramework.dll" (normalized: "c:\\windows\\system32\\locationframework.dll")
Region:
id = 1041
start_va = 0x7ffd46be0000
end_va = 0x7ffd46beafff
monitored = 0
entry_point = 0x7ffd46be1770
region_type = mapped_file
name = "lfsvc.dll"
filename = "\\Windows\\System32\\lfsvc.dll" (normalized: "c:\\windows\\system32\\lfsvc.dll")
Region:
id = 1042
start_va = 0x7ffd46dd0000
end_va = 0x7ffd46eb5fff
monitored = 0
entry_point = 0x7ffd46decf10
region_type = mapped_file
name = "usermgr.dll"
filename = "\\Windows\\System32\\usermgr.dll" (normalized: "c:\\windows\\system32\\usermgr.dll")
Region:
id = 1043
start_va = 0x7ffd47080000
end_va = 0x7ffd47401fff
monitored = 0
entry_point = 0x7ffd470d1220
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll")
Region:
id = 1044
start_va = 0x7ffd47410000
end_va = 0x7ffd47545fff
monitored = 0
entry_point = 0x7ffd4743f350
region_type = mapped_file
name = "wintypes.dll"
filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll")
Region:
id = 1045
start_va = 0x7ffd48640000
end_va = 0x7ffd4874dfff
monitored = 0
entry_point = 0x7ffd4868eaa0
region_type = mapped_file
name = "mrmcorer.dll"
filename = "\\Windows\\System32\\MrmCoreR.dll" (normalized: "c:\\windows\\system32\\mrmcorer.dll")
Region:
id = 1046
start_va = 0x7ffd48a50000
end_va = 0x7ffd48a66fff
monitored = 0
entry_point = 0x7ffd48a55630
region_type = mapped_file
name = "sens.dll"
filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll")
Region:
id = 1047
start_va = 0x7ffd48a70000
end_va = 0x7ffd48ab9fff
monitored = 0
entry_point = 0x7ffd48a7ac30
region_type = mapped_file
name = "deviceaccess.dll"
filename = "\\Windows\\System32\\deviceaccess.dll" (normalized: "c:\\windows\\system32\\deviceaccess.dll")
Region:
id = 1048
start_va = 0x7ffd48b10000
end_va = 0x7ffd48b4dfff
monitored = 0
entry_point = 0x7ffd48b1a050
region_type = mapped_file
name = "logoncli.dll"
filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll")
Region:
id = 1049
start_va = 0x7ffd48b50000
end_va = 0x7ffd48b76fff
monitored = 0
entry_point = 0x7ffd48b53bf0
region_type = mapped_file
name = "profsvcext.dll"
filename = "\\Windows\\System32\\profsvcext.dll" (normalized: "c:\\windows\\system32\\profsvcext.dll")
Region:
id = 1050
start_va = 0x7ffd48b80000
end_va = 0x7ffd48bf9fff
monitored = 0
entry_point = 0x7ffd48ba7630
region_type = mapped_file
name = "es.dll"
filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll")
Region:
id = 1051
start_va = 0x7ffd48c00000
end_va = 0x7ffd48c12fff
monitored = 0
entry_point = 0x7ffd48c057f0
region_type = mapped_file
name = "themeservice.dll"
filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll")
Region:
id = 1052
start_va = 0x7ffd48c20000
end_va = 0x7ffd48c74fff
monitored = 0
entry_point = 0x7ffd48c2fc00
region_type = mapped_file
name = "profsvc.dll"
filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll")
Region:
id = 1053
start_va = 0x7ffd48c80000
end_va = 0x7ffd48cadfff
monitored = 0
entry_point = 0x7ffd48c87550
region_type = mapped_file
name = "netjoin.dll"
filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll")
Region:
id = 1054
start_va = 0x7ffd48cb0000
end_va = 0x7ffd48cc5fff
monitored = 0
entry_point = 0x7ffd48cb1b60
region_type = mapped_file
name = "wkscli.dll"
filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll")
Region:
id = 1055
start_va = 0x7ffd48cd0000
end_va = 0x7ffd48d33fff
monitored = 0
entry_point = 0x7ffd48ce5ae0
region_type = mapped_file
name = "wevtapi.dll"
filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll")
Region:
id = 1056
start_va = 0x7ffd48d80000
end_va = 0x7ffd48e11fff
monitored = 0
entry_point = 0x7ffd48dca780
region_type = mapped_file
name = "msvcp110_win.dll"
filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll")
Region:
id = 1057
start_va = 0x7ffd49080000
end_va = 0x7ffd4908ffff
monitored = 0
entry_point = 0x7ffd49082c60
region_type = mapped_file
name = "usermgrcli.dll"
filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll")
Region:
id = 1058
start_va = 0x7ffd49090000
end_va = 0x7ffd4909cfff
monitored = 0
entry_point = 0x7ffd49092ca0
region_type = mapped_file
name = "csystemeventsbrokerclient.dll"
filename = "\\Windows\\System32\\CSystemEventsBrokerClient.dll" (normalized: "c:\\windows\\system32\\csystemeventsbrokerclient.dll")
Region:
id = 1059
start_va = 0x7ffd490a0000
end_va = 0x7ffd490cefff
monitored = 0
entry_point = 0x7ffd490a8910
region_type = mapped_file
name = "wptaskscheduler.dll"
filename = "\\Windows\\System32\\WPTaskScheduler.dll" (normalized: "c:\\windows\\system32\\wptaskscheduler.dll")
Region:
id = 1060
start_va = 0x7ffd490d0000
end_va = 0x7ffd4913dfff
monitored = 0
entry_point = 0x7ffd490d7f60
region_type = mapped_file
name = "taskcomp.dll"
filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll")
Region:
id = 1061
start_va = 0x7ffd49140000
end_va = 0x7ffd49150fff
monitored = 0
entry_point = 0x7ffd49143320
region_type = mapped_file
name = "wmiclnt.dll"
filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll")
Region:
id = 1062
start_va = 0x7ffd49160000
end_va = 0x7ffd491a0fff
monitored = 0
entry_point = 0x7ffd49177eb0
region_type = mapped_file
name = "ubpm.dll"
filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll")
Region:
id = 1063
start_va = 0x7ffd491b0000
end_va = 0x7ffd492abfff
monitored = 0
entry_point = 0x7ffd491e6df0
region_type = mapped_file
name = "schedsvc.dll"
filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll")
Region:
id = 1064
start_va = 0x7ffd492b0000
end_va = 0x7ffd4936efff
monitored = 0
entry_point = 0x7ffd492d1c50
region_type = mapped_file
name = "taskschd.dll"
filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll")
Region:
id = 1065
start_va = 0x7ffd493a0000
end_va = 0x7ffd493d5fff
monitored = 0
entry_point = 0x7ffd493b0070
region_type = mapped_file
name = "xmllite.dll"
filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll")
Region:
id = 1066
start_va = 0x7ffd49c30000
end_va = 0x7ffd49c39fff
monitored = 0
entry_point = 0x7ffd49c31660
region_type = mapped_file
name = "dsrole.dll"
filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll")
Region:
id = 1067
start_va = 0x7ffd49c40000
end_va = 0x7ffd49c57fff
monitored = 0
entry_point = 0x7ffd49c45910
region_type = mapped_file
name = "nlaapi.dll"
filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll")
Region:
id = 1068
start_va = 0x7ffd49c60000
end_va = 0x7ffd49dacfff
monitored = 0
entry_point = 0x7ffd49ca3da0
region_type = mapped_file
name = "gpsvc.dll"
filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll")
Region:
id = 1069
start_va = 0x7ffd4a3c0000
end_va = 0x7ffd4a3c7fff
monitored = 0
entry_point = 0x7ffd4a3c13e0
region_type = mapped_file
name = "dabapi.dll"
filename = "\\Windows\\System32\\dabapi.dll" (normalized: "c:\\windows\\system32\\dabapi.dll")
Region:
id = 1070
start_va = 0x7ffd4a880000
end_va = 0x7ffd4a8f8fff
monitored = 0
entry_point = 0x7ffd4a89fb90
region_type = mapped_file
name = "apphelp.dll"
filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll")
Region:
id = 1071
start_va = 0x7ffd4aab0000
end_va = 0x7ffd4af42fff
monitored = 0
entry_point = 0x7ffd4aabf760
region_type = mapped_file
name = "actxprxy.dll"
filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll")
Region:
id = 1072
start_va = 0x7ffd4af50000
end_va = 0x7ffd4afb6fff
monitored = 0
entry_point = 0x7ffd4af6e710
region_type = mapped_file
name = "bcp47langs.dll"
filename = "\\Windows\\System32\\BCP47Langs.dll" (normalized: "c:\\windows\\system32\\bcp47langs.dll")
Region:
id = 1073
start_va = 0x7ffd4b010000
end_va = 0x7ffd4b195fff
monitored = 0
entry_point = 0x7ffd4b05d700
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")
Region:
id = 1074
start_va = 0x7ffd4b1a0000
end_va = 0x7ffd4b1bbfff
monitored = 0
entry_point = 0x7ffd4b1a37a0
region_type = mapped_file
name = "samlib.dll"
filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll")
Region:
id = 1075
start_va = 0x7ffd4b200000
end_va = 0x7ffd4b212fff
monitored = 0
entry_point = 0x7ffd4b202760
region_type = mapped_file
name = "wtsapi32.dll"
filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")
Region:
id = 1076
start_va = 0x7ffd4b3a0000
end_va = 0x7ffd4b3dffff
monitored = 0
entry_point = 0x7ffd4b3b1960
region_type = mapped_file
name = "brokerlib.dll"
filename = "\\Windows\\System32\\BrokerLib.dll" (normalized: "c:\\windows\\system32\\brokerlib.dll")
Region:
id = 1077
start_va = 0x7ffd4b530000
end_va = 0x7ffd4b556fff
monitored = 0
entry_point = 0x7ffd4b537940
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")
Region:
id = 1078
start_va = 0x7ffd4b560000
end_va = 0x7ffd4b591fff
monitored = 0
entry_point = 0x7ffd4b572340
region_type = mapped_file
name = "fwbase.dll"
filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll")
Region:
id = 1079
start_va = 0x7ffd4b5a0000
end_va = 0x7ffd4b5abfff
monitored = 0
entry_point = 0x7ffd4b5a2480
region_type = mapped_file
name = "sysntfy.dll"
filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll")
Region:
id = 1080
start_va = 0x7ffd4b670000
end_va = 0x7ffd4b719fff
monitored = 0
entry_point = 0x7ffd4b697910
region_type = mapped_file
name = "dnsapi.dll"
filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll")
Region:
id = 1081
start_va = 0x7ffd4b720000
end_va = 0x7ffd4b81ffff
monitored = 0
entry_point = 0x7ffd4b760f80
region_type = mapped_file
name = "twinapi.appcore.dll"
filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll")
Region:
id = 1082
start_va = 0x7ffd4bae0000
end_va = 0x7ffd4baebfff
monitored = 0
entry_point = 0x7ffd4bae2790
region_type = mapped_file
name = "hid.dll"
filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll")
Region:
id = 1083
start_va = 0x7ffd4baf0000
end_va = 0x7ffd4bb13fff
monitored = 0
entry_point = 0x7ffd4baf3260
region_type = mapped_file
name = "gpapi.dll"
filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll")
Region:
id = 1084
start_va = 0x7ffd4bc90000
end_va = 0x7ffd4bd83fff
monitored = 0
entry_point = 0x7ffd4bc9a960
region_type = mapped_file
name = "ucrtbase.dll"
filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll")
Region:
id = 1085
start_va = 0x7ffd4bde0000
end_va = 0x7ffd4be28fff
monitored = 0
entry_point = 0x7ffd4bdea090
region_type = mapped_file
name = "authz.dll"
filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll")
Region:
id = 1086
start_va = 0x7ffd4bf00000
end_va = 0x7ffd4bf0bfff
monitored = 0
entry_point = 0x7ffd4bf027e0
region_type = mapped_file
name = "netutils.dll"
filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll")
Region:
id = 1087
start_va = 0x7ffd4bfe0000
end_va = 0x7ffd4c010fff
monitored = 0
entry_point = 0x7ffd4bfe7d10
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll")
Region:
id = 1088
start_va = 0x7ffd4c040000
end_va = 0x7ffd4c0b9fff
monitored = 0
entry_point = 0x7ffd4c061a50
region_type = mapped_file
name = "schannel.dll"
filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll")
Region:
id = 1089
start_va = 0x7ffd4c100000
end_va = 0x7ffd4c133fff
monitored = 0
entry_point = 0x7ffd4c11ae70
region_type = mapped_file
name = "rsaenh.dll"
filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll")
Region:
id = 1090
start_va = 0x7ffd4c140000
end_va = 0x7ffd4c149fff
monitored = 0
entry_point = 0x7ffd4c141830
region_type = mapped_file
name = "dpapi.dll"
filename = "\\Windows\\System32\\dpapi.dll" (normalized: "c:\\windows\\system32\\dpapi.dll")
Region:
id = 1091
start_va = 0x7ffd4c250000
end_va = 0x7ffd4c26efff
monitored = 0
entry_point = 0x7ffd4c255d30
region_type = mapped_file
name = "userenv.dll"
filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll")
Region:
id = 1092
start_va = 0x7ffd4c3c0000
end_va = 0x7ffd4c41bfff
monitored = 0
entry_point = 0x7ffd4c3d6f70
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll")
Region:
id = 1093
start_va = 0x7ffd4c470000
end_va = 0x7ffd4c486fff
monitored = 0
entry_point = 0x7ffd4c4779d0
region_type = mapped_file
name = "cryptsp.dll"
filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll")
Region:
id = 1094
start_va = 0x7ffd4c590000
end_va = 0x7ffd4c59afff
monitored = 0
entry_point = 0x7ffd4c5919a0
region_type = mapped_file
name = "cryptbase.dll"
filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll")
Region:
id = 1095
start_va = 0x7ffd4c5d0000
end_va = 0x7ffd4c5f0fff
monitored = 0
entry_point = 0x7ffd4c5e0250
region_type = mapped_file
name = "joinutil.dll"
filename = "\\Windows\\System32\\joinutil.dll" (normalized: "c:\\windows\\system32\\joinutil.dll")
Region:
id = 1096
start_va = 0x7ffd4c620000
end_va = 0x7ffd4c659fff
monitored = 0
entry_point = 0x7ffd4c628d20
region_type = mapped_file
name = "ntasn1.dll"
filename = "\\Windows\\System32\\ntasn1.dll" (normalized: "c:\\windows\\system32\\ntasn1.dll")
Region:
id = 1097
start_va = 0x7ffd4c660000
end_va = 0x7ffd4c686fff
monitored = 0
entry_point = 0x7ffd4c670aa0
region_type = mapped_file
name = "ncrypt.dll"
filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll")
Region:
id = 1098
start_va = 0x7ffd4c770000
end_va = 0x7ffd4c79cfff
monitored = 0
entry_point = 0x7ffd4c789d40
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 1099
start_va = 0x7ffd4c900000
end_va = 0x7ffd4c955fff
monitored = 0
entry_point = 0x7ffd4c910bf0
region_type = mapped_file
name = "winsta.dll"
filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")
Region:
id = 1100
start_va = 0x7ffd4c960000
end_va = 0x7ffd4c978fff
monitored = 0
entry_point = 0x7ffd4c965e10
region_type = mapped_file
name = "eventaggregation.dll"
filename = "\\Windows\\System32\\EventAggregation.dll" (normalized: "c:\\windows\\system32\\eventaggregation.dll")
Region:
id = 1101
start_va = 0x7ffd4c980000
end_va = 0x7ffd4c9a8fff
monitored = 0
entry_point = 0x7ffd4c994530
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")
Region:
id = 1102
start_va = 0x7ffd4c9b0000
end_va = 0x7ffd4ca48fff
monitored = 0
entry_point = 0x7ffd4c9df4e0
region_type = mapped_file
name = "sxs.dll"
filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll")
Region:
id = 1103
start_va = 0x7ffd4caf0000
end_va = 0x7ffd4cb03fff
monitored = 0
entry_point = 0x7ffd4caf52e0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 1104
start_va = 0x7ffd4cb10000
end_va = 0x7ffd4cb5afff
monitored = 0
entry_point = 0x7ffd4cb135f0
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")
Region:
id = 1105
start_va = 0x7ffd4cb60000
end_va = 0x7ffd4cb6ffff
monitored = 0
entry_point = 0x7ffd4cb656e0
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll")
Region:
id = 1106
start_va = 0x7ffd4cb70000
end_va = 0x7ffd4cb7efff
monitored = 0
entry_point = 0x7ffd4cb73210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 1107
start_va = 0x7ffd4cb80000
end_va = 0x7ffd4cbc2fff
monitored = 0
entry_point = 0x7ffd4cb94b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 1108
start_va = 0x7ffd4cc80000
end_va = 0x7ffd4ccd4fff
monitored = 0
entry_point = 0x7ffd4cc97970
region_type = mapped_file
name = "wintrust.dll"
filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll")
Region:
id = 1109
start_va = 0x7ffd4cce0000
end_va = 0x7ffd4d323fff
monitored = 0
entry_point = 0x7ffd4cea64b0
region_type = mapped_file
name = "windows.storage.dll"
filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")
Region:
id = 1110
start_va = 0x7ffd4d330000
end_va = 0x7ffd4d346fff
monitored = 0
entry_point = 0x7ffd4d331390
region_type = mapped_file
name = "netapi32.dll"
filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll")
Region:
id = 1111
start_va = 0x7ffd4d350000
end_va = 0x7ffd4d516fff
monitored = 0
entry_point = 0x7ffd4d3adb80
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll")
Region:
id = 1112
start_va = 0x7ffd4d520000
end_va = 0x7ffd4d5a5fff
monitored = 0
entry_point = 0x7ffd4d52d8f0
region_type = mapped_file
name = "firewallapi.dll"
filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll")
Region:
id = 1113
start_va = 0x7ffd4d5b0000
end_va = 0x7ffd4d664fff
monitored = 0
entry_point = 0x7ffd4d5f22e0
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")
Region:
id = 1114
start_va = 0x7ffd4d670000
end_va = 0x7ffd4d857fff
monitored = 0
entry_point = 0x7ffd4d69ba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 1115
start_va = 0x7ffd4d860000
end_va = 0x7ffd4d8c9fff
monitored = 0
entry_point = 0x7ffd4d896d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 1116
start_va = 0x7ffd4d8d0000
end_va = 0x7ffd4da55fff
monitored = 0
entry_point = 0x7ffd4d91ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 1117
start_va = 0x7ffd4da60000
end_va = 0x7ffd4db7bfff
monitored = 0
entry_point = 0x7ffd4daa02b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 1118
start_va = 0x7ffd4db80000
end_va = 0x7ffd4dc40fff
monitored = 0
entry_point = 0x7ffd4dba0da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 1119
start_va = 0x7ffd4dc70000
end_va = 0x7ffd4deecfff
monitored = 0
entry_point = 0x7ffd4dd44970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 1120
start_va = 0x7ffd4def0000
end_va = 0x7ffd4def7fff
monitored = 0
entry_point = 0x7ffd4def1ea0
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll")
Region:
id = 1121
start_va = 0x7ffd4df00000
end_va = 0x7ffd4df9cfff
monitored = 0
entry_point = 0x7ffd4df078a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 1122
start_va = 0x7ffd4e160000
end_va = 0x7ffd4e1bafff
monitored = 0
entry_point = 0x7ffd4e1738b0
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 1123
start_va = 0x7ffd4e1c0000
end_va = 0x7ffd4e26cfff
monitored = 0
entry_point = 0x7ffd4e1d81a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 1124
start_va = 0x7ffd4e270000
end_va = 0x7ffd4e2dafff
monitored = 0
entry_point = 0x7ffd4e2890c0
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 1125
start_va = 0x7ffd4e480000
end_va = 0x7ffd4e526fff
monitored = 0
entry_point = 0x7ffd4e4958d0
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 1126
start_va = 0x7ffd4e530000
end_va = 0x7ffd4e958fff
monitored = 0
entry_point = 0x7ffd4e558740
region_type = mapped_file
name = "setupapi.dll"
filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll")
Region:
id = 1127
start_va = 0x7ffd4e970000
end_va = 0x7ffd4e9cbfff
monitored = 0
entry_point = 0x7ffd4e98b720
region_type = mapped_file
name = "wldap32.dll"
filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll")
Region:
id = 1128
start_va = 0x7ffd4e9d0000
end_va = 0x7ffd4eb25fff
monitored = 0
entry_point = 0x7ffd4e9da8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 1129
start_va = 0x7ffd4eb30000
end_va = 0x7ffd5008efff
monitored = 0
entry_point = 0x7ffd4ec911f0
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 1130
start_va = 0x7ffd500f0000
end_va = 0x7ffd50141fff
monitored = 0
entry_point = 0x7ffd500ff530
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 1131
start_va = 0x7ffd50150000
end_va = 0x7ffd501f6fff
monitored = 0
entry_point = 0x7ffd5015b4d0
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 1132
start_va = 0x7ffd50380000
end_va = 0x7ffd504c2fff
monitored = 0
entry_point = 0x7ffd503a8210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 1133
start_va = 0x7ffd504d0000
end_va = 0x7ffd50690fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Thread:
id = 24
os_tid = 0x784
Thread:
id = 25
os_tid = 0xd5c
Thread:
id = 26
os_tid = 0x370
Thread:
id = 27
os_tid = 0xb68
Thread:
id = 28
os_tid = 0xc50
Thread:
id = 29
os_tid = 0xe8
Thread:
id = 30
os_tid = 0x37c
Thread:
id = 31
os_tid = 0x374
Thread:
id = 32
os_tid = 0x614
Thread:
id = 33
os_tid = 0x608
Thread:
id = 34
os_tid = 0x43c
Thread:
id = 35
os_tid = 0x430
Thread:
id = 36
os_tid = 0x32c
Thread:
id = 37
os_tid = 0x9b0
Thread:
id = 38
os_tid = 0x73c
Thread:
id = 39
os_tid = 0x6f8
Thread:
id = 40
os_tid = 0xff8
Thread:
id = 41
os_tid = 0xc7c
Thread:
id = 42
os_tid = 0xc84
Thread:
id = 43
os_tid = 0xca0
Thread:
id = 44
os_tid = 0xc90
Thread:
id = 45
os_tid = 0xc94
Thread:
id = 46
os_tid = 0x9bc
Thread:
id = 47
os_tid = 0x5b0
Thread:
id = 48
os_tid = 0xab8
Thread:
id = 49
os_tid = 0xfc0
Thread:
id = 50
os_tid = 0xfa8
Thread:
id = 51
os_tid = 0xfa4
Thread:
id = 52
os_tid = 0xf9c
Thread:
id = 53
os_tid = 0xf64
Thread:
id = 54
os_tid = 0xf5c
Thread:
id = 55
os_tid = 0xf38
Thread:
id = 56
os_tid = 0xf24
Thread:
id = 57
os_tid = 0xf04
Thread:
id = 58
os_tid = 0xef0
Thread:
id = 59
os_tid = 0xec4
Thread:
id = 60
os_tid = 0xeb0
Thread:
id = 61
os_tid = 0xe3c
Thread:
id = 62
os_tid = 0xe1c
Thread:
id = 63
os_tid = 0xc28
Thread:
id = 64
os_tid = 0xa84
Thread:
id = 65
os_tid = 0xa80
Thread:
id = 66
os_tid = 0xa7c
Thread:
id = 67
os_tid = 0x9c8
Thread:
id = 68
os_tid = 0x9b8
Thread:
id = 69
os_tid = 0x94c
Thread:
id = 70
os_tid = 0x8e4
Thread:
id = 71
os_tid = 0x8e0
Thread:
id = 72
os_tid = 0x8d8
Thread:
id = 73
os_tid = 0x8c0
Thread:
id = 74
os_tid = 0x8a8
Thread:
id = 75
os_tid = 0x8a0
Thread:
id = 76
os_tid = 0x868
Thread:
id = 77
os_tid = 0x830
Thread:
id = 78
os_tid = 0x560
Thread:
id = 79
os_tid = 0x598
Thread:
id = 80
os_tid = 0x190
Thread:
id = 81
os_tid = 0x7cc
Thread:
id = 82
os_tid = 0x7ac
Thread:
id = 83
os_tid = 0x6e0
Thread:
id = 84
os_tid = 0x448
Thread:
id = 85
os_tid = 0x5b4
Thread:
id = 86
os_tid = 0x50c
Thread:
id = 87
os_tid = 0x4d4
Thread:
id = 88
os_tid = 0x484
Thread:
id = 89
os_tid = 0x464
Thread:
id = 90
os_tid = 0x414
Thread:
id = 91
os_tid = 0x2f4
Thread:
id = 92
os_tid = 0x284
Thread:
id = 93
os_tid = 0x264
Thread:
id = 94
os_tid = 0x210
Thread:
id = 95
os_tid = 0x144
Thread:
id = 96
os_tid = 0x140
Thread:
id = 97
os_tid = 0x120
Thread:
id = 98
os_tid = 0x11c
Thread:
id = 99
os_tid = 0x60
Thread:
id = 100
os_tid = 0x3fc
Thread:
id = 101
os_tid = 0x3f4
Thread:
id = 102
os_tid = 0x360
Process:
id = "7"
image_name = "35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe"
filename = "c:\\users\\rdhj0cnfevzx\\desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe"
page_root = "0x6cae5000"
os_pid = "0xc38"
os_integrity_level = "0x3000"
os_privileges = "0x60800000"
monitor_reason = "child_process"
parent_id = "1"
os_parent_pid = "0xfd4"
cmd_line = "\"C:\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe\""
cur_dir = "C:\\Users\\RDhJ0CNFevzX\\Desktop\\"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f4cd" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 1162
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 1163
start_va = 0x30000
end_va = 0x31fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000030000"
filename = ""
Region:
id = 1164
start_va = 0x40000
end_va = 0x54fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000040000"
filename = ""
Region:
id = 1165
start_va = 0x60000
end_va = 0x9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000060000"
filename = ""
Region:
id = 1166
start_va = 0xa0000
end_va = 0x19ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000a0000"
filename = ""
Region:
id = 1167
start_va = 0x1a0000
end_va = 0x1a3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001a0000"
filename = ""
Region:
id = 1168
start_va = 0x1b0000
end_va = 0x1b0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001b0000"
filename = ""
Region:
id = 1169
start_va = 0x1c0000
end_va = 0x1c1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 1170
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 1171
start_va = 0x400000
end_va = 0x489fff
monitored = 1
entry_point = 0x484132
region_type = mapped_file
name = "35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe"
filename = "\\Users\\RDhJ0CNFevzX\\Desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe" (normalized: "c:\\users\\rdhj0cnfevzx\\desktop\\35147128936c2e79548e5c0a2bbd70cd5a29c1b01dfa1ac2515fa5becb7efa6d.exe")
Region:
id = 1172
start_va = 0x77b90000
end_va = 0x77d0afff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll")
Region:
id = 1173
start_va = 0x7ffb0000
end_va = 0x7ffd2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007ffb0000"
filename = ""
Region:
id = 1174
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1175
start_va = 0x7fff0000
end_va = 0x7ffd504cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007fff0000"
filename = ""
Region:
id = 1176
start_va = 0x7ffd504d0000
end_va = 0x7ffd50690fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1177
start_va = 0x7ffd50691000
end_va = 0x7ffffffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00007ffd50691000"
filename = ""
Region:
id = 1178
start_va = 0x400000
end_va = 0x42efff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 1179
start_va = 0x510000
end_va = 0x51ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000510000"
filename = ""
Region:
id = 1180
start_va = 0x6edd0000
end_va = 0x6ee1ffff
monitored = 0
entry_point = 0x6ede8180
region_type = mapped_file
name = "wow64.dll"
filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll")
Region:
id = 1181
start_va = 0x6ee20000
end_va = 0x6ee99fff
monitored = 0
entry_point = 0x6ee33290
region_type = mapped_file
name = "wow64win.dll"
filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll")
Region:
id = 1182
start_va = 0x74f30000
end_va = 0x7500ffff
monitored = 0
entry_point = 0x74f43980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 1183
start_va = 0x6eea0000
end_va = 0x6eea7fff
monitored = 0
entry_point = 0x6eea17c0
region_type = mapped_file
name = "wow64cpu.dll"
filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll")
Region:
id = 1184
start_va = 0x520000
end_va = 0x6effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000520000"
filename = ""
Region:
id = 1185
start_va = 0x74f30000
end_va = 0x7500ffff
monitored = 0
entry_point = 0x74f43980
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll")
Region:
id = 1186
start_va = 0x76ad0000
end_va = 0x76c4dfff
monitored = 0
entry_point = 0x76b81b90
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll")
Region:
id = 1187
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1188
start_va = 0x7feb0000
end_va = 0x7ffaffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x000000007feb0000"
filename = ""
Region:
id = 1189
start_va = 0x430000
end_va = 0x4edfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1192
start_va = 0x6f0000
end_va = 0x86bfff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000006f0000"
filename = ""
Region:
id = 1193
start_va = 0x870000
end_va = 0x9f1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000870000"
filename = ""
Region:
id = 1194
start_va = 0xa00000
end_va = 0xcf9fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000a00000"
filename = ""
Region:
id = 1201
start_va = 0x20000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 1202
start_va = 0x6f0000
end_va = 0x7effff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000006f0000"
filename = ""
Region:
id = 1203
start_va = 0x20000
end_va = 0x3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Thread:
id = 105
os_tid = 0x448
[0207.085] RtlGetProcessHeaps (in: HeapCount=0x2, HeapArray=0x19f23c | out: HeapArray=0x19f23c*=0x5f0000) returned 0x1
[0207.201] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SYSTEM32\\ntdll.dll", NtPathName=0x19f1ec, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1
[0207.204] NtCreateFile (in: FileHandle=0x19f20c, DesiredAccess=0x120089, ObjectAttributes=0x19f1d4*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19f1f4, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19f20c*=0x6c, IoStatusBlock=0x19f1f4*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0
[0207.214] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5f2850) returned 1
[0207.219] NtQueryInformationFile (in: FileHandle=0x6c, IoStatusBlock=0x19f1f4, FileInformation=0x19f14c, Length=0x18, FileInformationClass=0x5 | out: IoStatusBlock=0x19f1f4, FileInformation=0x19f14c) returned 0x0
[0207.226] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1788a0) returned 0x6f2020
[0207.332] NtReadFile (in: FileHandle=0x6c, Event=0x0, UserApcRoutine=0x0, UserApcContext=0x0, IoStatusBlock=0x19f1f4, Buffer=0x6f2020, BufferLength=0x1784a0, ByteOffset=0x19f164*=0, Key=0x0 | out: IoStatusBlock=0x19f1f4, Buffer=0x6f2020*) returned 0x0
[0207.435] NtClose (Handle=0x6c) returned 0x0
[0207.435] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x17b001) returned 0x875020
[0207.533] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x6f2020) returned 1
[0207.676] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19f1e0*=0x0, ZeroBits=0x0, RegionSize=0x19f1e4*=0x2f9522, AllocationType=0x3000, Protect=0x40 | out: BaseAddress=0x19f1e0*=0xa00000, RegionSize=0x19f1e4*=0x2fa000) returned 0x0
[0207.815] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1000) returned 0x5f3468
[0207.815] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1000) returned 0x5f4470
[0207.817] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1000) returned 0x5f5478
[0207.817] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x2000) returned 0x5f6480
[0207.818] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5f5478) returned 1
[0207.818] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x3000) returned 0x5f8488
[0207.819] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5f6480) returned 1
[0207.890] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4000) returned 0x5fb490
[0207.891] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5f8488) returned 1
[0207.891] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x5000) returned 0x5f5478
[0207.892] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5fb490) returned 1
[0207.892] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1000) returned 0x5fa480
[0207.892] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x2000) returned 0x5fb488
[0207.892] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5fa480) returned 1
[0207.892] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x3000) returned 0x5fd490
[0207.893] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5fb488) returned 1
[0207.893] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4000) returned 0x600498
[0207.894] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5fd490) returned 1
[0207.894] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x5000) returned 0x5fa480
[0207.895] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x600498) returned 1
[0207.895] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1000) returned 0x5ff488
[0207.895] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x2000) returned 0x600490
[0207.895] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5ff488) returned 1
[0207.895] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x3000) returned 0x602498
[0207.895] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x600490) returned 1
[0207.895] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4000) returned 0x6054a0
[0207.896] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x602498) returned 1
[0207.897] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x5000) returned 0x5ff488
[0207.897] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x6054a0) returned 1
[0207.898] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5f3468) returned 1
[0207.898] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5f4470) returned 1
[0207.898] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5f5478) returned 1
[0207.899] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5fa480) returned 1
[0207.899] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5ff488) returned 1
[0208.037] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1000) returned 0x5f3468
[0208.038] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1000) returned 0x5f4470
[0208.038] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1000) returned 0x5f5478
[0208.038] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x2000) returned 0x5f6480
[0208.038] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5f5478) returned 1
[0208.039] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x3000) returned 0x5f8488
[0208.040] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5f6480) returned 1
[0208.040] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4000) returned 0x5fb490
[0208.041] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5f8488) returned 1
[0208.042] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x5000) returned 0x5f5478
[0208.043] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5fb490) returned 1
[0208.043] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1000) returned 0x5fa480
[0208.044] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x2000) returned 0x5fb488
[0208.044] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5fa480) returned 1
[0208.044] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x3000) returned 0x5fd490
[0208.045] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5fb488) returned 1
[0208.046] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4000) returned 0x600498
[0208.046] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5fd490) returned 1
[0208.046] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x5000) returned 0x5fa480
[0208.047] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x600498) returned 1
[0208.047] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x1000) returned 0x5ff488
[0208.047] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x2000) returned 0x600490
[0208.047] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5ff488) returned 1
[0208.048] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x3000) returned 0x602498
[0208.048] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x600490) returned 1
[0208.048] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x4000) returned 0x6054a0
[0208.049] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x602498) returned 1
[0208.049] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x5000) returned 0x5ff488
[0208.049] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x6054a0) returned 1
[0208.050] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5f3468) returned 1
[0208.050] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5f4470) returned 1
[0208.050] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5f5478) returned 1
[0208.051] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5fa480) returned 1
[0208.051] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5ff488) returned 1
[0208.051] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Windows\\SYSTEM32\\ntdll.dll", NtPathName=0x19f18c, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1
[0208.052] NtCreateFile (in: FileHandle=0x19f1ac, DesiredAccess=0x120089, ObjectAttributes=0x19f174*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Windows\\SYSTEM32\\ntdll.dll", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x19f194, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x7, CreateDisposition=0x1, CreateOptions=0x60, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x19f1ac*=0x6c, IoStatusBlock=0x19f194*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0
[0208.052] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5f2850) returned 1
[0208.052] NtQueryInformationFile (in: FileHandle=0x6c, IoStatusBlock=0x19f194, FileInformation=0x19ef08, Length=0x208, FileInformationClass=0x9 | out: IoStatusBlock=0x19f194, FileInformation=0x19ef08) returned 0x0
[0208.052] NtClose (Handle=0x6c) returned 0x0
[0208.052] RtlAllocateHeap (HeapHandle=0x5f0000, Flags=0x0, Size=0x208) returned 0x5f3468
[0208.052] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x5f3468) returned 1
[0208.059] NtQueryVirtualMemory (in: ProcessHandle=0xffffffff, Address=0x6eea11d0, VirtualMemoryInformationClass=0x0, VirtualMemoryInformation=0x19f1c8, Length=0x1c, ResultLength=0x0 | out: VirtualMemoryInformation=0x19f1c8*(BaseAddress=0x6eea1000, AllocationBase=0x6eea0000, AllocationProtect=0x80, RegionSize=0x2000, State=0x1000, Protect=0x20, Type=0x1000000), ResultLength=0x0) returned 0x0
[0209.106] NtQuerySystemInformation (in: SystemInformationClass=0x23, SystemInformation=0x19f220, Length=0x2, ResultLength=0x0 | out: SystemInformation=0x19f220, ResultLength=0x0) returned 0x0
[0209.132] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x7, ProcessInformation=0x19f244, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0x19f244, ReturnLength=0x0) returned 0x0
[0209.206] RtlFreeHeap (HeapHandle=0x5f0000, Flags=0x0, BaseAddress=0x875020) returned 1
[0209.264] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19eed4*=0x0, ZeroBits=0x0, RegionSize=0x19eed8*=0x10000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x19eed4*=0x20000, RegionSize=0x19eed8*=0x10000) returned 0x0
[0209.269] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x20000, Length=0x10000, ResultLength=0x0 | out: SystemInformation=0x20000, ResultLength=0x0) returned 0xc0000004
[0209.282] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x19f234*=0x20000, RegionSize=0x19eef8, FreeType=0x8000) returned 0x0
[0209.282] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x19eec0*=0x0, ZeroBits=0x0, RegionSize=0x19eec4*=0x20000, AllocationType=0x1000, Protect=0x4 | out: BaseAddress=0x19eec0*=0x20000, RegionSize=0x19eec4*=0x20000) returned 0x0
[0209.282] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x20000, Length=0x20000, ResultLength=0x0 | out: SystemInformation=0x20000, ResultLength=0x0) returned 0x0
[0209.356] NtFreeVirtualMemory (ProcessHandle=0xffffffff, BaseAddress=0x19f234*=0x20000, RegionSize=0x19f238, FreeType=0x8000) returned 0x0
[0209.368] RtlQueryEnvironmentVariable_U (in: Environment=0x0, Name="USERNAME", Value=0x19eff0 | out: Value="RDhJ0CNFevzX") returned 0x0
Process:
id = "8"
image_name = "svchost.exe"
filename = "c:\\windows\\system32\\svchost.exe"
page_root = "0x5edd3000"
os_pid = "0x3ec"
os_integrity_level = "0x4000"
os_privileges = "0xe60b1e890"
monitor_reason = "created_scheduled_job"
parent_id = "3"
os_parent_pid = "0x218"
cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs"
cur_dir = "C:\\Windows\\system32\\"
os_username = "NT AUTHORITY\\SYSTEM"
bitness = "32"
os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000cf9f" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe]
Region:
id = 1342
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 1343
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 1344
start_va = 0x50000
end_va = 0xcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 1345
start_va = 0xd0000
end_va = 0xd3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000d0000"
filename = ""
Region:
id = 1346
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 1347
start_va = 0xf0000
end_va = 0xf1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 1348
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 1349
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1350
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 1351
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 1352
start_va = 0x7ff7b2fa0000
end_va = 0x7ff7b2facfff
monitored = 0
entry_point = 0x7ff7b2fa3980
region_type = mapped_file
name = "svchost.exe"
filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")
Region:
id = 1353
start_va = 0x7ff9f7ad0000
end_va = 0x7ff9f7c90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1470
start_va = 0x570000
end_va = 0x576fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000570000"
filename = ""
Region:
id = 1471
start_va = 0x600000
end_va = 0x6fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 1472
start_va = 0x7ff9f4aa0000
end_va = 0x7ff9f4c87fff
monitored = 0
entry_point = 0x7ff9f4acba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 1473
start_va = 0x7ff9f5370000
end_va = 0x7ff9f541cfff
monitored = 0
entry_point = 0x7ff9f53881a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 1474
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1475
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 1476
start_va = 0x100000
end_va = 0x1bdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1477
start_va = 0x7ff9f6d30000
end_va = 0x7ff9f6d8afff
monitored = 0
entry_point = 0x7ff9f6d438b0
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 1478
start_va = 0x7ff9f6980000
end_va = 0x7ff9f6a9bfff
monitored = 0
entry_point = 0x7ff9f69c02b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 1479
start_va = 0x400000
end_va = 0x47ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 1480
start_va = 0x7ff9f3290000
end_va = 0x7ff9f3383fff
monitored = 0
entry_point = 0x7ff9f329a960
region_type = mapped_file
name = "ucrtbase.dll"
filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll")
Region:
id = 1481
start_va = 0x7ff9f7780000
end_va = 0x7ff9f79fcfff
monitored = 0
entry_point = 0x7ff9f7854970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 1482
start_va = 0x7ff9f6aa0000
end_va = 0x7ff9f6b3cfff
monitored = 0
entry_point = 0x7ff9f6aa78a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 1483
start_va = 0x7ff9f4d20000
end_va = 0x7ff9f4d89fff
monitored = 0
entry_point = 0x7ff9f4d56d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 1484
start_va = 0x480000
end_va = 0x516fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000480000"
filename = ""
Region:
id = 1485
start_va = 0x700000
end_va = 0x8fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000700000"
filename = ""
Region:
id = 1486
start_va = 0x700000
end_va = 0x7fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000700000"
filename = ""
Region:
id = 1487
start_va = 0x800000
end_va = 0x8dcfff
monitored = 0
entry_point = 0x85e0b0
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 1488
start_va = 0x7ff9f4170000
end_va = 0x7ff9f417efff
monitored = 0
entry_point = 0x7ff9f4173210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 1489
start_va = 0x7ff9f6d90000
end_va = 0x7ff9f6ee5fff
monitored = 0
entry_point = 0x7ff9f6d9a8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 1490
start_va = 0x7ff9f7540000
end_va = 0x7ff9f76c5fff
monitored = 0
entry_point = 0x7ff9f758ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 1491
start_va = 0x800000
end_va = 0x987fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000800000"
filename = ""
Region:
id = 1492
start_va = 0x990000
end_va = 0xb10fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000990000"
filename = ""
Region:
id = 1493
start_va = 0xb20000
end_va = 0xbdffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000b20000"
filename = ""
Region:
id = 1494
start_va = 0x20000
end_va = 0x21fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000020000"
filename = ""
Region:
id = 1495
start_va = 0x1c0000
end_va = 0x1c0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001c0000"
filename = ""
Region:
id = 1496
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 1497
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001e0000"
filename = ""
Region:
id = 1498
start_va = 0xbe0000
end_va = 0xfdafff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000be0000"
filename = ""
Region:
id = 1499
start_va = 0xfe0000
end_va = 0x1116fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000fe0000"
filename = ""
Region:
id = 1500
start_va = 0x1120000
end_va = 0x131ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001120000"
filename = ""
Region:
id = 1501
start_va = 0x1200000
end_va = 0x12fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001200000"
filename = ""
Region:
id = 1502
start_va = 0xfe0000
end_va = 0x10dffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000fe0000"
filename = ""
Region:
id = 1503
start_va = 0x1110000
end_va = 0x1116fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001110000"
filename = ""
Region:
id = 1504
start_va = 0x7ff9ee5e0000
end_va = 0x7ff9ee72cfff
monitored = 0
entry_point = 0x7ff9ee623da0
region_type = mapped_file
name = "gpsvc.dll"
filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll")
Region:
id = 1505
start_va = 0x7ff9f2da0000
end_va = 0x7ff9f2dabfff
monitored = 0
entry_point = 0x7ff9f2da2480
region_type = mapped_file
name = "sysntfy.dll"
filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll")
Region:
id = 1506
start_va = 0x7ff9ee5c0000
end_va = 0x7ff9ee5d7fff
monitored = 0
entry_point = 0x7ff9ee5c5910
region_type = mapped_file
name = "nlaapi.dll"
filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll")
Region:
id = 1507
start_va = 0x7ff9ee5b0000
end_va = 0x7ff9ee5b9fff
monitored = 0
entry_point = 0x7ff9ee5b1660
region_type = mapped_file
name = "dsrole.dll"
filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll")
Region:
id = 1508
start_va = 0x1300000
end_va = 0x13fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001300000"
filename = ""
Region:
id = 1509
start_va = 0x7ff9f70d0000
end_va = 0x7ff9f7190fff
monitored = 0
entry_point = 0x7ff9f70f0da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 1510
start_va = 0x1400000
end_va = 0x1542fff
monitored = 0
entry_point = 0x1428210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 1511
start_va = 0x7ff9ee5a0000
end_va = 0x7ff9ee5aafff
monitored = 0
entry_point = 0x7ff9ee5a1770
region_type = mapped_file
name = "lfsvc.dll"
filename = "\\Windows\\System32\\lfsvc.dll" (normalized: "c:\\windows\\system32\\lfsvc.dll")
Region:
id = 1512
start_va = 0x7ff9f09b0000
end_va = 0x7ff9f0a41fff
monitored = 0
entry_point = 0x7ff9f09fa780
region_type = mapped_file
name = "msvcp110_win.dll"
filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll")
Region:
id = 1513
start_va = 0x7ff9ee420000
end_va = 0x7ff9ee59bfff
monitored = 0
entry_point = 0x7ff9ee471650
region_type = mapped_file
name = "locationframework.dll"
filename = "\\Windows\\System32\\LocationFramework.dll" (normalized: "c:\\windows\\system32\\locationframework.dll")
Region:
id = 1514
start_va = 0x7ff9f40f0000
end_va = 0x7ff9f413afff
monitored = 0
entry_point = 0x7ff9f40f35f0
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")
Region:
id = 1515
start_va = 0x7ff9f76d0000
end_va = 0x7ff9f7776fff
monitored = 0
entry_point = 0x7ff9f76e58d0
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 1516
start_va = 0x7ff9f48d0000
end_va = 0x7ff9f4a96fff
monitored = 0
entry_point = 0x7ff9f492db80
region_type = mapped_file
name = "crypt32.dll"
filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll")
Region:
id = 1517
start_va = 0x7ff9f4140000
end_va = 0x7ff9f414ffff
monitored = 0
entry_point = 0x7ff9f41456e0
region_type = mapped_file
name = "msasn1.dll"
filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll")
Region:
id = 1518
start_va = 0x7ff9f6f00000
end_va = 0x7ff9f6f6afff
monitored = 0
entry_point = 0x7ff9f6f190c0
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 1519
start_va = 0x1400000
end_va = 0x1506fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001400000"
filename = ""
Region:
id = 1520
start_va = 0x7ff9f1d60000
end_va = 0x7ff9f1d9ffff
monitored = 0
entry_point = 0x7ff9f1d71960
region_type = mapped_file
name = "brokerlib.dll"
filename = "\\Windows\\System32\\BrokerLib.dll" (normalized: "c:\\windows\\system32\\brokerlib.dll")
Region:
id = 1521
start_va = 0x1510000
end_va = 0x170ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001510000"
filename = ""
Region:
id = 1522
start_va = 0x1600000
end_va = 0x16fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001600000"
filename = ""
Region:
id = 1523
start_va = 0x7ff9ee3b0000
end_va = 0x7ff9ee410fff
monitored = 0
entry_point = 0x7ff9ee3b4b50
region_type = mapped_file
name = "wlanapi.dll"
filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll")
Region:
id = 1524
start_va = 0x7ff9ee2e0000
end_va = 0x7ff9ee3a7fff
monitored = 0
entry_point = 0x7ff9ee3213f0
region_type = mapped_file
name = "winhttp.dll"
filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll")
Region:
id = 1525
start_va = 0x480000
end_va = 0x4fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000480000"
filename = ""
Region:
id = 1526
start_va = 0x510000
end_va = 0x516fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000510000"
filename = ""
Region:
id = 1527
start_va = 0x7ff9f0b70000
end_va = 0x7ff9f0ba5fff
monitored = 0
entry_point = 0x7ff9f0b80070
region_type = mapped_file
name = "xmllite.dll"
filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll")
Region:
id = 1528
start_va = 0x1400000
end_va = 0x14fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001400000"
filename = ""
Region:
id = 1529
start_va = 0x1500000
end_va = 0x1506fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001500000"
filename = ""
Region:
id = 1530
start_va = 0x1f0000
end_va = 0x1f0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001f0000"
filename = ""
Region:
id = 1531
start_va = 0x1700000
end_va = 0x17fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001700000"
filename = ""
Region:
id = 1532
start_va = 0x1800000
end_va = 0x18fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001800000"
filename = ""
Region:
id = 1533
start_va = 0x7ff9f7a20000
end_va = 0x7ff9f7ac6fff
monitored = 0
entry_point = 0x7ff9f7a2b4d0
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 1534
start_va = 0x500000
end_va = 0x500fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000500000"
filename = ""
Region:
id = 1535
start_va = 0x1900000
end_va = 0x1c36fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1536
start_va = 0x1c40000
end_va = 0x1d3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001c40000"
filename = ""
Region:
id = 1537
start_va = 0x7ff9ee2c0000
end_va = 0x7ff9ee2dffff
monitored = 0
entry_point = 0x7ff9ee2c39a0
region_type = mapped_file
name = "locationwinpalmisc.dll"
filename = "\\Windows\\System32\\LocationWinPalMisc.dll" (normalized: "c:\\windows\\system32\\locationwinpalmisc.dll")
Region:
id = 1538
start_va = 0x7ff9f5420000
end_va = 0x7ff9f697efff
monitored = 0
entry_point = 0x7ff9f55811f0
region_type = mapped_file
name = "shell32.dll"
filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll")
Region:
id = 1539
start_va = 0x7ff9f4230000
end_va = 0x7ff9f4272fff
monitored = 0
entry_point = 0x7ff9f4244b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 1540
start_va = 0x7ff9f4280000
end_va = 0x7ff9f48c3fff
monitored = 0
entry_point = 0x7ff9f44464b0
region_type = mapped_file
name = "windows.storage.dll"
filename = "\\Windows\\System32\\windows.storage.dll" (normalized: "c:\\windows\\system32\\windows.storage.dll")
Region:
id = 1541
start_va = 0x7ff9f7370000
end_va = 0x7ff9f73c1fff
monitored = 0
entry_point = 0x7ff9f737f530
region_type = mapped_file
name = "shlwapi.dll"
filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll")
Region:
id = 1542
start_va = 0x7ff9f4e10000
end_va = 0x7ff9f4ec4fff
monitored = 0
entry_point = 0x7ff9f4e522e0
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")
Region:
id = 1543
start_va = 0x7ff9f4150000
end_va = 0x7ff9f4163fff
monitored = 0
entry_point = 0x7ff9f41552e0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 1544
start_va = 0x7ff9f38b0000
end_va = 0x7ff9f38cefff
monitored = 0
entry_point = 0x7ff9f38b5d30
region_type = mapped_file
name = "userenv.dll"
filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll")
Region:
id = 1545
start_va = 0x7ff9f2d70000
end_va = 0x7ff9f2d96fff
monitored = 0
entry_point = 0x7ff9f2d77940
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")
Region:
id = 1546
start_va = 0x7ff9ee2b0000
end_va = 0x7ff9ee2bbfff
monitored = 0
entry_point = 0x7ff9ee2b14d0
region_type = mapped_file
name = "locationframeworkps.dll"
filename = "\\Windows\\System32\\LocationFrameworkPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkps.dll")
Region:
id = 1547
start_va = 0x7ff9ee1f0000
end_va = 0x7ff9ee2aefff
monitored = 0
entry_point = 0x7ff9ee211c50
region_type = mapped_file
name = "taskschd.dll"
filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll")
Region:
id = 1548
start_va = 0x520000
end_va = 0x520fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000520000"
filename = ""
Region:
id = 1549
start_va = 0x1d40000
end_va = 0x1e3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001d40000"
filename = ""
Region:
id = 1550
start_va = 0x7ff9ee1b0000
end_va = 0x7ff9ee1e6fff
monitored = 0
entry_point = 0x7ff9ee1b6020
region_type = mapped_file
name = "gnssadapter.dll"
filename = "\\Windows\\System32\\GnssAdapter.dll" (normalized: "c:\\windows\\system32\\gnssadapter.dll")
Region:
id = 1551
start_va = 0x7ff9ee150000
end_va = 0x7ff9ee1a4fff
monitored = 0
entry_point = 0x7ff9ee153fb0
region_type = mapped_file
name = "policymanager.dll"
filename = "\\Windows\\System32\\policymanager.dll" (normalized: "c:\\windows\\system32\\policymanager.dll")
Region:
id = 1552
start_va = 0x7ff9ee050000
end_va = 0x7ff9ee14bfff
monitored = 0
entry_point = 0x7ff9ee086df0
region_type = mapped_file
name = "schedsvc.dll"
filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll")
Region:
id = 1553
start_va = 0x1e40000
end_va = 0x1f3ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001e40000"
filename = ""
Region:
id = 1554
start_va = 0x7ff9ee000000
end_va = 0x7ff9ee040fff
monitored = 0
entry_point = 0x7ff9ee017eb0
region_type = mapped_file
name = "ubpm.dll"
filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll")
Region:
id = 1555
start_va = 0x7ff9f3f60000
end_va = 0x7ff9f3f78fff
monitored = 0
entry_point = 0x7ff9f3f65e10
region_type = mapped_file
name = "eventaggregation.dll"
filename = "\\Windows\\System32\\EventAggregation.dll" (normalized: "c:\\windows\\system32\\eventaggregation.dll")
Region:
id = 1556
start_va = 0xfe0000
end_va = 0x10d6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000fe0000"
filename = ""
Region:
id = 1557
start_va = 0x1f40000
end_va = 0x213ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f40000"
filename = ""
Region:
id = 1558
start_va = 0x2000000
end_va = 0x20fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002000000"
filename = ""
Region:
id = 1559
start_va = 0x2100000
end_va = 0x21fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002100000"
filename = ""
Region:
id = 1560
start_va = 0x7ff9f33f0000
end_va = 0x7ff9f3438fff
monitored = 0
entry_point = 0x7ff9f33fa090
region_type = mapped_file
name = "authz.dll"
filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll")
Region:
id = 1561
start_va = 0x7ff9edfe0000
end_va = 0x7ff9edff0fff
monitored = 0
entry_point = 0x7ff9edfe3320
region_type = mapped_file
name = "wmiclnt.dll"
filename = "\\Windows\\System32\\wmiclnt.dll" (normalized: "c:\\windows\\system32\\wmiclnt.dll")
Region:
id = 1562
start_va = 0x7ff9f3dd0000
end_va = 0x7ff9f3dfcfff
monitored = 0
entry_point = 0x7ff9f3de9d40
region_type = mapped_file
name = "sspicli.dll"
filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll")
Region:
id = 1563
start_va = 0x530000
end_va = 0x530fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000530000"
filename = ""
Region:
id = 1564
start_va = 0x7ff9edfc0000
end_va = 0x7ff9edfd9fff
monitored = 0
entry_point = 0x7ff9edfc2cf0
region_type = mapped_file
name = "locationpelegacywinlocation.dll"
filename = "\\Windows\\System32\\LocationPeLegacyWinLocation.dll" (normalized: "c:\\windows\\system32\\locationpelegacywinlocation.dll")
Region:
id = 1565
start_va = 0x7ff9f6f70000
end_va = 0x7ff9f70b2fff
monitored = 0
entry_point = 0x7ff9f6f98210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 1566
start_va = 0x7ff9f3f80000
end_va = 0x7ff9f3fa8fff
monitored = 0
entry_point = 0x7ff9f3f94530
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")
Region:
id = 1567
start_va = 0x580000
end_va = 0x5fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000580000"
filename = ""
Region:
id = 1568
start_va = 0x1300000
end_va = 0x13fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001300000"
filename = ""
Region:
id = 1569
start_va = 0x7ff9edf50000
end_va = 0x7ff9edfbdfff
monitored = 0
entry_point = 0x7ff9edf57f60
region_type = mapped_file
name = "taskcomp.dll"
filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll")
Region:
id = 1571
start_va = 0x7ff9edef0000
end_va = 0x7ff9edf31fff
monitored = 0
entry_point = 0x7ff9edef27d0
region_type = mapped_file
name = "mstask.dll"
filename = "\\Windows\\System32\\mstask.dll" (normalized: "c:\\windows\\system32\\mstask.dll")
Region:
id = 1572
start_va = 0x530000
end_va = 0x531fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000530000"
filename = ""
Region:
id = 1573
start_va = 0x7ff9edec0000
end_va = 0x7ff9edee4fff
monitored = 0
entry_point = 0x7ff9eded2f20
region_type = mapped_file
name = "wificonnapi.dll"
filename = "\\Windows\\System32\\wificonnapi.dll" (normalized: "c:\\windows\\system32\\wificonnapi.dll")
Region:
id = 1574
start_va = 0x7ff9edea0000
end_va = 0x7ff9edeb0fff
monitored = 0
entry_point = 0x7ff9edea7ea0
region_type = mapped_file
name = "dcpapi.dll"
filename = "\\Windows\\System32\\dcpapi.dll" (normalized: "c:\\windows\\system32\\dcpapi.dll")
Region:
id = 1575
start_va = 0x7ff9ede60000
end_va = 0x7ff9ede98fff
monitored = 0
entry_point = 0x7ff9ede69c90
region_type = mapped_file
name = "aepic.dll"
filename = "\\Windows\\System32\\aepic.dll" (normalized: "c:\\windows\\system32\\aepic.dll")
Region:
id = 1576
start_va = 0x7ff9edc80000
end_va = 0x7ff9edc90fff
monitored = 0
entry_point = 0x7ff9edc83e10
region_type = mapped_file
name = "sfc_os.dll"
filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll")
Region:
id = 1577
start_va = 0x7ff9eef50000
end_va = 0x7ff9ef2d1fff
monitored = 0
entry_point = 0x7ff9eefa1220
region_type = mapped_file
name = "iertutil.dll"
filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll")
Region:
id = 1578
start_va = 0x2200000
end_va = 0x22fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002200000"
filename = ""
Region:
id = 1579
start_va = 0x7ff9edb70000
end_va = 0x7ff9edc20fff
monitored = 0
entry_point = 0x7ff9edbe88b0
region_type = mapped_file
name = "cellularapi.dll"
filename = "\\Windows\\System32\\CellularAPI.dll" (normalized: "c:\\windows\\system32\\cellularapi.dll")
Region:
id = 1580
start_va = 0x7ff9ede80000
end_va = 0x7ff9ede91fff
monitored = 0
entry_point = 0x7ff9ede89260
region_type = mapped_file
name = "rilproxy.dll"
filename = "\\Windows\\System32\\rilproxy.dll" (normalized: "c:\\windows\\system32\\rilproxy.dll")
Region:
id = 1581
start_va = 0x7ff9f3640000
end_va = 0x7ff9f3670fff
monitored = 0
entry_point = 0x7ff9f3647d10
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll")
Region:
id = 1582
start_va = 0x2300000
end_va = 0x23fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002300000"
filename = ""
Region:
id = 1583
start_va = 0x7ff9eda90000
end_va = 0x7ff9edae4fff
monitored = 0
entry_point = 0x7ff9eda9fc00
region_type = mapped_file
name = "profsvc.dll"
filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll")
Region:
id = 1584
start_va = 0xfe0000
end_va = 0x105ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000fe0000"
filename = ""
Region:
id = 1585
start_va = 0x10d0000
end_va = 0x10d6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000010d0000"
filename = ""
Region:
id = 1586
start_va = 0x7ff9ed9e0000
end_va = 0x7ff9eda8dfff
monitored = 0
entry_point = 0x7ff9ed9f80c0
region_type = mapped_file
name = "windows.networking.connectivity.dll"
filename = "\\Windows\\System32\\Windows.Networking.Connectivity.dll" (normalized: "c:\\windows\\system32\\windows.networking.connectivity.dll")
Region:
id = 1587
start_va = 0x1120000
end_va = 0x119ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001120000"
filename = ""
Region:
id = 1588
start_va = 0x7ff9ed9b0000
end_va = 0x7ff9ed9defff
monitored = 0
entry_point = 0x7ff9ed9b8910
region_type = mapped_file
name = "wptaskscheduler.dll"
filename = "\\Windows\\System32\\WPTaskScheduler.dll" (normalized: "c:\\windows\\system32\\wptaskscheduler.dll")
Region:
id = 1589
start_va = 0x7ff9ede70000
end_va = 0x7ff9ede7cfff
monitored = 0
entry_point = 0x7ff9ede72ca0
region_type = mapped_file
name = "csystemeventsbrokerclient.dll"
filename = "\\Windows\\System32\\CSystemEventsBrokerClient.dll" (normalized: "c:\\windows\\system32\\csystemeventsbrokerclient.dll")
Region:
id = 1590
start_va = 0x2400000
end_va = 0x24fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002400000"
filename = ""
Region:
id = 1591
start_va = 0x7ff9ed990000
end_va = 0x7ff9ed9a5fff
monitored = 0
entry_point = 0x7ff9ed991b60
region_type = mapped_file
name = "wkscli.dll"
filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll")
Region:
id = 1592
start_va = 0x1510000
end_va = 0x158ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001510000"
filename = ""
Region:
id = 1593
start_va = 0x7ff9ed970000
end_va = 0x7ff9ed982fff
monitored = 0
entry_point = 0x7ff9ed9757f0
region_type = mapped_file
name = "themeservice.dll"
filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll")
Region:
id = 1594
start_va = 0x7ff9ed940000
end_va = 0x7ff9ed96dfff
monitored = 0
entry_point = 0x7ff9ed947550
region_type = mapped_file
name = "netjoin.dll"
filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll")
Region:
id = 1595
start_va = 0x7ff9f3c30000
end_va = 0x7ff9f3c50fff
monitored = 0
entry_point = 0x7ff9f3c40250
region_type = mapped_file
name = "joinutil.dll"
filename = "\\Windows\\System32\\joinutil.dll" (normalized: "c:\\windows\\system32\\joinutil.dll")
Region:
id = 1596
start_va = 0x7ff9f3390000
end_va = 0x7ff9f33e5fff
monitored = 0
entry_point = 0x7ff9f33a0bf0
region_type = mapped_file
name = "winsta.dll"
filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll")
Region:
id = 1597
start_va = 0x7ff9f3560000
end_va = 0x7ff9f356bfff
monitored = 0
entry_point = 0x7ff9f35627e0
region_type = mapped_file
name = "netutils.dll"
filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll")
Region:
id = 1598
start_va = 0x7ff9ed910000
end_va = 0x7ff9ed936fff
monitored = 0
entry_point = 0x7ff9ed913bf0
region_type = mapped_file
name = "profsvcext.dll"
filename = "\\Windows\\System32\\profsvcext.dll" (normalized: "c:\\windows\\system32\\profsvcext.dll")
Region:
id = 1599
start_va = 0x7ff9f73d0000
end_va = 0x7ff9f742bfff
monitored = 0
entry_point = 0x7ff9f73eb720
region_type = mapped_file
name = "wldap32.dll"
filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll")
Region:
id = 1600
start_va = 0x2500000
end_va = 0x25fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002500000"
filename = ""
Region:
id = 1601
start_va = 0x7ff9ed8d0000
end_va = 0x7ff9ed90dfff
monitored = 0
entry_point = 0x7ff9ed8da050
region_type = mapped_file
name = "logoncli.dll"
filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll")
Region:
id = 1602
start_va = 0x7ff9ed8b0000
end_va = 0x7ff9ed8c6fff
monitored = 0
entry_point = 0x7ff9ed8b5630
region_type = mapped_file
name = "sens.dll"
filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll")
Region:
id = 1603
start_va = 0x540000
end_va = 0x540fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000540000"
filename = ""
Region:
id = 1604
start_va = 0x7ff9f3a20000
end_va = 0x7ff9f3a7bfff
monitored = 0
entry_point = 0x7ff9f3a36f70
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll")
Region:
id = 1605
start_va = 0x7ff9f30f0000
end_va = 0x7ff9f3113fff
monitored = 0
entry_point = 0x7ff9f30f3260
region_type = mapped_file
name = "gpapi.dll"
filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll")
Region:
id = 1606
start_va = 0x2600000
end_va = 0x26fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002600000"
filename = ""
Region:
id = 1607
start_va = 0x7ff9ed7c0000
end_va = 0x7ff9ed8a5fff
monitored = 0
entry_point = 0x7ff9ed7dcf10
region_type = mapped_file
name = "usermgr.dll"
filename = "\\Windows\\System32\\usermgr.dll" (normalized: "c:\\windows\\system32\\usermgr.dll")
Region:
id = 1608
start_va = 0x7ff9ef2e0000
end_va = 0x7ff9ef415fff
monitored = 0
entry_point = 0x7ff9ef30f350
region_type = mapped_file
name = "wintypes.dll"
filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll")
Region:
id = 1609
start_va = 0x550000
end_va = 0x550fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000550000"
filename = ""
Region:
id = 1610
start_va = 0x7ff9f28e0000
end_va = 0x7ff9f28f2fff
monitored = 0
entry_point = 0x7ff9f28e2760
region_type = mapped_file
name = "wtsapi32.dll"
filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll")
Region:
id = 1611
start_va = 0x7ff9ed630000
end_va = 0x7ff9ed63bfff
monitored = 0
entry_point = 0x7ff9ed632830
region_type = mapped_file
name = "bi.dll"
filename = "\\Windows\\System32\\bi.dll" (normalized: "c:\\windows\\system32\\bi.dll")
Region:
id = 1612
start_va = 0x7ff9f1400000
end_va = 0x7ff9f1407fff
monitored = 0
entry_point = 0x7ff9f14013e0
region_type = mapped_file
name = "dabapi.dll"
filename = "\\Windows\\System32\\dabapi.dll" (normalized: "c:\\windows\\system32\\dabapi.dll")
Region:
id = 1615
start_va = 0x2700000
end_va = 0x27fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002700000"
filename = ""
Region:
id = 1616
start_va = 0x560000
end_va = 0x560fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000560000"
filename = ""
Region:
id = 1617
start_va = 0x560000
end_va = 0x560fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000560000"
filename = ""
Region:
id = 1618
start_va = 0x7ff9ed360000
end_va = 0x7ff9ed3a0fff
monitored = 0
entry_point = 0x7ff9ed364840
region_type = mapped_file
name = "usermgrproxy.dll"
filename = "\\Windows\\System32\\UserMgrProxy.dll" (normalized: "c:\\windows\\system32\\usermgrproxy.dll")
Region:
id = 1619
start_va = 0x7ff9f2880000
end_va = 0x7ff9f289bfff
monitored = 0
entry_point = 0x7ff9f28837a0
region_type = mapped_file
name = "samlib.dll"
filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll")
Region:
id = 1620
start_va = 0x2800000
end_va = 0x29fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002800000"
filename = ""
Region:
id = 1621
start_va = 0x2800000
end_va = 0x28fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002800000"
filename = ""
Region:
id = 1622
start_va = 0x1f40000
end_va = 0x1fbffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f40000"
filename = ""
Region:
id = 1623
start_va = 0x7ff9edc30000
end_va = 0x7ff9edc93fff
monitored = 0
entry_point = 0x7ff9edc45ae0
region_type = mapped_file
name = "wevtapi.dll"
filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll")
Region:
id = 1624
start_va = 0x2100000
end_va = 0x21fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002100000"
filename = ""
Region:
id = 1625
start_va = 0x7ff9ecf80000
end_va = 0x7ff9ed019fff
monitored = 0
entry_point = 0x7ff9ecf9ada0
region_type = mapped_file
name = "shsvcs.dll"
filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll")
Region:
id = 1626
start_va = 0x7ff9f26f0000
end_va = 0x7ff9f2875fff
monitored = 0
entry_point = 0x7ff9f273d700
region_type = mapped_file
name = "propsys.dll"
filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll")
Region:
id = 1627
start_va = 0x560000
end_va = 0x563fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 1628
start_va = 0x1060000
end_va = 0x10a4fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000005.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000005.db")
Region:
id = 1629
start_va = 0x10b0000
end_va = 0x10b3fff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "cversions.2.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db")
Region:
id = 1630
start_va = 0x2500000
end_va = 0x258dfff
monitored = 1
entry_point = 0x0
region_type = mapped_file
name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db"
filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000001.db")
Region:
id = 1631
start_va = 0x2900000
end_va = 0x2afffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002900000"
filename = ""
Region:
id = 1632
start_va = 0x2900000
end_va = 0x29fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002900000"
filename = ""
Region:
id = 1633
start_va = 0x7ff9ecf70000
end_va = 0x7ff9ecf7dfff
monitored = 0
entry_point = 0x7ff9ecf71460
region_type = mapped_file
name = "npmproxy.dll"
filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll")
Region:
id = 1737
start_va = 0x2a00000
end_va = 0x2a7ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002a00000"
filename = ""
Region:
id = 1759
start_va = 0x7ff9ec6d0000
end_va = 0x7ff9ec78ffff
monitored = 0
entry_point = 0x7ff9ec6ffd20
region_type = mapped_file
name = "fveapi.dll"
filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll")
Region:
id = 1760
start_va = 0x10c0000
end_va = 0x10c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000010c0000"
filename = ""
Region:
id = 1761
start_va = 0x10c0000
end_va = 0x10c0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000010c0000"
filename = ""
Region:
id = 1773
start_va = 0x7ff9ec670000
end_va = 0x7ff9ec6c1fff
monitored = 0
entry_point = 0x7ff9ec6738e0
region_type = mapped_file
name = "proximityservice.dll"
filename = "\\Windows\\System32\\ProximityService.dll" (normalized: "c:\\windows\\system32\\proximityservice.dll")
Region:
id = 1774
start_va = 0x7ff9ec640000
end_va = 0x7ff9ec66cfff
monitored = 0
entry_point = 0x7ff9ec642290
region_type = mapped_file
name = "proximitycommon.dll"
filename = "\\Windows\\System32\\ProximityCommon.dll" (normalized: "c:\\windows\\system32\\proximitycommon.dll")
Region:
id = 1775
start_va = 0x7ff9f0ae0000
end_va = 0x7ff9f0ae8fff
monitored = 0
entry_point = 0x7ff9f0ae1ed0
region_type = mapped_file
name = "proximitycommonpal.dll"
filename = "\\Windows\\System32\\ProximityCommonPal.dll" (normalized: "c:\\windows\\system32\\proximitycommonpal.dll")
Region:
id = 1776
start_va = 0x7ff9ed500000
end_va = 0x7ff9ed537fff
monitored = 0
entry_point = 0x7ff9ed518cc0
region_type = mapped_file
name = "iphlpapi.dll"
filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll")
Region:
id = 1777
start_va = 0x7ff9f0ad0000
end_va = 0x7ff9f0adffff
monitored = 0
entry_point = 0x7ff9f0ad1700
region_type = mapped_file
name = "proximityservicepal.dll"
filename = "\\Windows\\System32\\ProximityServicePal.dll" (normalized: "c:\\windows\\system32\\proximityservicepal.dll")
Region:
id = 1778
start_va = 0x7ff9f4c90000
end_va = 0x7ff9f4d15fff
monitored = 0
entry_point = 0x7ff9f4c9d8f0
region_type = mapped_file
name = "firewallapi.dll"
filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll")
Region:
id = 1779
start_va = 0x7ff9f2e70000
end_va = 0x7ff9f2ea1fff
monitored = 0
entry_point = 0x7ff9f2e82340
region_type = mapped_file
name = "fwbase.dll"
filename = "\\Windows\\System32\\fwbase.dll" (normalized: "c:\\windows\\system32\\fwbase.dll")
Region:
id = 1783
start_va = 0x7ff9edf40000
end_va = 0x7ff9edf4ffff
monitored = 0
entry_point = 0x7ff9edf42c60
region_type = mapped_file
name = "usermgrcli.dll"
filename = "\\Windows\\System32\\usermgrcli.dll" (normalized: "c:\\windows\\system32\\usermgrcli.dll")
Region:
id = 1784
start_va = 0x7ff9f30e0000
end_va = 0x7ff9f30ebfff
monitored = 0
entry_point = 0x7ff9f30e2790
region_type = mapped_file
name = "hid.dll"
filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll")
Region:
id = 1785
start_va = 0x7ff9f28a0000
end_va = 0x7ff9f28d1fff
monitored = 0
entry_point = 0x7ff9f28ab0c0
region_type = mapped_file
name = "shacct.dll"
filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll")
Region:
id = 1786
start_va = 0x7ff9ec330000
end_va = 0x7ff9ec3cafff
monitored = 0
entry_point = 0x7ff9ec337220
region_type = mapped_file
name = "settingsync.dll"
filename = "\\Windows\\System32\\SettingSync.dll" (normalized: "c:\\windows\\system32\\settingsync.dll")
Region:
id = 1788
start_va = 0x10c0000
end_va = 0x10c1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000010c0000"
filename = ""
Region:
id = 1789
start_va = 0x2a80000
end_va = 0x2b5ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui")
Region:
id = 1802
start_va = 0x7ff9ec140000
end_va = 0x7ff9ec150fff
monitored = 0
entry_point = 0x7ff9ec1428d0
region_type = mapped_file
name = "credentialmigrationhandler.dll"
filename = "\\Windows\\System32\\CredentialMigrationHandler.dll" (normalized: "c:\\windows\\system32\\credentialmigrationhandler.dll")
Region:
id = 1803
start_va = 0x2b60000
end_va = 0x2c5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002b60000"
filename = ""
Region:
id = 1804
start_va = 0x2c60000
end_va = 0x2cdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002c60000"
filename = ""
Region:
id = 1805
start_va = 0x7ff9edaf0000
end_va = 0x7ff9edb69fff
monitored = 0
entry_point = 0x7ff9edb17630
region_type = mapped_file
name = "es.dll"
filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll")
Region:
id = 1806
start_va = 0x10e0000
end_va = 0x10e0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000010e0000"
filename = ""
Region:
id = 1807
start_va = 0x7ff9f3fb0000
end_va = 0x7ff9f4048fff
monitored = 0
entry_point = 0x7ff9f3fdf4e0
region_type = mapped_file
name = "sxs.dll"
filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll")
Region:
id = 1808
start_va = 0x10e0000
end_va = 0x10e1fff
monitored = 0
entry_point = 0x10e5630
region_type = mapped_file
name = "sens.dll"
filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll")
Region:
id = 1809
start_va = 0x10f0000
end_va = 0x10f4fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "stdole2.tlb"
filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb")
Region:
id = 1810
start_va = 0x2ce0000
end_va = 0x2ddffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002ce0000"
filename = ""
Region:
id = 1880
start_va = 0x2de0000
end_va = 0x2edffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002de0000"
filename = ""
Region:
id = 1883
start_va = 0x10e0000
end_va = 0x10e1fff
monitored = 0
entry_point = 0x10e5630
region_type = mapped_file
name = "sens.dll"
filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll")
Region:
id = 1884
start_va = 0x10f0000
end_va = 0x10f4fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "stdole2.tlb"
filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb")
Region:
id = 1891
start_va = 0x1100000
end_va = 0x1100fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000001100000"
filename = ""
Thread:
id = 107
os_tid = 0x3f0
Thread:
id = 108
os_tid = 0x3f4
Thread:
id = 109
os_tid = 0x154
Thread:
id = 110
os_tid = 0x150
Thread:
id = 111
os_tid = 0x8
Thread:
id = 112
os_tid = 0x168
Thread:
id = 113
os_tid = 0x188
Thread:
id = 114
os_tid = 0x18c
Thread:
id = 115
os_tid = 0x190
Thread:
id = 116
os_tid = 0x194
Thread:
id = 117
os_tid = 0x17c
Thread:
id = 118
os_tid = 0x174
Thread:
id = 119
os_tid = 0x170
Thread:
id = 120
os_tid = 0x1d0
Thread:
id = 121
os_tid = 0x2b0
Thread:
id = 122
os_tid = 0x324
Thread:
id = 123
os_tid = 0x2cc
Thread:
id = 124
os_tid = 0x398
Thread:
id = 125
os_tid = 0x3c8
Thread:
id = 126
os_tid = 0x3d8
Thread:
id = 127
os_tid = 0x150
Thread:
id = 128
os_tid = 0x414
Thread:
id = 129
os_tid = 0x480
Thread:
id = 130
os_tid = 0x4f0
Thread:
id = 131
os_tid = 0x4a0
Thread:
id = 147
os_tid = 0x54c
Thread:
id = 153
os_tid = 0x610
Thread:
id = 154
os_tid = 0x618
Thread:
id = 161
os_tid = 0x638
Thread:
id = 162
os_tid = 0x614
Process:
id = "9"
image_name = "svchost.exe"
filename = "c:\\windows\\system32\\svchost.exe"
page_root = "0x5f2bb000"
os_pid = "0x3b8"
os_integrity_level = "0x4000"
os_privileges = "0x60800000"
monitor_reason = "rpc_server"
parent_id = "8"
os_parent_pid = "0x218"
cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService"
cur_dir = "C:\\Windows\\system32\\"
os_username = "NT AUTHORITY\\Local Service"
bitness = "32"
os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AJRouter" [0xa], "NT SERVICE\\bthserv" [0xa], "NT SERVICE\\CDPSvc" [0xa], "NT SERVICE\\EventSystem" [0xa], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\FontCache" [0xa], "NT SERVICE\\LicenseManager" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\PhoneSvc" [0xa], "NT SERVICE\\RemoteRegistry" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\tzautoupdate" [0xe], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT SERVICE\\workfolderssvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000cbcf" [0xc000000f], "LOCAL" [0x7]
Region:
id = 1634
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1635
start_va = 0x20000
end_va = 0x26fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 1636
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 1637
start_va = 0x50000
end_va = 0xcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 1638
start_va = 0xd0000
end_va = 0xd3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000d0000"
filename = ""
Region:
id = 1639
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 1640
start_va = 0xf0000
end_va = 0xf1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 1641
start_va = 0x100000
end_va = 0x1bdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1642
start_va = 0x1c0000
end_va = 0x1c1fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001c0000"
filename = ""
Region:
id = 1643
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001d0000"
filename = ""
Region:
id = 1644
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001e0000"
filename = ""
Region:
id = 1645
start_va = 0x1f0000
end_va = 0x1f0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001f0000"
filename = ""
Region:
id = 1646
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 1647
start_va = 0x400000
end_va = 0x47ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 1648
start_va = 0x480000
end_va = 0x53ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000480000"
filename = ""
Region:
id = 1649
start_va = 0x540000
end_va = 0x540fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000540000"
filename = ""
Region:
id = 1650
start_va = 0x550000
end_va = 0x550fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000550000"
filename = ""
Region:
id = 1651
start_va = 0x560000
end_va = 0x560fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000560000"
filename = ""
Region:
id = 1652
start_va = 0x570000
end_va = 0x571fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "netprofmsvc.dll.mui"
filename = "\\Windows\\System32\\en-US\\netprofmsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netprofmsvc.dll.mui")
Region:
id = 1653
start_va = 0x5a0000
end_va = 0x5a6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000005a0000"
filename = ""
Region:
id = 1654
start_va = 0x600000
end_va = 0x6fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 1655
start_va = 0x700000
end_va = 0x7fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000700000"
filename = ""
Region:
id = 1656
start_va = 0x800000
end_va = 0x987fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000800000"
filename = ""
Region:
id = 1657
start_va = 0x990000
end_va = 0xb10fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000990000"
filename = ""
Region:
id = 1658
start_va = 0xb20000
end_va = 0xf1afff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000b20000"
filename = ""
Region:
id = 1659
start_va = 0xf20000
end_va = 0xf9ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000f20000"
filename = ""
Region:
id = 1660
start_va = 0xfa0000
end_va = 0xfe8fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "~fontcache-system.dat"
filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-System.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-system.dat")
Region:
id = 1661
start_va = 0x1100000
end_va = 0x1106fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001100000"
filename = ""
Region:
id = 1662
start_va = 0x1200000
end_va = 0x12fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001200000"
filename = ""
Region:
id = 1663
start_va = 0x1300000
end_va = 0x13fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001300000"
filename = ""
Region:
id = 1664
start_va = 0x1400000
end_va = 0x14fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001400000"
filename = ""
Region:
id = 1665
start_va = 0x1500000
end_va = 0x15fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001500000"
filename = ""
Region:
id = 1666
start_va = 0x1600000
end_va = 0x16fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001600000"
filename = ""
Region:
id = 1667
start_va = 0x1700000
end_va = 0x17fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001700000"
filename = ""
Region:
id = 1668
start_va = 0x1800000
end_va = 0x27fffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "~fontcache-fontface.dat"
filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-FontFace.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-fontface.dat")
Region:
id = 1669
start_va = 0x2800000
end_va = 0x28fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002800000"
filename = ""
Region:
id = 1670
start_va = 0x2900000
end_va = 0x29fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002900000"
filename = ""
Region:
id = 1671
start_va = 0x2a00000
end_va = 0x2d36fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "sortdefault.nls"
filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls")
Region:
id = 1672
start_va = 0x2f00000
end_va = 0x2ffffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002f00000"
filename = ""
Region:
id = 1673
start_va = 0x3100000
end_va = 0x31fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003100000"
filename = ""
Region:
id = 1674
start_va = 0x3200000
end_va = 0x32fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003200000"
filename = ""
Region:
id = 1675
start_va = 0x3300000
end_va = 0x33fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003300000"
filename = ""
Region:
id = 1676
start_va = 0x3400000
end_va = 0x34fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003400000"
filename = ""
Region:
id = 1677
start_va = 0x3500000
end_va = 0x35fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003500000"
filename = ""
Region:
id = 1678
start_va = 0x3600000
end_va = 0x36fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003600000"
filename = ""
Region:
id = 1679
start_va = 0x3700000
end_va = 0x37fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000003700000"
filename = ""
Region:
id = 1680
start_va = 0x5700000
end_va = 0x57fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000005700000"
filename = ""
Region:
id = 1681
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1682
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 1683
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 1684
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 1685
start_va = 0x7ff7b2fa0000
end_va = 0x7ff7b2facfff
monitored = 0
entry_point = 0x7ff7b2fa3980
region_type = mapped_file
name = "svchost.exe"
filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe")
Region:
id = 1686
start_va = 0x7ff9ecf70000
end_va = 0x7ff9ecf7dfff
monitored = 0
entry_point = 0x7ff9ecf71460
region_type = mapped_file
name = "npmproxy.dll"
filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll")
Region:
id = 1687
start_va = 0x7ff9ed020000
end_va = 0x7ff9ed0aafff
monitored = 0
entry_point = 0x7ff9ed03d2a0
region_type = mapped_file
name = "netprofmsvc.dll"
filename = "\\Windows\\System32\\netprofmsvc.dll" (normalized: "c:\\windows\\system32\\netprofmsvc.dll")
Region:
id = 1688
start_va = 0x7ff9edaf0000
end_va = 0x7ff9edb69fff
monitored = 0
entry_point = 0x7ff9edb17630
region_type = mapped_file
name = "es.dll"
filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll")
Region:
id = 1689
start_va = 0x7ff9ede60000
end_va = 0x7ff9ede6cfff
monitored = 0
entry_point = 0x7ff9ede62650
region_type = mapped_file
name = "nsisvc.dll"
filename = "\\Windows\\System32\\nsisvc.dll" (normalized: "c:\\windows\\system32\\nsisvc.dll")
Region:
id = 1690
start_va = 0x7ff9ee2b0000
end_va = 0x7ff9ee2bbfff
monitored = 0
entry_point = 0x7ff9ee2b14d0
region_type = mapped_file
name = "locationframeworkps.dll"
filename = "\\Windows\\System32\\LocationFrameworkPS.dll" (normalized: "c:\\windows\\system32\\locationframeworkps.dll")
Region:
id = 1691
start_va = 0x7ff9ee5c0000
end_va = 0x7ff9ee5d7fff
monitored = 0
entry_point = 0x7ff9ee5c5910
region_type = mapped_file
name = "nlaapi.dll"
filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll")
Region:
id = 1692
start_va = 0x7ff9ee730000
end_va = 0x7ff9ee758fff
monitored = 0
entry_point = 0x7ff9ee7424d0
region_type = mapped_file
name = "fontprovider.dll"
filename = "\\Windows\\System32\\FontProvider.dll" (normalized: "c:\\windows\\system32\\fontprovider.dll")
Region:
id = 1693
start_va = 0x7ff9ee760000
end_va = 0x7ff9ee901fff
monitored = 0
entry_point = 0x7ff9ee7ac2d0
region_type = mapped_file
name = "fntcache.dll"
filename = "\\Windows\\System32\\FntCache.dll" (normalized: "c:\\windows\\system32\\fntcache.dll")
Region:
id = 1694
start_va = 0x7ff9f0920000
end_va = 0x7ff9f0969fff
monitored = 0
entry_point = 0x7ff9f092ac30
region_type = mapped_file
name = "deviceaccess.dll"
filename = "\\Windows\\System32\\deviceaccess.dll" (normalized: "c:\\windows\\system32\\deviceaccess.dll")
Region:
id = 1695
start_va = 0x7ff9f0970000
end_va = 0x7ff9f09a2fff
monitored = 0
entry_point = 0x7ff9f097d5a0
region_type = mapped_file
name = "biwinrt.dll"
filename = "\\Windows\\System32\\biwinrt.dll" (normalized: "c:\\windows\\system32\\biwinrt.dll")
Region:
id = 1696
start_va = 0x7ff9f09b0000
end_va = 0x7ff9f0a41fff
monitored = 0
entry_point = 0x7ff9f09fa780
region_type = mapped_file
name = "msvcp110_win.dll"
filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll")
Region:
id = 1697
start_va = 0x7ff9f0a50000
end_va = 0x7ff9f0ac8fff
monitored = 0
entry_point = 0x7ff9f0a67800
region_type = mapped_file
name = "geolocation.dll"
filename = "\\Windows\\System32\\Geolocation.dll" (normalized: "c:\\windows\\system32\\geolocation.dll")
Region:
id = 1698
start_va = 0x7ff9f0ad0000
end_va = 0x7ff9f0ae9fff
monitored = 0
entry_point = 0x7ff9f0adb670
region_type = mapped_file
name = "tzautoupdate.dll"
filename = "\\Windows\\System32\\tzautoupdate.dll" (normalized: "c:\\windows\\system32\\tzautoupdate.dll")
Region:
id = 1699
start_va = 0x7ff9f0b70000
end_va = 0x7ff9f0ba5fff
monitored = 0
entry_point = 0x7ff9f0b80070
region_type = mapped_file
name = "xmllite.dll"
filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll")
Region:
id = 1700
start_va = 0x7ff9f2bc0000
end_va = 0x7ff9f2cbffff
monitored = 0
entry_point = 0x7ff9f2c00f80
region_type = mapped_file
name = "twinapi.appcore.dll"
filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll")
Region:
id = 1701
start_va = 0x7ff9f3290000
end_va = 0x7ff9f3383fff
monitored = 0
entry_point = 0x7ff9f329a960
region_type = mapped_file
name = "ucrtbase.dll"
filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll")
Region:
id = 1702
start_va = 0x7ff9f38b0000
end_va = 0x7ff9f38cefff
monitored = 0
entry_point = 0x7ff9f38b5d30
region_type = mapped_file
name = "userenv.dll"
filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll")
Region:
id = 1703
start_va = 0x7ff9f3f80000
end_va = 0x7ff9f3fa8fff
monitored = 0
entry_point = 0x7ff9f3f94530
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")
Region:
id = 1704
start_va = 0x7ff9f4150000
end_va = 0x7ff9f4163fff
monitored = 0
entry_point = 0x7ff9f41552e0
region_type = mapped_file
name = "profapi.dll"
filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll")
Region:
id = 1705
start_va = 0x7ff9f4170000
end_va = 0x7ff9f417efff
monitored = 0
entry_point = 0x7ff9f4173210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 1706
start_va = 0x7ff9f4aa0000
end_va = 0x7ff9f4c87fff
monitored = 0
entry_point = 0x7ff9f4acba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 1707
start_va = 0x7ff9f4d20000
end_va = 0x7ff9f4d89fff
monitored = 0
entry_point = 0x7ff9f4d56d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 1708
start_va = 0x7ff9f4e10000
end_va = 0x7ff9f4ec4fff
monitored = 0
entry_point = 0x7ff9f4e522e0
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")
Region:
id = 1709
start_va = 0x7ff9f5360000
end_va = 0x7ff9f5367fff
monitored = 0
entry_point = 0x7ff9f5361ea0
region_type = mapped_file
name = "nsi.dll"
filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll")
Region:
id = 1710
start_va = 0x7ff9f5370000
end_va = 0x7ff9f541cfff
monitored = 0
entry_point = 0x7ff9f53881a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 1711
start_va = 0x7ff9f6980000
end_va = 0x7ff9f6a9bfff
monitored = 0
entry_point = 0x7ff9f69c02b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 1712
start_va = 0x7ff9f6aa0000
end_va = 0x7ff9f6b3cfff
monitored = 0
entry_point = 0x7ff9f6aa78a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 1713
start_va = 0x7ff9f6d30000
end_va = 0x7ff9f6d8afff
monitored = 0
entry_point = 0x7ff9f6d438b0
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 1714
start_va = 0x7ff9f6d90000
end_va = 0x7ff9f6ee5fff
monitored = 0
entry_point = 0x7ff9f6d9a8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 1715
start_va = 0x7ff9f6f70000
end_va = 0x7ff9f70b2fff
monitored = 0
entry_point = 0x7ff9f6f98210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 1716
start_va = 0x7ff9f70d0000
end_va = 0x7ff9f7190fff
monitored = 0
entry_point = 0x7ff9f70f0da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 1717
start_va = 0x7ff9f7540000
end_va = 0x7ff9f76c5fff
monitored = 0
entry_point = 0x7ff9f758ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 1718
start_va = 0x7ff9f76d0000
end_va = 0x7ff9f7776fff
monitored = 0
entry_point = 0x7ff9f76e58d0
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 1719
start_va = 0x7ff9f7780000
end_va = 0x7ff9f79fcfff
monitored = 0
entry_point = 0x7ff9f7854970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 1720
start_va = 0x7ff9f7a20000
end_va = 0x7ff9f7ac6fff
monitored = 0
entry_point = 0x7ff9f7a2b4d0
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 1721
start_va = 0x7ff9f7ad0000
end_va = 0x7ff9f7c90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1722
start_va = 0xff0000
end_va = 0x10cefff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "segoeui.ttf"
filename = "\\Windows\\Fonts\\segoeui.ttf" (normalized: "c:\\windows\\fonts\\segoeui.ttf")
Region:
id = 1723
start_va = 0x1110000
end_va = 0x11d3fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "segoeuisl.ttf"
filename = "\\Windows\\Fonts\\segoeuisl.ttf" (normalized: "c:\\windows\\fonts\\segoeuisl.ttf")
Region:
id = 1724
start_va = 0x3800000
end_va = 0x3ffffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "~fontcache-s-1-5-18.dat"
filename = "\\Windows\\ServiceProfiles\\LocalService\\AppData\\Local\\FontCache\\~FontCache-S-1-5-18.dat" (normalized: "c:\\windows\\serviceprofiles\\localservice\\appdata\\local\\fontcache\\~fontcache-s-1-5-18.dat")
Region:
id = 1738
start_va = 0xff0000
end_va = 0x10b3fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "segoeuisl.ttf"
filename = "\\Windows\\Fonts\\segoeuisl.ttf" (normalized: "c:\\windows\\fonts\\segoeuisl.ttf")
Region:
id = 1739
start_va = 0x5b0000
end_va = 0x5ddfff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000005b0000"
filename = ""
Region:
id = 1740
start_va = 0x1110000
end_va = 0x11e3fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "segoeuil.ttf"
filename = "\\Windows\\Fonts\\segoeuil.ttf" (normalized: "c:\\windows\\fonts\\segoeuil.ttf")
Region:
id = 1741
start_va = 0x2d40000
end_va = 0x2e1ffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui")
Region:
id = 1751
start_va = 0x7ff9ec830000
end_va = 0x7ff9ec843fff
monitored = 0
entry_point = 0x7ff9ec831a50
region_type = mapped_file
name = "wlanradiomanager.dll"
filename = "\\Windows\\System32\\WlanRadioManager.dll" (normalized: "c:\\windows\\system32\\wlanradiomanager.dll")
Region:
id = 1752
start_va = 0x7ff9ed500000
end_va = 0x7ff9ed537fff
monitored = 0
entry_point = 0x7ff9ed518cc0
region_type = mapped_file
name = "iphlpapi.dll"
filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll")
Region:
id = 1753
start_va = 0x7ff9ee3b0000
end_va = 0x7ff9ee410fff
monitored = 0
entry_point = 0x7ff9ee3b4b50
region_type = mapped_file
name = "wlanapi.dll"
filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll")
Region:
id = 1754
start_va = 0x7ff9ec7b0000
end_va = 0x7ff9ec7c8fff
monitored = 0
entry_point = 0x7ff9ec7b2180
region_type = mapped_file
name = "bthradiomedia.dll"
filename = "\\Windows\\System32\\BthRadioMedia.dll" (normalized: "c:\\windows\\system32\\bthradiomedia.dll")
Region:
id = 1755
start_va = 0x7ff9f4230000
end_va = 0x7ff9f4272fff
monitored = 0
entry_point = 0x7ff9f4244b50
region_type = mapped_file
name = "cfgmgr32.dll"
filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll")
Region:
id = 1756
start_va = 0x7ff9f2d70000
end_va = 0x7ff9f2d96fff
monitored = 0
entry_point = 0x7ff9f2d77940
region_type = mapped_file
name = "devobj.dll"
filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll")
Region:
id = 1757
start_va = 0x7ff9ec790000
end_va = 0x7ff9ec7adfff
monitored = 0
entry_point = 0x7ff9ec791690
region_type = mapped_file
name = "bluetoothapis.dll"
filename = "\\Windows\\System32\\BluetoothApis.dll" (normalized: "c:\\windows\\system32\\bluetoothapis.dll")
Region:
id = 1758
start_va = 0x7ff9ed600000
end_va = 0x7ff9ed60afff
monitored = 0
entry_point = 0x7ff9ed601d30
region_type = mapped_file
name = "winnsi.dll"
filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll")
Region:
id = 1762
start_va = 0x7ff9f6f00000
end_va = 0x7ff9f6f6afff
monitored = 0
entry_point = 0x7ff9f6f190c0
region_type = mapped_file
name = "ws2_32.dll"
filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll")
Region:
id = 1763
start_va = 0x4000000
end_va = 0x41fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004000000"
filename = ""
Region:
id = 1764
start_va = 0x4000000
end_va = 0x40fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004000000"
filename = ""
Region:
id = 1772
start_va = 0x7ff9f3a20000
end_va = 0x7ff9f3a7bfff
monitored = 0
entry_point = 0x7ff9f3a36f70
region_type = mapped_file
name = "mswsock.dll"
filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll")
Region:
id = 1780
start_va = 0x7ff9f30f0000
end_va = 0x7ff9f3113fff
monitored = 0
entry_point = 0x7ff9f30f3260
region_type = mapped_file
name = "gpapi.dll"
filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll")
Region:
id = 1781
start_va = 0x4100000
end_va = 0x41fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004100000"
filename = ""
Region:
id = 1782
start_va = 0x7ff9ee2e0000
end_va = 0x7ff9ee3a7fff
monitored = 0
entry_point = 0x7ff9ee3213f0
region_type = mapped_file
name = "winhttp.dll"
filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll")
Region:
id = 1787
start_va = 0x7ff9f40f0000
end_va = 0x7ff9f413afff
monitored = 0
entry_point = 0x7ff9f40f35f0
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")
Region:
id = 1790
start_va = 0x4200000
end_va = 0x42fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004200000"
filename = ""
Region:
id = 1791
start_va = 0x7ff9ed4e0000
end_va = 0x7ff9ed4f5fff
monitored = 0
entry_point = 0x7ff9ed4e19f0
region_type = mapped_file
name = "dhcpcsvc6.dll"
filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll")
Region:
id = 1792
start_va = 0x7ff9ed4c0000
end_va = 0x7ff9ed4d9fff
monitored = 0
entry_point = 0x7ff9ed4c2430
region_type = mapped_file
name = "dhcpcsvc.dll"
filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll")
Region:
id = 1793
start_va = 0x7ff9f2b10000
end_va = 0x7ff9f2bb9fff
monitored = 0
entry_point = 0x7ff9f2b37910
region_type = mapped_file
name = "dnsapi.dll"
filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll")
Region:
id = 1794
start_va = 0x4300000
end_va = 0x43fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000004300000"
filename = ""
Region:
id = 1795
start_va = 0x7ff9ec320000
end_va = 0x7ff9ec329fff
monitored = 0
entry_point = 0x7ff9ec3214c0
region_type = mapped_file
name = "rasadhlp.dll"
filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll")
Thread:
id = 132
os_tid = 0x53c
Thread:
id = 133
os_tid = 0x538
Thread:
id = 134
os_tid = 0x534
Thread:
id = 135
os_tid = 0x530
Thread:
id = 136
os_tid = 0x52c
Thread:
id = 137
os_tid = 0x508
Thread:
id = 138
os_tid = 0x148
Thread:
id = 139
os_tid = 0x158
Thread:
id = 140
os_tid = 0x15c
Thread:
id = 141
os_tid = 0x14c
Thread:
id = 142
os_tid = 0x3e4
Thread:
id = 143
os_tid = 0x3e0
Thread:
id = 144
os_tid = 0x3dc
Thread:
id = 145
os_tid = 0x3c0
Thread:
id = 146
os_tid = 0x3bc
Thread:
id = 149
os_tid = 0x5b4
Thread:
id = 151
os_tid = 0x5d0
Thread:
id = 152
os_tid = 0x5f4
Process:
id = "10"
image_name = "taskhostw.exe"
filename = "c:\\windows\\system32\\taskhostw.exe"
page_root = "0x44d1f000"
os_pid = "0x544"
os_integrity_level = "0x4000"
os_privileges = "0xe60b1e890"
monitor_reason = "child_process"
parent_id = "8"
os_parent_pid = "0x3ec"
cmd_line = "taskhostw.exe TpmTasks"
cur_dir = "C:\\Windows\\system32\\"
os_username = "NT AUTHORITY\\SYSTEM"
bitness = "32"
os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xe], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\DcpSvc" [0xa], "NT SERVICE\\dmwappushservice" [0xa], "NT SERVICE\\DoSvc" [0xa], "NT SERVICE\\DsmSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\lfsvc" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\NcaSvc" [0xa], "NT SERVICE\\NetSetupSvc" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\RetailDemo" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\UsoSvc" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wlidsvc" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT SERVICE\\XboxNetApiSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000cf9f" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe]
Region:
id = 1725
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 1726
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 1727
start_va = 0x50000
end_va = 0xcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 1728
start_va = 0xd0000
end_va = 0xd3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000d0000"
filename = ""
Region:
id = 1729
start_va = 0xe0000
end_va = 0xe0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000e0000"
filename = ""
Region:
id = 1730
start_va = 0xf0000
end_va = 0xf1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000f0000"
filename = ""
Region:
id = 1731
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 1732
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1733
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 1734
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 1735
start_va = 0x7ff6f6ff0000
end_va = 0x7ff6f7008fff
monitored = 0
entry_point = 0x7ff6f6ff59b0
region_type = mapped_file
name = "taskhostw.exe"
filename = "\\Windows\\System32\\taskhostw.exe" (normalized: "c:\\windows\\system32\\taskhostw.exe")
Region:
id = 1736
start_va = 0x7ff9f7ad0000
end_va = 0x7ff9f7c90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1742
start_va = 0x500000
end_va = 0x5fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000500000"
filename = ""
Region:
id = 1743
start_va = 0x7ff9f4aa0000
end_va = 0x7ff9f4c87fff
monitored = 0
entry_point = 0x7ff9f4acba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 1744
start_va = 0x7ff9f5370000
end_va = 0x7ff9f541cfff
monitored = 0
entry_point = 0x7ff9f53881a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 1745
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1746
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 1747
start_va = 0x100000
end_va = 0x1bdfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1748
start_va = 0x7ff9f6aa0000
end_va = 0x7ff9f6b3cfff
monitored = 0
entry_point = 0x7ff9f6aa78a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 1749
start_va = 0x400000
end_va = 0x47ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 1750
start_va = 0x7ff9f6980000
end_va = 0x7ff9f6a9bfff
monitored = 0
entry_point = 0x7ff9f69c02b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 1796
start_va = 0x7ff9f7780000
end_va = 0x7ff9f79fcfff
monitored = 0
entry_point = 0x7ff9f7854970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 1797
start_va = 0x7ff9f4d20000
end_va = 0x7ff9f4d89fff
monitored = 0
entry_point = 0x7ff9f4d56d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 1798
start_va = 0x7ff9f70d0000
end_va = 0x7ff9f7190fff
monitored = 0
entry_point = 0x7ff9f70f0da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 1799
start_va = 0x600000
end_va = 0x72ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000600000"
filename = ""
Region:
id = 1800
start_va = 0x20000
end_va = 0x26fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 1801
start_va = 0x730000
end_va = 0x872fff
monitored = 0
entry_point = 0x758210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 1868
start_va = 0x600000
end_va = 0x6dcfff
monitored = 0
entry_point = 0x65e0b0
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 1869
start_va = 0x720000
end_va = 0x72ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000720000"
filename = ""
Region:
id = 1870
start_va = 0x7ff9f4170000
end_va = 0x7ff9f417efff
monitored = 0
entry_point = 0x7ff9f4173210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 1871
start_va = 0x1c0000
end_va = 0x1c6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 1872
start_va = 0x7ff9f6d90000
end_va = 0x7ff9f6ee5fff
monitored = 0
entry_point = 0x7ff9f6d9a8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 1873
start_va = 0x7ff9f7540000
end_va = 0x7ff9f76c5fff
monitored = 0
entry_point = 0x7ff9f758ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Thread:
id = 148
os_tid = 0x548
Thread:
id = 150
os_tid = 0x580
Process:
id = "11"
image_name = "sihost.exe"
filename = "c:\\windows\\system32\\sihost.exe"
page_root = "0x377c7000"
os_pid = "0x61c"
os_integrity_level = "0x2000"
os_privileges = "0x800000"
monitor_reason = "child_process"
parent_id = "8"
os_parent_pid = "0x3ec"
cmd_line = "sihost.exe"
cur_dir = "C:\\Windows\\system32\\"
os_username = "XC64ZB\\RDhJ0CNFevzX"
bitness = "32"
os_groups = "XC64ZB\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:000118ee" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7]
Region:
id = 1811
start_va = 0x10000
end_va = 0x2ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000010000"
filename = ""
Region:
id = 1812
start_va = 0x30000
end_va = 0x44fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000030000"
filename = ""
Region:
id = 1813
start_va = 0x50000
end_va = 0xcffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000050000"
filename = ""
Region:
id = 1814
start_va = 0xd0000
end_va = 0xd3fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000000d0000"
filename = ""
Region:
id = 1815
start_va = 0xe0000
end_va = 0xe1fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000000e0000"
filename = ""
Region:
id = 1816
start_va = 0x200000
end_va = 0x3fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000200000"
filename = ""
Region:
id = 1817
start_va = 0x7ffe0000
end_va = 0x7ffeffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x000000007ffe0000"
filename = ""
Region:
id = 1818
start_va = 0x7df5fffc0000
end_va = 0x7df5fffe2fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5fffc0000"
filename = ""
Region:
id = 1819
start_va = 0x7df5ffff0000
end_va = 0x7ff5fffeffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffff0000"
filename = ""
Region:
id = 1820
start_va = 0x7ff7b4e20000
end_va = 0x7ff7b4e35fff
monitored = 0
entry_point = 0x7ff7b4e25190
region_type = mapped_file
name = "sihost.exe"
filename = "\\Windows\\System32\\sihost.exe" (normalized: "c:\\windows\\system32\\sihost.exe")
Region:
id = 1821
start_va = 0x7ff9f7ad0000
end_va = 0x7ff9f7c90fff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "ntdll.dll"
filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll")
Region:
id = 1822
start_va = 0x10000
end_va = 0x1ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000010000"
filename = ""
Region:
id = 1823
start_va = 0x540000
end_va = 0x63ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000540000"
filename = ""
Region:
id = 1824
start_va = 0x7df5ffec0000
end_va = 0x7df5fffbffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00007df5ffec0000"
filename = ""
Region:
id = 1825
start_va = 0x7ff9f4aa0000
end_va = 0x7ff9f4c87fff
monitored = 0
entry_point = 0x7ff9f4acba70
region_type = mapped_file
name = "kernelbase.dll"
filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll")
Region:
id = 1826
start_va = 0x7ff9f5370000
end_va = 0x7ff9f541cfff
monitored = 0
entry_point = 0x7ff9f53881a0
region_type = mapped_file
name = "kernel32.dll"
filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll")
Region:
id = 1827
start_va = 0xf0000
end_va = 0x1adfff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "locale.nls"
filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls")
Region:
id = 1828
start_va = 0x7ff9f6aa0000
end_va = 0x7ff9f6b3cfff
monitored = 0
entry_point = 0x7ff9f6aa78a0
region_type = mapped_file
name = "msvcrt.dll"
filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll")
Region:
id = 1829
start_va = 0x400000
end_va = 0x47ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000400000"
filename = ""
Region:
id = 1830
start_va = 0x7ff9f7780000
end_va = 0x7ff9f79fcfff
monitored = 0
entry_point = 0x7ff9f7854970
region_type = mapped_file
name = "combase.dll"
filename = "\\Windows\\System32\\combase.dll" (normalized: "c:\\windows\\system32\\combase.dll")
Region:
id = 1831
start_va = 0x7ff9f6980000
end_va = 0x7ff9f6a9bfff
monitored = 0
entry_point = 0x7ff9f69c02b0
region_type = mapped_file
name = "rpcrt4.dll"
filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll")
Region:
id = 1832
start_va = 0x7ff9f4d20000
end_va = 0x7ff9f4d89fff
monitored = 0
entry_point = 0x7ff9f4d56d50
region_type = mapped_file
name = "bcryptprimitives.dll"
filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll")
Region:
id = 1833
start_va = 0x7ff9f6d30000
end_va = 0x7ff9f6d8afff
monitored = 0
entry_point = 0x7ff9f6d438b0
region_type = mapped_file
name = "sechost.dll"
filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll")
Region:
id = 1834
start_va = 0x7ff9f76d0000
end_va = 0x7ff9f7776fff
monitored = 0
entry_point = 0x7ff9f76e58d0
region_type = mapped_file
name = "advapi32.dll"
filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll")
Region:
id = 1835
start_va = 0x20000
end_va = 0x26fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000020000"
filename = ""
Region:
id = 1836
start_va = 0x7ff9f3640000
end_va = 0x7ff9f3670fff
monitored = 0
entry_point = 0x7ff9f3647d10
region_type = mapped_file
name = "ntmarta.dll"
filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll")
Region:
id = 1837
start_va = 0x7ff9f21c0000
end_va = 0x7ff9f227dfff
monitored = 0
entry_point = 0x7ff9f2202d40
region_type = mapped_file
name = "coremessaging.dll"
filename = "\\Windows\\System32\\CoreMessaging.dll" (normalized: "c:\\windows\\system32\\coremessaging.dll")
Region:
id = 1838
start_va = 0x7ff9ebcf0000
end_va = 0x7ff9ebf77fff
monitored = 0
entry_point = 0x7ff9ebd4f670
region_type = mapped_file
name = "coreuicomponents.dll"
filename = "\\Windows\\System32\\CoreUIComponents.dll" (normalized: "c:\\windows\\system32\\coreuicomponents.dll")
Region:
id = 1839
start_va = 0x480000
end_va = 0x4fffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000000480000"
filename = ""
Region:
id = 1840
start_va = 0x7ff9f4170000
end_va = 0x7ff9f417efff
monitored = 0
entry_point = 0x7ff9f4173210
region_type = mapped_file
name = "kernel.appcore.dll"
filename = "\\Windows\\System32\\kernel.appcore.dll" (normalized: "c:\\windows\\system32\\kernel.appcore.dll")
Region:
id = 1841
start_va = 0x7ff9f6d90000
end_va = 0x7ff9f6ee5fff
monitored = 0
entry_point = 0x7ff9f6d9a8d0
region_type = mapped_file
name = "user32.dll"
filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll")
Region:
id = 1842
start_va = 0x7ff9f7540000
end_va = 0x7ff9f76c5fff
monitored = 0
entry_point = 0x7ff9f758ffc0
region_type = mapped_file
name = "gdi32.dll"
filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll")
Region:
id = 1843
start_va = 0x7ff9f4e10000
end_va = 0x7ff9f4ec4fff
monitored = 0
entry_point = 0x7ff9f4e522e0
region_type = mapped_file
name = "shcore.dll"
filename = "\\Windows\\System32\\SHCore.dll" (normalized: "c:\\windows\\system32\\shcore.dll")
Region:
id = 1844
start_va = 0x7ff9ef2e0000
end_va = 0x7ff9ef415fff
monitored = 0
entry_point = 0x7ff9ef30f350
region_type = mapped_file
name = "wintypes.dll"
filename = "\\Windows\\System32\\WinTypes.dll" (normalized: "c:\\windows\\system32\\wintypes.dll")
Region:
id = 1845
start_va = 0x1b0000
end_va = 0x1cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001b0000"
filename = ""
Region:
id = 1846
start_va = 0x1b0000
end_va = 0x1b6fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001b0000"
filename = ""
Region:
id = 1847
start_va = 0x1c0000
end_va = 0x1cffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001c0000"
filename = ""
Region:
id = 1848
start_va = 0x500000
end_va = 0x538fff
monitored = 0
entry_point = 0x5012f0
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1849
start_va = 0x640000
end_va = 0x7c7fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000640000"
filename = ""
Region:
id = 1850
start_va = 0x7ff9f6b40000
end_va = 0x7ff9f6b7afff
monitored = 0
entry_point = 0x7ff9f6b412f0
region_type = mapped_file
name = "imm32.dll"
filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll")
Region:
id = 1851
start_va = 0x7d0000
end_va = 0x950fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000007d0000"
filename = ""
Region:
id = 1852
start_va = 0x960000
end_va = 0x1d5ffff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000960000"
filename = ""
Region:
id = 1853
start_va = 0x1d0000
end_va = 0x1d0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001d0000"
filename = ""
Region:
id = 1854
start_va = 0x1e0000
end_va = 0x1e0fff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000001e0000"
filename = ""
Region:
id = 1855
start_va = 0x1d60000
end_va = 0x1e3cfff
monitored = 0
entry_point = 0x1dbe0b0
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 1856
start_va = 0x1f0000
end_va = 0x1f0fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x00000000001f0000"
filename = ""
Region:
id = 1857
start_va = 0x7ff9f7a20000
end_va = 0x7ff9f7ac6fff
monitored = 0
entry_point = 0x7ff9f7a2b4d0
region_type = mapped_file
name = "clbcatq.dll"
filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll")
Region:
id = 1858
start_va = 0x500000
end_va = 0x500fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000500000"
filename = ""
Region:
id = 1859
start_va = 0x7ff9ec100000
end_va = 0x7ff9ec11dfff
monitored = 0
entry_point = 0x7ff9ec105340
region_type = mapped_file
name = "desktopshellext.dll"
filename = "\\Windows\\System32\\DesktopShellExt.dll" (normalized: "c:\\windows\\system32\\desktopshellext.dll")
Region:
id = 1860
start_va = 0x7ff9ec0e0000
end_va = 0x7ff9ec0f1fff
monitored = 0
entry_point = 0x7ff9ec0e5110
region_type = mapped_file
name = "windows.shell.servicehostbuilder.dll"
filename = "\\Windows\\System32\\Windows.Shell.ServiceHostBuilder.dll" (normalized: "c:\\windows\\system32\\windows.shell.servicehostbuilder.dll")
Region:
id = 1861
start_va = 0x1d60000
end_va = 0x1e5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001d60000"
filename = ""
Region:
id = 1862
start_va = 0x1e60000
end_va = 0x1f3cfff
monitored = 0
entry_point = 0x1ebe0b0
region_type = mapped_file
name = "rpcss.dll"
filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll")
Region:
id = 1863
start_va = 0x1e60000
end_va = 0x1edffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001e60000"
filename = ""
Region:
id = 1864
start_va = 0x1ee0000
end_va = 0x1f5ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001ee0000"
filename = ""
Region:
id = 1865
start_va = 0x1f60000
end_va = 0x1fdffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000001f60000"
filename = ""
Region:
id = 1866
start_va = 0x7ff9f15c0000
end_va = 0x7ff9f1a52fff
monitored = 0
entry_point = 0x7ff9f15cf760
region_type = mapped_file
name = "actxprxy.dll"
filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll")
Region:
id = 1867
start_va = 0x7ff9ebc10000
end_va = 0x7ff9ebce9fff
monitored = 0
entry_point = 0x7ff9ebc603b0
region_type = mapped_file
name = "modernexecserver.dll"
filename = "\\Windows\\System32\\modernexecserver.dll" (normalized: "c:\\windows\\system32\\modernexecserver.dll")
Region:
id = 1874
start_va = 0x7ff9f70d0000
end_va = 0x7ff9f7190fff
monitored = 0
entry_point = 0x7ff9f70f0da0
region_type = mapped_file
name = "oleaut32.dll"
filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll")
Region:
id = 1875
start_va = 0x7ff9f40f0000
end_va = 0x7ff9f413afff
monitored = 0
entry_point = 0x7ff9f40f35f0
region_type = mapped_file
name = "powrprof.dll"
filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll")
Region:
id = 1876
start_va = 0x7ff9f2eb0000
end_va = 0x7ff9f2ed9fff
monitored = 0
entry_point = 0x7ff9f2eb8b90
region_type = mapped_file
name = "rmclient.dll"
filename = "\\Windows\\System32\\rmclient.dll" (normalized: "c:\\windows\\system32\\rmclient.dll")
Region:
id = 1877
start_va = 0x7ff9ec090000
end_va = 0x7ff9ec0dafff
monitored = 0
entry_point = 0x7ff9ec0a7b70
region_type = mapped_file
name = "veeventdispatcher.dll"
filename = "\\Windows\\System32\\VEEventDispatcher.dll" (normalized: "c:\\windows\\system32\\veeventdispatcher.dll")
Region:
id = 1878
start_va = 0x7ff9f2bc0000
end_va = 0x7ff9f2cbffff
monitored = 0
entry_point = 0x7ff9f2c00f80
region_type = mapped_file
name = "twinapi.appcore.dll"
filename = "\\Windows\\System32\\twinapi.appcore.dll" (normalized: "c:\\windows\\system32\\twinapi.appcore.dll")
Region:
id = 1879
start_va = 0x7ff9f3f80000
end_va = 0x7ff9f3fa8fff
monitored = 0
entry_point = 0x7ff9f3f94530
region_type = mapped_file
name = "bcrypt.dll"
filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll")
Region:
id = 1881
start_va = 0x7ff9f09b0000
end_va = 0x7ff9f0a41fff
monitored = 0
entry_point = 0x7ff9f09fa780
region_type = mapped_file
name = "msvcp110_win.dll"
filename = "\\Windows\\System32\\msvcp110_win.dll" (normalized: "c:\\windows\\system32\\msvcp110_win.dll")
Region:
id = 1882
start_va = 0x1fe0000
end_va = 0x2122fff
monitored = 0
entry_point = 0x2008210
region_type = mapped_file
name = "ole32.dll"
filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll")
Region:
id = 1885
start_va = 0x510000
end_va = 0x511fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000510000"
filename = ""
Region:
id = 1886
start_va = 0x520000
end_va = 0x520fff
monitored = 1
entry_point = 0x0
region_type = pagefile_backed
name = "pagefile_0x0000000000520000"
filename = ""
Region:
id = 1887
start_va = 0x1fe0000
end_va = 0x20bffff
monitored = 0
entry_point = 0x0
region_type = mapped_file
name = "kernelbase.dll.mui"
filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui")
Region:
id = 1888
start_va = 0x20c0000
end_va = 0x213ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x00000000020c0000"
filename = ""
Region:
id = 1889
start_va = 0x7ff9f2a70000
end_va = 0x7ff9f2b05fff
monitored = 0
entry_point = 0x7ff9f2a95570
region_type = mapped_file
name = "uxtheme.dll"
filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll")
Region:
id = 1890
start_va = 0x2140000
end_va = 0x233ffff
monitored = 1
entry_point = 0x0
region_type = private
name = "private_0x0000000002140000"
filename = ""
Region:
id = 1892
start_va = 0x7ff9ebbd0000
end_va = 0x7ff9ebc00fff
monitored = 0
entry_point = 0x7ff9ebbd3400
region_type = mapped_file
name = "clipboardserver.dll"
filename = "\\Windows\\System32\\ClipboardServer.dll" (normalized: "c:\\windows\\system32\\clipboardserver.dll")
Region:
id = 1893
start_va = 0x7ff9ebb70000
end_va = 0x7ff9ebbccfff
monitored = 0
entry_point = 0x7ff9ebb80080
region_type = mapped_file
name = "activationmanager.dll"
filename = "\\Windows\\System32\\ActivationManager.dll" (normalized: "c:\\windows\\system32\\activationmanager.dll")
Thread:
id = 155
os_tid = 0x620
Thread:
id = 156
os_tid = 0x624
Thread:
id = 157
os_tid = 0x628
Thread:
id = 158
os_tid = 0x62c
Thread:
id = 159
os_tid = 0x630
Thread:
id = 160
os_tid = 0x634
Thread:
id = 163
os_tid = 0x640